Mapping users to RunAs roles using the Assembly Toolkit
Overview
RunAs roles are used for delegation. A servlet or enterprise bean component uses the RunAs role to invoke another enterprise bean by impersonating that role. You must define RunAs roles when a servlet or an enterprise bean in an application is configured with RunAs settings. Before you perform this task:- Secure the Web application and enterprise bean applications, including
creating and assigning new roles to enterprise bean and Web resources.
- Assign users and groups to roles. Complete this step during the installation of the application. The environment or user registry under which the application is going to run is not known until deployment. If you already know the environment in which the application is going to run and you know the user registry, then you can use the Assembly Toolkit to assign users to RunAs roles.
- In the J2EE Hierarchy view of the Assembly Toolkit, right-click an enterprise application
project (EAR file) and click Open With > Deployment Descriptor Editor.
An application deployment descriptor editor opens on the EAR file. To
access information about the editor, press F1 and click Application deployment
descriptor editor.
- On the Security tab, under Security Role Run As Bindings,
click Add.
- Click Add under RunAs Bindings.
- In the Security Role wizard, select one or more roles and click Finish.
- Repeat steps 3 through 5 for all the RunAs roles in the application.
- Close the application deployment descriptor editor and, when prompted, click Yes to save the changes.
Results
The ibm-application-bnd.xmi file in the application contains the user to RunAs role mapping table.
What to do next
After securing an application, you can install the application using the administrative console. You can change the RunAs role mappings of an installed application.
Enterprise bean component security
Role-based authorization
Delegations
RunAs roles to users mapping
Security: Resources for learning