Getting the RunAs Subject from the Thread

RunAs subjects are returned by WSSubject.getRunAsSubject() as read-only objects. They contain the method authentication information derived from the RunAs roles defined in the deployment descriptors. Use this API to get access to the WSCredential so that you can put or set data in the hash map within the credential.

Most data within the Subject is not propagated downstream to another server. Only the credential token within the WSCredential is propagated downstream, and the receiving server generates a new Caller subject from it.

try
{
    javax.security.auth.Subject runas_subject;
    com.ibm.websphere.security.cred.WSCredential runas_cred;

    // The RunAs subject is null when no RunAs role applies to this thread
    runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();

    if (runas_subject != null)
    {
        // The WSCredential is stored among the subject's public credentials
        runas_cred = runas_subject.getPublicCredentials(com.ibm.websphere.security.cred.WSCredential.class).iterator().next();

        // Read application data previously stored in the credential's hash map
        String RUNASDATA = (String) runas_cred.get("MYKEY");
        System.out.println("My data from the RunAs credential is:  " + RUNASDATA);
    }
}
catch (com.ibm.websphere.security.WSSecurityException e)
{
    // log error
}
catch (Exception e)
{
    // log error
}

Requirements

You need the following Java 2 Security permissions to run this API:

permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject";

Overriding the RunAs Subject on the Thread

To extend the function provided by the Java Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject (or invocation subject) with a different valid entry that is used for outbound requests on this execution thread.

This setting gives you the flexibility to associate the Subject with all remote calls on this thread without having to call WSSubject.doAs() to associate the subject with each remote action. For example:

try
{
    javax.security.auth.Subject runas_subject, caller_subject;

    // Save the current RunAs subject so it can be restored afterwards
    runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

    // Set a new RunAs subject for the thread, overriding the one declaratively set
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

    // do some remote calls

    // Restore the previous RunAs subject
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
}
catch (com.ibm.websphere.security.WSSecurityException e)
{
    // log error
}
catch (Exception e)
{
    // log error
}

You need the following Java 2 Security permissions to run these APIs:

permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject";
permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";
permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject";
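The snippet above restores the previous RunAs subject only on the success path: if one of the remote calls throws, the thread keeps the overriding subject, and because application server threads are pooled, the next request dispatched on that thread would run outbound calls under the wrong identity. The following class is an added example, not code from this page or from WebSphere; it wraps the override in try/finally so the restore always happens, and it also shows the read of a value from the RunAs WSCredential described in the first section. The class name RunAsOverride, the helper names callAs, getRunAsCredentialValue and exampleUsage, and the key "MYKEY" are assumptions; the WSSubject and WSCredential calls are the ones used on the page.

```java
import java.util.Iterator;
import java.util.concurrent.Callable;

import javax.security.auth.Subject;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

// Added example (hypothetical class, not part of WebSphere or of this page).
public final class RunAsOverride {

    private RunAsOverride() {
    }

    // Run 'work' with 'subject' as the thread's RunAs subject, then restore
    // whatever was on the thread before, whether or not 'work' succeeded.
    // Requires the wssecurity.getRunAsSubject and wssecurity.setRunAsSubject
    // permissions listed above.
    public static <T> T callAs(Subject subject, Callable<T> work) throws Exception {
        Subject previous = WSSubject.getRunAsSubject();   // may be null
        WSSubject.setRunAsSubject(subject);
        try {
            return work.call();
        } finally {
            // Restore unconditionally: server threads are reused, so an
            // override left behind would apply to later, unrelated requests.
            // Passing back the saved value mirrors the page's own restore call.
            WSSubject.setRunAsSubject(previous);
        }
    }

    // Read the value stored under 'key' in the WSCredential of the current
    // RunAs subject. Returns null when there is no RunAs subject or no
    // WSCredential, instead of failing on an empty credential set.
    // Requires the wssecurity.getRunAsSubject permission.
    public static Object getRunAsCredentialValue(String key) throws Exception {
        Subject runAs = WSSubject.getRunAsSubject();
        if (runAs == null) {
            return null;
        }
        Iterator<WSCredential> it =
            runAs.getPublicCredentials(WSCredential.class).iterator();
        if (!it.hasNext()) {
            return null;
        }
        WSCredential cred = it.next();
        return cred.get(key);   // value previously placed in the credential's hash map
    }

    // Usage from inside a servlet or EJB method running on a WebSphere thread:
    // perform an outbound call as the caller rather than as the declarative
    // RunAs role, exactly as the page's second snippet does, then read back
    // application data from the (restored) RunAs credential.
    public static String exampleUsage() throws Exception {
        Subject caller = WSSubject.getCallerSubject();   // needs wssecurity.getCallerSubject

        String remoteResult = callAs(caller, () -> {
            // Stand-in for the remote calls; any exception thrown here still
            // triggers the restore in callAs.
            return "remote-call-result";
        });

        Object data = getRunAsCredentialValue("MYKEY");   // "MYKEY" is assumed
        return remoteResult + " / MYKEY=" + data;
    }
}
```

When a WSSecurityException is thrown by setRunAsSubject inside the finally block it propagates out of callAs; the caller should log it, as on the page, and treat the thread as suspect rather than silently continuing.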

See Also

Programmatic login