Delegation propagates security identities from a caller to a called object.
As per the J2EE specification, a servlet and enterprise beans can propagate either the client (remote user) identity when invoking enterprise beans or they can use another specified identity as indicated in the corresponding deployment descriptor.
The IBM extension supports EJBs to propagate to the server ID when invoking other entity beans. There are three types of delegations...
- RunAs Client Identity
- RunAs Specified Identity
- RunAs System Identity
The EJB specification only supports delegation (RunAs) at the EJB level. But an IBM extension allows EJB method level RunAs specification. Method EJB method level runAs specification allows one to specify a different RunAs role for different methods within the same enterprise beans.
The RunAs specification is detailed in the deployment descriptor (the ejb-jar.xml file in the EJB module and the web.xml file in the Web module). The IBM extension to the RunAs specification is included in the ibm-ejb-jar-ext.xmi file.
There is also an IBM specific binding file for each application that contains a mapping from the RunAs role to the user. This file is specified in the ibm-application-bnd.xmi file.
These specifications are read by the run time during application startup.
There are two tables that help in the delegation process...
- Resource to RunAs role mapping table
- RunAs role to user ID and password mapping table
Use the Resource to RunAs role mapping table to get the role that is used by a servlet or by enterprise beans to propagate to the next enterprise beans call.
Use the RunAsRole to User ID and Password mapping table to get the user ID that belongs to the RunAs role and its password.
Delegation is performed after successful authentication and authorization. During this process, the delegation module consults the Resource to RunAs role mapping table to get the RunAs role (3). The delegation module consults the RunAs role to user ID and password mapping table to get the user that belongs to the RunAs role (4). The user ID and password is used to create a new credential using the authentication module, which is not shown in figure.The resulting credential is stored in the ORB Current as an invocation credential (5). Servlet and enterprise beans when invoking other enterprise beans pick up the invocation credential from the ORB Current (6) and call the next enterprise beans (7).