9.6 Downstream propagation

There are two authentication protocols supported by WebSphere Application Server. Secure Association Service (SAS) is the authentication protocol used by all previous releases of the WebSphere product; it is deprecated and is maintained only for backward compatibility. The Object Management Group (OMG) defined a newer authentication protocol, Common Secure Interoperability Version 2 (CSIV2), so that different vendors' ORBs can interoperate securely. WebSphere Application Server implements CSIV2 with more features than SAS, and CSIV2 is considered the strategic protocol.

Downstream propagation uses Remote Method Invocation over the Internet Inter-ORB Protocol (RMI over IIOP) to access enterprise beans running on a back-end, that is, a downstream server. The security attributes are passed to the enterprise beans on the downstream server by using the CSIV2 protocol established between the two WebSphere Application Servers. In effect, downstream propagation lets a downstream server accept the client identity that an upstream server has already established, without reauthenticating the client. The downstream server is therefore trusting the authentication performed upstream, which is why propagation is only accepted between servers in the same realm.

There are two types of downstream propagation using RMI:

RMI_INBOUND

Enabling security attribute propagation for RMI_INBOUND means that the server can receive propagated security attributes from other servers in the same realm over the CSIV2 protocol.

RMI_OUTBOUND

Enabling security attribute propagation for RMI_OUTBOUND means that the server can send (propagate) its security attributes to other servers in the same realm over the CSIV2 protocol. Consider the scenario in the figure, in which server1 makes an RMI call to server5. The following occurs:

a. The Subject contents and the PropagationToken contents are serialized at server1.
b. Server1 makes the RMI call to server5.
c. The serialized content is sent over the CSIV2 protocol to the target server (server5), which has RMI_INBOUND propagation enabled.
d. If the receiving server does not support security attribute tokens, WebSphere Application Server sends only the Lightweight Third Party Authentication (LTPA) token; the serialized Subject and PropagationToken contents are not delivered, so any custom attributes they carried are unavailable on that server.
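The following Python model walks through steps a to d for the server1 to server5 call. It is an added example, not WebSphere code: the server names, the realm name, the `Server` class, the `rmi_call` helper and the HMAC-based stand-in for an LTPA token are all assumptions made for illustration, and the shared realm key is constructed for the example. The point it makes concrete is that the target only trusts the attached Subject and PropagationToken after the LTPA token verifies under the shared realm key, that a target without RMI_INBOUND (or one that cannot consume attribute tokens) ends up with the LTPA identity only, and that a token from another realm is rejected.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the LTPA key that every server in a realm shares.
# A real deployment exports and imports the LTPA keys; this value is not real.
REALM_KEYS = {"defaultWIMFileBasedRealm": b"constructed-example-key-not-real"}


def make_ltpa_token(user, realm):
    """Stand-in for an LTPA token: identity plus an HMAC under the realm key."""
    body = json.dumps({"user": user, "realm": realm}, sort_keys=True)
    mac = hmac.new(REALM_KEYS[realm], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_ltpa_token(token, realm):
    """Return the user name if the token is for this realm and its MAC is valid."""
    body = json.loads(token["body"])
    if body.get("realm") != realm or realm not in REALM_KEYS:
        return None
    expected = hmac.new(REALM_KEYS[realm], token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    return body["user"]


class Server:
    """One WebSphere-style server with its RMI propagation settings (assumed model)."""

    def __init__(self, name, realm, rmi_inbound=False, rmi_outbound=False,
                 supports_attribute_tokens=True):
        self.name = name
        self.realm = realm
        self.rmi_inbound = rmi_inbound
        self.rmi_outbound = rmi_outbound
        self.supports_attribute_tokens = supports_attribute_tokens

    def build_outbound(self, user, subject_attrs, propagation_attrs, target):
        """Steps a and b: serialize what the caller attaches to the RMI call."""
        msg = {"ltpa": make_ltpa_token(user, self.realm)}
        # Step d: a target that cannot consume attribute tokens gets only the
        # LTPA token; the same happens when outbound propagation is disabled.
        if self.rmi_outbound and target.supports_attribute_tokens:
            msg["subject"] = json.dumps(subject_attrs, sort_keys=True)
            msg["propagation_token"] = json.dumps(propagation_attrs, sort_keys=True)
        return msg

    def receive_inbound(self, msg):
        """Step c: accept the upstream identity without reauthenticating."""
        user = verify_ltpa_token(msg["ltpa"], self.realm)
        if user is None:
            raise PermissionError(f"{self.name}: LTPA token rejected (wrong realm or bad MAC)")
        result = {"user": user, "subject": {}, "propagation_token": {}, "source": "ltpa-only"}
        # Attributes are only consumed once the LTPA token has verified.
        if self.rmi_inbound and self.supports_attribute_tokens and "subject" in msg:
            result["subject"] = json.loads(msg["subject"])
            result["propagation_token"] = json.loads(msg["propagation_token"])
            result["source"] = "propagated"
        return result


def rmi_call(caller, target, user, subject_attrs, propagation_attrs):
    """Run the caller -> target exchange and return what the target ends up with."""
    message = caller.build_outbound(user, subject_attrs, propagation_attrs, target)
    return target.receive_inbound(message)


if __name__ == "__main__":
    realm = "defaultWIMFileBasedRealm"
    server1 = Server("server1", realm, rmi_outbound=True)
    server5 = Server("server5", realm, rmi_inbound=True)
    legacy = Server("legacy", realm, rmi_inbound=True, supports_attribute_tokens=False)
    subject = {"groups": ["admins"]}
    prop = {"ipAddress": "10.0.0.5"}
    print(rmi_call(server1, server5, "alice", subject, prop))
    print(rmi_call(server1, legacy, "alice", subject, prop))
```

Running the block shows server5 receiving the propagated groups and PropagationToken entries, while the legacy server sees only the LTPA identity for alice with empty attribute maps. A realm mismatch raises `PermissionError` at the target, which is the behaviour a practitioner should verify when two cells are wired together.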