+

Search Tips   |   Advanced Search

Scheduler task user authorization

The scheduler service uses the asynchronous beans deferred start mechanism to propagate JEE service context information to a task when it runs. If we plan to secure the application using the JAAS security context of the administrative security mechanism built into WebSphere Application Server, create each task with the correct credentials on the thread.

Tasks run with specified security credentials using the following methods:

The scheduler service utilizes the asynchronous beans deferred start mechanism to propagate Java EE service context information to a task when it runs. The amount of service context information that is propagated is controlled by the Service Context settings on the WorkManager configuration object that schedulers reference. For example, security and internationalization service contexts can be enabled. See the Using asynchronous beans topic for details on how to configure the Application Server to propagate these service contexts.


Java Authentication and Authorization Service Security context

If we intend to secure the application using the JAAS security context of the administrative security mechanism built into WebSphere Application Server, create each task with the correct credentials on the thread. Once each task has the correct credentials, we can disable and re-enable administrative security without causing any security problems. If we do not set the security context when the scheduler task is created and you later enable security in the target application, a security exception or error message might display, such as SECJ0053E. We might also see this error if two or more schedulers on different servers are accessing the same tables (a clustered or redundant scheduler) and the security settings are different.

The JAAS security context is not set if any of the follow conditions are true:

If any of the previously mentioned conditions are true when creating the task and we need to enable security on the application server or application, you must complete the following steps for each task:

  1. Find the task using the Scheduler API find or get methods.

  2. Cancel the task using the Scheduler.cancel() API.

  3. Recreate the task using the Scheduler.create() method with security enabled. Submitting a task that was retrieved from the scheduler using the find or get methods will automatically generate a new task ID.


Security order of precedence

As previously noted, there are three ways of verifying that a task will run with the correct user credentials. In addition, each TaskInfo implementation may have its own way of supplying user information, which may override the standard mechanisms. If multiple methods are used, refer to the following lists to determine which security mechanism is going to be employed. BeanTaskInfo

  1. TaskHandler security identity set on the process() method of the Enterprise Java Bean file

  2. Authentication Alias set with the setAuthenticationAlias method on the TaskInfo interface

  3. JAAS security context
MessageTaskInfo

  1. Authentication Alias set with the setAuthenticationAlias method on the TaskInfo interface

  2. The setUsername and setPassword methods on the MessageTaskInfo interface. See the Deprecated features article for more information.


Related concepts

  • Identity assertion to the downstream server
  • Asynchronous beans
  • Transactions and schedulers


    Related tasks

  • Configure CSIv2 (CSIV2) inbound and outbound communication settings
  • Use asynchronous beans
  • Secure scheduler tasks

  • Deprecated, stabilized, superseded, and removed features
  • TaskInfo interface Concept topic