(ZOS) Java thread identity and an operating system thread identity
We can specify options to synchronize a Java thread identity and an operating system thread identity.
EJB supports a method-level RunAs role specification that associates a Java EE role with an EJB method invocation. The EJB method runs using the authority associated with the designated security role. That authority is mapped to the designated role through a user identity. Normally, this identity is recognized by the web and Java EE runtimes and is associated with the current dispatch thread. It governs access only to those resources and facilities that are subject to Java EE security. The actual OS thread identity is unaffected by the EJB RunAs role selection and is typically the identity of the server.
Setting the OS identity thread option synchronizes the Java EE role identity and the OS thread (SyncToOSThread). This means that the OS thread identity is associated with the Java EE role identity during the EJB method invocation (application assemblers and deployers associate the RunAs identity with the operating system thread by setting the thread identity to the RunAs identity for specific bean methods). This association means that the caller or security role identity (rather than the server region identity) is used for z/OS system service requests such as access to files and database management systems. The WebSphere Application Server for z/OS Java EE server can be configured to enable or disable this association (or synchronization). The default setting disables the ability to modify the identity on the operating system thread, regardless of the OS thread identity to RunAs identity setting in the deployment descriptor for the installed application. If the application installer does not enable synchronization, any method that sets the RunAs identity on the operating system thread fails with a no_permission error.
You complete the specification of options to synchronize a Java thread identity and an operating system thread identity by using the Resource Access Control Facility (RACF) to define FACILITY and, optionally, SURROGAT class profiles for Sync to OS Thread Allowed. This gives the RACF administrator control over the permissions that allow the synchronization of the Java EE role identity and the OS thread (SyncToOSThread) in the WAS configuration.
Using the administrative console, we can specify the following options for thread identity synchronization on the z/OS security options panel:
- Enable WAS and z/OS thread identity synchronization
- Specifies whether application-level SyncToOSThread is permitted. When this security option is selected (meaning true is specified), the application-specified SyncToOSThread is honored and carried out by the EJB and web containers as indicated by the EJB and web application SyncToOSThread specifications. The default is false or disabled.
- Enable the connection manager RunAs thread identity
- Specifies whether the connection manager synchronizes the current Java EE principal to the OS thread when a connection is obtained from a resource reference that specifies res-auth=container. The default is false or disabled.
We can also select the SyncToOSThread support using a method-level extended deployment descriptor (XDD) for EJB. Enable this support using a distinguished environment entry that is defined through the EJB or web application standard deployment descriptor. During assembly or deployment, bind a value to this variable by specifying:
- True, which specifies that the Java EE principal or identity should be synchronized to the OS thread for all requests invoked on the EJB or web application.
- False, which specifies that the Java EE principal or identity should not be synchronized to the OS thread for requests invoked on the EJB or web application. This value is the default.
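As an added example (not from this page or from IBM's product code), the following Python audit reads a Java EE deployment descriptor and reports what identity would reach z/OS services under the rules above: whether the module binds the SyncToOSThread environment entry to true, which RunAs roles it declares, and which resource references use res-auth=container versus res-auth=application. The env-entry name com.ibm.websphere.security.SyncToOSThread is an assumption, since the page only calls it "a distinguished environment entry"; the ejb-jar.xml sample is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed (the page only says "a distinguished environment entry"): the
# env-entry whose bound value requests SyncToOSThread for a module.
SYNC_ENV_ENTRY = "com.ibm.websphere.security.SyncToOSThread"

def _child_text(parent, name):
    # Compare local names so namespaced web.xml / ejb-jar.xml parse alike.
    for child in parent:
        if child.tag.rpartition("}")[2] == name:
            return (child.text or "").strip()
    return ""

def audit_descriptor(xml_text):
    """Collect the identity-related settings a Java EE descriptor asks for."""
    report = {"sync_to_os_thread": False, "run_as_roles": [],
              "container_auth_refs": [], "application_auth_refs": []}
    for el in ET.fromstring(xml_text).iter():
        kind = el.tag.rpartition("}")[2]
        if kind == "env-entry":
            if (_child_text(el, "env-entry-name") == SYNC_ENV_ENTRY
                    and _child_text(el, "env-entry-value").lower() == "true"):
                report["sync_to_os_thread"] = True
        elif kind == "run-as":
            report["run_as_roles"].append(_child_text(el, "role-name"))
        elif kind == "resource-ref":
            key = ("container_auth_refs" if _child_text(el, "res-auth").lower()
                   == "container" else "application_auth_refs")
            report[key].append(_child_text(el, "res-ref-name"))
    return report

def findings(report):
    """State which identity reaches z/OS services, following the page's rules."""
    if report["sync_to_os_thread"]:
        who = ", ".join(report["run_as_roles"]) or "the caller"
        out = [f"OS thread follows {who} for files/DBMS (only if the server enables sync)"]
    else:
        out = ["OS thread keeps the server identity; only Java EE resources follow the role"]
    for ref in report["container_auth_refs"]:
        out.append(f"{ref}: res-auth=container, Java EE identity reaches the EIS only with the connection manager RunAs option")
    for ref in report["application_auth_refs"]:
        out.append(f"{ref}: res-auth=application, thread identity temporarily reset to the server")
    return out

# Constructed sample ejb-jar.xml (not from the page); the namespace is the real Java EE one.
SAMPLE_EJB_JAR = """<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee">
<enterprise-beans><session><ejb-name>PayrollBean</ejb-name>
<env-entry><env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name><env-entry-type>java.lang.Boolean</env-entry-type><env-entry-value>true</env-entry-value></env-entry>
<resource-ref><res-ref-name>jdbc/Payroll</res-ref-name><res-auth>Container</res-auth></resource-ref>
<resource-ref><res-ref-name>jdbc/Audit</res-ref-name><res-auth>Application</res-auth></resource-ref>
<security-identity><run-as><role-name>payroll-admin</role-name></run-as></security-identity>
</session></enterprise-beans></ejb-jar>"""
```

Run `findings(audit_descriptor(SAMPLE_EJB_JAR))` to see the three findings for the sample; the same functions accept a web.xml, since only local element names are compared.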
When processing a request, the web container understands what roles, if any, are required to access the component represented by the input URL. The container validates requester authentication and that the authenticated user has been granted permission to the required roles. The web container makes use of the same System Authorization Facility (SAF)-based user registry and EJB role profiles as the EJB container to perform this validation. Therefore, we can use the same user registry and role profiles for administering web applications as we use for Enterprise Beans and Java EE Services. For setting thread identity, possible active user registries include:
- Local OS
- LDAP
- Custom
Application events that modify the thread identity value include:
- Initial value when the first method is set
- By default, invocations of servlet service methods and EJB business methods implicitly run as caller (RunAsCaller) unless the Run as field of a policy's attribute specifies otherwise. EJB client applications always run as server (RunAsServer).
For web applications, if security constraints are not specified, the application might run with an unauthenticated user ID.
- Method delegation changes to the Java EE identity (RunAs Specified)
- The connection manager synchronizes the current Java EE identity with the OS thread when obtaining connections from resource references that have container-managed resource authorization (res-auth=container). EJB methods marked with SyncToOSThread cause the Java EE role identity to be synchronized to the OS thread.
- WSSubject.doAs()
- This setting offers flexibility when associating the Subject with remote calls on a thread without having to do a WSSubject.doAs() to associate the subject with the remote action.
Thread identity is temporarily reset on the server in the following situations:
- JavaServer Pages (JSP) Compilation
- Web container JSP compilation modifies the identity of the server if SyncToOSThread is enabled for the server (security_EnableSyncToOSThread=1).
- Access of Stateful Backing Store
- EJB container stateful session activation changes the identity of the server if SyncToOSThread is enabled. Always access the EJB stateful session backing store using the identity of the server.
- Web application Reloading
- When the web container reloads the web application, it changes the server identity if SyncToOSThread is enabled for web applications.
- Connection Manager Requests
- When the resource reference specifies res-auth=application, the thread identity is temporarily set to the identity of the server.
When running with administrative security enabled, IBM recommends that we also enable Java 2 security. Exercise caution when enabling this support, because it can cause general z/OS system resources (such as files and sockets) to fall outside the control of the WAS runtime and make the management of those system resources accessible to identities established through Java EE applications.
Subtopics
- Considerations for setting the Sync to OS Thread Allowed option
There are a number of options to consider when setting the Sync to OS Thread Allowed option.
- Application Synch to OS Thread Allowed
Use application Sync to OS Thread Allowed to synchronize a Java thread identity (or JAAS subject) with the OS thread identity for the duration of the current Java EE application request.
- Connection Manager RunAs Identity Enabled and system security
WAS includes connector configurations that use operating system thread security. By enabling Connection Manager Sync to OS Thread support, the Java EE identity (the RunAs identity, for example) can be used to obtain the EIS connection for connector configurations that use operating system thread security.
- When to use application Synch to OS Thread Allowed
Specify application Synch to OS Thread Allowed to use the Java thread identity to access the non-WebSphere-managed resources accessed by the application.
- Java Platform, Enterprise Edition identity and an operating system thread identity
A user is identified using an identity that must be authenticated by WAS in order to access a WAS application in a secure environment.
Related:
- Administrative security
- Security considerations for WAS for z/OS
- Connection thread identity
- Data access resources
- Configure local operating system registries
- Overriding the RunAs subject on the thread for JAAS
- Authentication protocol support
- JAAS authorization
- Security states with thread identity support