Security states with thread identity support

(ZOS) Security states with thread identity support

Different Java Platform, Enterprise Edition Connector Architecture (JCA) resource adapters and JDBC drivers provide different support for authenticating threads that transact with application server resources.

In this article the term thread identity refers to the Java EE Identity, such as the RunAs Identity, as opposed to the OS thread identity. Refer to the topic, Synchronizing a Java thread identity and an operating system thread identity and the topic, Understanding Connection Manager RunAs Identity Enabled and operating system security, for more information.

The combinations of Java 2 security, server configurations, connector configurations, and container-managed alias support determine the processing that results when using the thread identity function. Thread identity support is only available with specific JCA resource adapters and JDBC providers. See the article Connection thread identity for a table of resource adapter processes and JDBC provider processes that support thread identity. If our resource adapter or JDBC provider is in the supported list, use the following tables to determine the processing that occurs, based on the settings of the specified properties:

Global security enabled?
Yes No
Go to table 2. Go to table 3.

Container-managed alias specified?
No Yes
Connector Allows or Requires Thread Identity? Connector Requires Thread Identity?
No Yes No Yes
Processing is dependent on connector: may throw exception may default to connector user/password custom properties Connector requires OS thread security? Use specified alias Connector requires OS thread security?
No Yes No Yes
Use identity associated with current thread Server Sync-To-Thread enabled? Use identity associated with current thread Server Sync-To-Thread enabled?
No Yes No Yes
Use Server identity Use identity associated with current thread Use server identity Use identity associated with current thread

Container-managed alias specified?
No Yes
Connector ALLOWS or REQUIRES thread identity o be used when getting a connection Connector REQUIRES thread identity to be used when getting a connection?
No Yes No Yes
Processing is dependent on connector:

May throw exception
May default to connector user/password custom properties

User server identity Use specified alias Use server identity

Related:

Connection thread identity
Java thread identity and an operating system thread identity
Connection Manager RunAs Identity Enabled and system security

Container-managed alias specified?
No				Yes
Connector Allows or Requires Thread Identity?				Connector Requires Thread Identity?
No	Yes			No	Yes
Processing is dependent on connector: may throw exception may default to connector user/password custom properties	Connector requires OS thread security?			Use specified alias	Connector requires OS thread security?
	No	Yes			No	Yes
	Use identity associated with current thread	Server Sync-To-Thread enabled?			Use identity associated with current thread	Server Sync-To-Thread enabled?
		No	Yes			No	Yes
		Use Server identity	Use identity associated with current thread			Use server identity	Use identity associated with current thread

Container-managed alias specified?
No		Yes
Connector ALLOWS or REQUIRES thread identity o be used when getting a connection		Connector REQUIRES thread identity to be used when getting a connection?
No	Yes	No	Yes
Processing is dependent on connector: May throw exception May default to connector user/password custom properties	User server identity	Use specified alias	Use server identity