
Overriding the RunAs subject on the thread for JAAS

To extend the function provided by the Java Authentication and Authorization Service (JAAS) APIs, we can set the RunAs subject or invocation subject with a different valid entry that is used for outbound requests on this running thread.

We need the following Java 2 security permissions to run these APIs:

This extension gives you the flexibility to associate the Subject with all the remote calls on this thread without having to use a WSSubject.doAs method to associate the subject with the remote action.

(ZOS) An application developer can use the WSSubject.doAs method to establish a JAAS subject that is authenticated by a JAAS login module as the active security identity for the WebSphere Application Server runtime to use while performing a specified action. WSSubject.doAs only synchronizes the thread identity when it is called within a component configured for sync-to-thread. When used with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.


Tasks

  1. Set a new RunAs subject for the thread, overriding the one declaratively set.

    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

  2. Perform some remote calls.

  3. Restore the previous RunAs subject.

    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);


Example

    try {
        javax.security.auth.Subject runas_subject, caller_subject;
        // the RunAs (invocation) subject currently set on this thread
        runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
        // the authenticated caller of this component
        caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

        // set a new RunAs subject for the thread, overriding the one declaratively set
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

        // do some remote calls

        // restore back to the previous runAsSubject
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
    } catch (com.ibm.websphere.security.WSSecurityException e) {
        // log error
    } catch (Exception e) {
        // log error
    }
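The example above restores the previous RunAs subject only on the success path: if one of the remote calls throws, the catch blocks run and the thread is left with the caller subject as its invocation identity for whatever the thread does next (on a pooled thread, that can be a different request). The following helper is an added example, not code from the IBM documentation or from WebSphere itself; the class name RunAsOverride and its methods are hypothetical. It performs the same three steps with the restore in a finally block, rejects the case where no caller subject is available, and confines the calls that need the Java 2 security permissions mentioned earlier to a doPrivileged block so that only this helper's code base needs to be granted them.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.concurrent.Callable;

import javax.security.auth.Subject;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

/**
 * Hypothetical helper (added example, not part of WebSphere): runs an action with the
 * caller subject as the RunAs subject of the current thread and always puts the previous
 * RunAs subject back, whether or not the action throws.
 */
public final class RunAsOverride {

    private RunAsOverride() {
    }

    /**
     * Runs {@code remoteAction} with the authenticated caller as the RunAs subject,
     * then restores the RunAs subject that was on the thread before the call.
     */
    public static <T> T callAsCaller(Callable<T> remoteAction) throws Exception {
        // Step 0: capture what is on the thread now so it can be restored later.
        final Subject previous = WSSubject.getRunAsSubject();
        final Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            // Without an authenticated caller there is nothing safe to run as;
            // refusing is better than silently keeping the declarative RunAs identity.
            throw new IllegalStateException("no caller subject is associated with this thread");
        }

        // Step 1: override the RunAs subject for the scope of the action.
        setRunAs(caller);
        try {
            // Step 2: the remote calls happen inside the action.
            return remoteAction.call();
        } finally {
            // Step 3: restore the previous RunAs subject on every exit path, exactly as the
            // page's example does on its success path (a null previous subject is passed
            // back unchanged, matching that example).
            setRunAs(previous);
        }
    }

    /**
     * Calls WSSubject.setRunAsSubject inside a privileged block so that, with Java 2
     * security enabled, only this class's code base needs the permissions listed for
     * these APIs rather than every caller further up the stack.
     */
    private static void setRunAs(final Subject subject) throws WSSecurityException {
        try {
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws WSSecurityException {
                    WSSubject.setRunAsSubject(subject);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // The only checked exception run() can throw is WSSecurityException.
            throw (WSSecurityException) e.getException();
        }
    }
}
```

A component would use it as `RunAsOverride.callAsCaller(() -> remoteBean.doWork())`, with the remote calls placed inside the lambda. Because the restore sits in finally, a WSSecurityException or any failure from the remote call still leaves the thread with the identity it had before, which is the property that matters when threads are reused between requests. Whether the restore of a null previous subject is accepted by setRunAsSubject is not stated on this page; the helper follows the page's own example, which restores whatever getRunAsSubject returned.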


Related:

  • (ZOS) Java thread identity and an operating system thread identity
  • Customize a server-side JAAS authentication and login configuration
  • Customize application login with JAAS
  • Authentication protocol support