Mapping users to RunAs roles using an assembly tool
RunAs roles are used for delegation. A servlet or enterprise bean component uses the RunAs role to invoke another enterprise bean by impersonating that role.
Before performing this task:
- Secure the web application and enterprise bean applications, including creating and assigning new roles to enterprise bean and web resources. See Secure web applications using an assembly tool and Secure enterprise bean applications.
- Assign users and groups to roles. See Add users and groups to roles using an assembly tool. Complete this step during the installation of the application. The environment or user registry under which the application is going to run is not known until deployment. If we already know the environment in which the application is going to run and you know the user registry, then we can use an assembly tool to assign users to RunAs roles.
This procedure might not match the steps required when using your assembly tool, or match the version of the assembly tool that we are using. We should follow the instructions for the tool and version that we are using.
To define RunAs roles when a servlet or an enterprise bean in an application is configured with RunAs settings, perform these steps:
Tasks
- In the Project Explorer view of an assembly tool, right-click an enterprise application project or Enterprise Archive (EAR) file and click Open With > Deployment Descriptor Editor. An application deployment descriptor editor opens on the EAR file. To access information about the editor, press F1 and click Application deployment descriptor editor.
- On the Security tab, under Security Role Run As Bindings, click Add.
- Click Add under RunAs Bindings.
- In the Security Role wizard, select one or more roles and click Finish.
- Repeat steps 3 through 5 for all the RunAs roles in the application.
- Close the application deployment descriptor editor and, when prompted, click Yes to save the changes.
The ibm-application-bnd.xmi file in the application contains the user to RunAs role mapping table.
For IBM extension and binding files, the .xmi or .xml file name extension is different depending on whether we are using a pre-Java EE 5 application or module or a Java EE 5 or later application or module. An IBM extension or binding file is named ibm-*-ext.xmi or ibm-*-bnd.xmi where * is the type of extension or binding file such as app, application, ejb-jar, or web. The following conditions apply:
- For an application or module that uses a Java EE version prior to version 5, the file extension must be .xmi.
- For an application or module that uses Java EE 5 or later, the file extension must be .xml. If .xmi files are included with the application or module, the product ignores the .xmi files.
However, a Java EE 5 or later module can exist within an application that includes pre-Java EE 5 files and uses the .xmi file name extension.
The ibm-webservices-ext.xmi, ibm-webservices-bnd.xmi, ibm-webservicesclient-bnd.xmi, ibm-webservicesclient-ext.xmi, and ibm-portlet-ext.xmi files continue to use the .xmi file extensions.
What to do next
After securing an application, we can install the application using the administrative console. We can change the RunAs role mappings of an installed application. See User RunAs collection.
Related:
Role-based authorization Delegations Assigning users to RunAs roles User RunAs collection Security: Resources for learning