(ZOS) Develop a custom SAF EJB role mapper
WebSphere Application Server for z/OS allows an installation to map Java EE role names to SAF EJBRole profile names.
WAS for z/OS supports the use of a custom SAF EJB role mapper, which allows an installation to map Java EE role names to SAF EJBRole profile names. Without the SAF EJB role mapper, an application must be deployed with a role in the deployment descriptor of a component whose name is identical to the name of an EJBROLE class profile. The security administrator defines the EJBROLE profiles and grants permission to these profiles to SAF users or groups.
Using SAF EJBROLE class profiles can conflict with the standard Java EE role naming conventions. Java EE role names are Unicode strings of any length. RACF class profiles are restricted to 240 characters in length and cannot be defined if they contain any white space or extended code page characters.
If a Java EE role name for an installation conflicts with these RACF restrictions, an installation can use the SAF EJB role mapper exit to map the desired Java EE role name to an acceptable class profile name.
The custom SAF role mapper is a Java-based exit that replaces the EJBROLE class profile construction algorithm. It is called to generate a profile name for authorization and delegation requests: it is passed the name of the application and the name of the role, and returns the appropriate class profile name. Information about the server name, cell name, and the SAF profile prefix (previously referred to as the z/OS security domain) is provided to the implementation during initialization.
We enable the role mapper by setting the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control. We can set this property on the z/OS SAF authorization panel in the administrative console.
Tasks
- Build our custom SAF role mapper. The following SAFRoleMapper example can be used as a reference.
  import java.util.Properties;
  // package assumed for the SAFRoleMapper interface referenced by this sample
  import com.ibm.websphere.security.SAFRoleMapper;

  public class SAFRoleMapperImpl1 implements SAFRoleMapper {
      String domainPrefix = null;

      // Called once during initialization; the context carries the SAF profile prefix.
      public void initialize(Properties context) {
          // getProperty returns a String; Properties.get would return an Object
          domainPrefix = context.getProperty(SAFRoleMapper.DOMAIN_NAME);
      }

      // Build <prefix>.<app>.<role> and replace RACF generic characters and white space
      public String getProfileNameFromRole(String app, String role) {
          String profile = app + "." + role;
          if (domainPrefix != null) {
              profile = domainPrefix + "." + profile;
          }
          profile = profile.replaceAll("\\%", "#");
          profile = profile.replaceAll("\\&", "#");
          profile = profile.replaceAll("\\*", "#");
          profile = profile.replaceAll("\\s", "#");
          return profile;
      }
  }
- Click Security > Global security > z/OS SAF authorization and enable the role mapper by providing the name of the class to give control in the SAF profile mapper field. We also can set this property as a custom property by entering com.ibm.websphere.security.SAF.RoleMapper as the name and providing the name of the class in the value field.
- Click Security > Global security > External authorization providers and select the System Authorization Facility (SAF) authorization option to enable SAF as the authorization provider. After selecting this option, click z/OS SAF authorization under Related items to configure the SAF authorization options.
We also can set this property as a custom property by entering com.ibm.websphere.security.SAF.authorization as the name and true as the value.
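The following mapper is an added example, not IBM's sample code or part of the product. It implements the same initialize and getProfileNameFromRole contract as the sample above, but applies the RACF constraints stated on this page (240-character limit, no white space or extended code page characters) to every character outside a chosen safe set rather than to a fixed list, and, where substitution or truncation would make two different roles indistinguishable, appends a digest of the original name so distinct Java EE roles cannot collapse onto one EJBROLE profile. The package com.ibm.websphere.security for the SAFRoleMapper interface, the safe character set, the suffix length, and the application and role names used in main are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;

// Assumed package of the SAFRoleMapper interface that the page's sample refers to.
import com.ibm.websphere.security.SAFRoleMapper;

public class HardenedSafRoleMapper implements SAFRoleMapper {

    // RACF profile length limit stated on this page.
    static final int MAX_PROFILE_LENGTH = 240;

    // Characters copied through unchanged; anything else (white space, the RACF
    // generic characters % & *, extended code page characters) becomes '#'.
    // This set is an assumption chosen for the example, not a RACF specification.
    static final String SAFE_CHARS =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789.-_@#$";

    // Length of the hex digest suffix added when the mapping would otherwise be lossy.
    static final int SUFFIX_HEX_LEN = 8;

    private String domainPrefix = null;

    public void initialize(Properties context) {
        // Properties.getProperty returns a String; get() returns Object.
        domainPrefix = context.getProperty(SAFRoleMapper.DOMAIN_NAME);
    }

    public String getProfileNameFromRole(String app, String role) {
        String raw = app + "." + role;
        String sanitized = sanitize(raw);
        String profile = (domainPrefix != null) ? domainPrefix + "." + sanitized : sanitized;

        // Substitution is lossy ("a b" and "a%b" both become "a#b") and so is truncation.
        // In either case append a digest of the original so two distinct roles never
        // share one profile; otherwise one role would inherit the other's permissions.
        boolean lossy = !sanitized.equals(raw) || profile.length() > MAX_PROFILE_LENGTH;
        if (lossy) {
            String suffix = "." + hexDigest(raw).substring(0, SUFFIX_HEX_LEN);
            int keep = Math.min(profile.length(), MAX_PROFILE_LENGTH - suffix.length());
            profile = profile.substring(0, keep) + suffix;
        }
        return profile;
    }

    // Replace every character outside SAFE_CHARS with '#'.
    static String sanitize(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            out.append(SAFE_CHARS.indexOf(c) >= 0 ? c : '#');
        }
        return out.toString();
    }

    // Upper-case hex SHA-256 of the UTF-8 encoding of s.
    static String hexDigest(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                                    .digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02X", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // Check a generated name against the RACF constraints stated on this page.
    static boolean isValidProfileName(String profile) {
        if (profile.isEmpty() || profile.length() > MAX_PROFILE_LENGTH) return false;
        for (int i = 0; i < profile.length(); i++) {
            if (SAFE_CHARS.indexOf(profile.charAt(i)) < 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        HardenedSafRoleMapper mapper = new HardenedSafRoleMapper();
        Properties ctx = new Properties();
        ctx.setProperty(SAFRoleMapper.DOMAIN_NAME, "WASPFX"); // constructed sample prefix
        mapper.initialize(ctx);

        // Constructed sample roles: a clean name, a name with spaces and '%',
        // and a name longer than the RACF limit.
        StringBuilder longRole = new StringBuilder();
        for (int i = 0; i < 300; i++) longRole.append('R');
        String[][] samples = {
            {"PayrollApp", "Manager"},
            {"PayrollApp", "Payroll Clerk 100%"},
            {"PayrollApp", longRole.toString()},
        };
        for (String[] s : samples) {
            String p = mapper.getProfileNameFromRole(s[0], s[1]);
            System.out.println(p.length() + " valid=" + isValidProfileName(p) + " " + p);
        }
    }
}
```

A clean role such as Manager maps exactly as in the page's sample (WASPFX.PayrollApp.Manager), so existing EJBROLE profiles keep working; only names that needed substitution or truncation gain the digest suffix, and the security administrator defines those profiles under the suffixed name the mapper prints. Run the mapper against the application's full role list before deployment and confirm that isValidProfileName is true and that no two roles produce the same profile.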
Related:
System Authorization Facility for role-based authorization
Developing extensions to the WebSphere security infrastructure