(ZOS) Java Platform, Enterprise Edition identity and an operating system thread identity
A user is identified by an identity that WebSphere Application Server must authenticate before the user can access a WAS application in a secure environment.
Understanding the different types of identities: WAS authenticates the user identity and represents the user with a JAAS subject. A subject contains one or more principals (technology-dependent representations of the authenticated user identity). The identities involved are:
- User identities
  - Java EE identity: The user identity authenticated by WebSphere and used for access control decisions made by WAS in the Java EE runtime, such as the user identity associated with a Java EE application request and used in EJB method permission checks.
  - Operating system (OS) identity: The user identity authenticated by the underlying operating system and used for access control decisions made by the OS and its subsystems, such as the user identity that the SAF STARTED class facility assigns to a WAS for z/OS servant and that the file system checks when the server attempts to access files.
- Thread identity
  - Java thread identity: The Java EE identity currently associated with a Java thread managed by the WebSphere Java EE runtime (a Java thread is the JVM representation of a thread). The Java thread is backed by an operating system (OS) thread, but the JVM manages the user identity on the Java representation of the thread, separately from the user identity that the operating system manages on the OS thread. The Java EE identity is current on the Java thread for the life of a given application request.
  - OS thread identity: The operating system identity currently associated with the operating system thread. The OS thread identity is typically the user identity assigned to the servant and is normally not the same as the Java thread identity. WAS also maintains a Java EE identity that corresponds to the OS identity assigned to the servant; this Java EE identity can be used as a RunAs identity.
- RunAs identity: The Java EE identity chosen as the Java thread identity for a given Java EE application request, based on the RunAs deployment descriptor policy of the EJB invoked within the request. Normally this is the identity of the authenticated user who made the request. WAS RunAs policy allows three choices for the Java thread identity of the current request:
  - Assign the client (for example, user) Java EE identity, also referred to as RunAs Caller
  - Assign the server's Java EE identity
  - Assign the Java EE identity that is in the specified role
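The following is an added example, not code from the WebSphere documentation or from IBM, showing how the RunAs policy above changes the Java thread identity at an EJB invocation boundary. The bean names and role names are hypothetical, and the user mapped to the OrderProcessor role is assigned in the WAS application bindings at deployment time rather than in source. The block shows two source files.

```java
// Added example, not IBM's code: RunAs at an EJB boundary in WAS.
// Names are hypothetical. The user mapped to the OrderProcessor role is set in the
// WAS application bindings at deployment time, not in this source.

// --- File: AuditBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/** Downstream bean: reports the Java thread identity current for its invocation. */
@Stateless
public class AuditBean {
    @Resource
    private SessionContext ctx;

    /** Only the RunAs-mapped user (or anyone else in OrderProcessor) may call this. */
    @RolesAllowed("OrderProcessor")
    public String recordAndReturnCaller() {
        // The principal comes from the JAAS subject WAS put on the Java thread for
        // this call; it says nothing about the OS identity on the underlying TCB.
        return ctx.getCallerPrincipal().getName();
    }
}

// --- File: OrderFacadeBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * Front bean called by end users. @RunAs selects the "specified role" RunAs choice:
 * calls this bean makes to other components run with the Java EE identity mapped
 * to OrderProcessor. Delete the @RunAs line and you get RunAs Caller instead,
 * in which case the user's own identity reaches AuditBean and the
 * @RolesAllowed check there rejects a plain Customer with EJBAccessException.
 */
@Stateless
@DeclareRoles({"Customer", "OrderProcessor"})
@RolesAllowed("Customer")
@RunAs("OrderProcessor")
public class OrderFacadeBean {
    @Resource
    private SessionContext ctx;

    @EJB
    private AuditBean audit;

    /** Returns "clientUser -> identityAuditBeanSaw". */
    public String placeOrder() {
        // Inside this bean the caller principal is still the client: RunAs changes
        // the identity used for outbound calls, not the identity of the caller.
        String client = ctx.getCallerPrincipal().getName();
        String seenDownstream = audit.recordAndReturnCaller();
        return client + " -> " + seenDownstream;
    }
}
```

The RunAs Server choice has no standard annotation; it is selected in the WebSphere EJB extension settings for the bean rather than in the Java EE descriptor. In all three cases the RunAs identity is only the Java thread identity: the TCB the call is dispatched on still carries the servant's OS identity unless the server has been configured to synchronize the OS thread identity with the Java thread identity.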
When security is enabled, each WAS for z/OS request that invokes a Java EE component is authenticated to ensure that an authorized user is requesting access. The authenticated user is represented by a Java EE identity, which is carried as a JAAS subject. The subject contains one or more principals, each corresponding to a specific user identity, and WAS manages this association. A Java EE identity and an OS identity are associated with each other when they carry the same user name and represent the same user; they are still held and checked by different layers (the JVM and the operating system respectively).
WAS for z/OS dispatches component requests in one of its available servant processes. Within the servant process the component request is dispatched on a Java thread, which the JVM maps internally to a z/OS thread control block (TCB). A TCB is an operating system thread and is part of the native process infrastructure. A servant process is assigned an OS identity when it starts; the z/OS security policy uses the SAF STARTED class facility to assign that identity, and it is this identity that the TCBs in the servant carry.
Java EE authorization decisions including role authorization and permission checking are determined using the Java EE identity. Through a configuration setting, role authorization checking can be delegated to the underlying operating system security manager (such as System Authorization Facility (SAF)), in which case the associated operating system OS identity is used in the role authorization decision.
Some resource managers on z/OS make authorization decisions using the OS thread identity rather than the Java EE identity. For example, file system access control is determined entirely by which OS thread identity is on the TCB when the file is accessed. Similarly, local Java Database Connectivity (JDBC) connections to DB2 for z/OS use the OS thread identity on the TCB as the authorization identity under certain configurations. Unlike the file system, which applications access directly, DB2 for z/OS and similar resource managers are reached through Java Message Service (JMS), JDBC, or Java EE Connector Architecture (JCA) connectors managed by WAS for z/OS connection management; when such a connector presents the OS thread identity to the resource manager, we say that the connector uses operating system thread security. The practical consequence is that the identity the resource manager evaluates is whatever is on the TCB, which is normally the servant identity rather than the requesting user's Java EE identity, unless the server is configured to synchronize the OS thread identity with the Java thread identity (see the related topics below).
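The check a practitioner wants for a connector that uses operating system thread security is to see which identity the resource manager actually evaluated, rather than assuming it from the configuration. The following is an added example, not from the WebSphere documentation or from IBM, that reads DB2's SESSION_USER special register over a local JDBC connection and compares it with the caller principal on the Java thread. The JNDI name jdbc/db2local, the bean name and the Probe type are assumptions.

```java
// Added example, not IBM's code: observe which identity a local DB2 for z/OS
// connection carried, and compare it with the Java thread identity.
// File: IdentityProbeBean.java (bean name and JNDI name are hypothetical).
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class IdentityProbeBean {
    @Resource
    private SessionContext ctx;

    // Assumed: a WAS for z/OS data source bound at this JNDI name that uses the
    // DB2 Universal JDBC driver's local (type 2) connectivity to DB2 for z/OS.
    @Resource(lookup = "jdbc/db2local")
    private DataSource db2;

    /** Result of one probe: the two identities side by side. */
    public static final class Probe {
        public final String javaThreadIdentity;   // Java EE identity on the Java thread
        public final String db2AuthorizationId;   // primary authorization ID DB2 used
        Probe(String javaId, String db2Id) {
            javaThreadIdentity = javaId;
            db2AuthorizationId = db2Id;
        }
        /** True when the connector presented the requester's identity, not the servant's. */
        public boolean identitiesMatch() {
            // SAF user IDs are uppercase; the WAS principal name may not be.
            return javaThreadIdentity.equalsIgnoreCase(db2AuthorizationId);
        }
    }

    public Probe probe() throws SQLException {
        String javaId = ctx.getCallerPrincipal().getName();
        // SESSION_USER is the primary authorization ID of the DB2 connection.
        // With thread identity support it reflects the OS thread identity that was
        // on the TCB when the connection was obtained.
        try (Connection c = db2.getConnection();
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT SESSION_USER FROM SYSIBM.SYSDUMMY1")) {
            if (!rs.next()) {
                throw new SQLException("SYSIBM.SYSDUMMY1 returned no row");
            }
            return new Probe(javaId, rs.getString(1).trim());
        }
    }
}
```

Invoked by an authenticated user whose Java EE identity is, say, ALICE, the probe returns the servant's SAF user ID as db2AuthorizationId and identitiesMatch() is false when the connection uses the OS thread identity and no synchronization has been configured. When the server is configured to synchronize the OS thread identity with the Java thread identity and the connection is obtained on that thread, the two agree. Either way the result tells you which identity DB2's authorization checks are being made against, which is the fact that matters when auditing least privilege for the servant's user ID.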
For more information, refer to:
- Java thread identity and an operating system thread identity
- Connection Manager RunAs Identity Enabled and system security
- Application Synch to OS Thread Allowed
- Connection thread identity
- Use thread identity support
Related:
- Java thread identity and an operating system thread identity
- Application Synch to OS Thread Allowed
- Connection Manager RunAs Identity Enabled and system security
- When to use application Synch to OS Thread Allowed