5.1.4: The WebSphere delegation model

The WebSphere delegation model is an extension of the Enterprise JavaBeans 1.1 specification; delegation is fully addressed in the Enterprise JavaBeans 2.0 specification. Enterprise beans can have delegation policies; Web resources cannot.

Delegation allows an intermediary to perform a task initiated by a client under an identity determined by the associated policy. Therefore, enforcement of delegation policies affects the identity under which the intermediary performs downstream invocations, that is, invocations made by the intermediary on other objects in order to complete the current request. By default, if no delegation policy is set, the intermediary uses the identity of the requesting client while making the downstream calls. Alternatively, the intermediary can perform the downstream invocations under its own identity or under an identity specified by configuration.

When the intermediary operates under an identity other than its own, downstream resources do not know the identity of the intermediary. Therefore, they make their access decisions based on the privileges associated with the identity being used.

The administrator specifies a delegation policy by setting the run-as mode for each enterprise-bean method. For each method, the administrator can choose among three policies:
  • The client identity
  • The system identity, the identity of the intermediary
  • A specified identity, based on a particular role, named in the delegation policy

For example, suppose that a client invokes a session bean that invokes an entity bean. If the delegation policy states that methods are invoked under the client's identity, the session bean makes its invocations under the client's identity. Therefore, it is the client, rather than the session bean, that must have permission to invoke the entity-bean methods. If the delegation policy requires the system identity, the session bean makes its invocation under the identity of the server in which the session bean resides; it is this server that must have permission on the entity-bean methods. Finally, if the delegation policy requires a specified identity, the session bean invokes the methods under this identity, so the specified identity must have permission on the entity-bean methods.

In WebSphere Application Server, the application assembler determines the use of delegation by using the application-assembly tool (AAT) to set the SecurityIdentity value in the deployment descriptor. If this value is not set, no special instructions about security identities are used, and the intermediary uses the caller identity for any downstream invocations. The SecurityIdentity value can be associated with any of the following types:

  • UseCallerIdentity (cannot be used for message-driven beans)
  • UseSystemIdentity
  • RunAsSpecifiedIdentity

Use of UseCallerIdentity means that the intermediary will use its client's credentials for downstream invocations. Use of UseSystemIdentity means that the intermediary will use its own credentials for downstream invocations. Use of RunAsSpecifiedIdentity means that credentials determined elsewhere will be used.

The application assembler does not typically know the makeup of the run-time environment, including the specific user identities that are available. Therefore, it can be impossible for an assembler to have a concrete value to specify for an intermediary that is to run as a specified identity. For this reason, the run-as identity is designated as a logical role name, which corresponds to one of the security roles defined in the deployment descriptor. That is, if the type of identity is specified as the RunAsSpecifiedIdentity type, the deployment descriptor also contains a runAsSpecifiedIdentity element with a roleName attribute. Thus, to establish a delegation policy under which a resource runs as an administrator, that is, a member of the admin role, the runAsSpecifiedIdentity element looks like this:

...
<runAsSpecifiedIdentity
    xmi:id="Identity_1"
    roleName="admin"
    description=""
/>
...

At deployment time, a particular user is assigned to that role and becomes the run-as identity by indirection. This allows you to use the specified-identity delegation policy to run beans under the identity of a user who has been associated with the role.
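
The session-bean and entity-bean example above, modelled as an added Python example (not code from the original page or from WebSphere): it resolves the downstream identity for each SecurityIdentity type, including the role-to-user indirection at deployment time, and applies the entity bean's access check to that identity. All user, role, server and method names are constructed.

```python
# Added example: a model of the delegation rules on this page, not WebSphere code.
# Every user, role, server and method name below is constructed for illustration.
USE_CALLER = "UseCallerIdentity"
USE_SYSTEM = "UseSystemIdentity"
RUN_AS_SPECIFIED = "RunAsSpecifiedIdentity"

SERVER_ID = "server1"                       # identity of the server hosting the session bean
USER_ROLES = {"alice": {"teller"}, "bob": {"customer"},
              "server1": {"teller"}, "opsadmin": {"admin"}}
METHOD_PERMISSIONS = {"AccountEntity.update": {"teller", "admin"}}
RUN_AS_BINDINGS = {"admin": "opsadmin"}     # role -> user, assigned at deployment time


class DelegationError(Exception):
    """The configured delegation policy cannot be applied."""


def downstream_identity(policy, client, run_as_role=None):
    """Identity the intermediary (session bean) uses for downstream invocations."""
    if policy is None or policy == USE_CALLER:   # unset value falls back to the caller
        return client
    if policy == USE_SYSTEM:
        return SERVER_ID
    if policy == RUN_AS_SPECIFIED:
        # The descriptor names only a role; the concrete user comes from deployment.
        user = RUN_AS_BINDINGS.get(run_as_role)
        if user is None:
            raise DelegationError(f"no user assigned to run-as role {run_as_role!r}")
        return user
    raise DelegationError(f"unknown SecurityIdentity type {policy!r}")


def is_permitted(identity, method):
    """Downstream access decision, made only on the identity being used."""
    return bool(USER_ROLES.get(identity, set()) & METHOD_PERMISSIONS.get(method, set()))


def evaluate(client, policy, run_as_role=None):
    """Session bean calls AccountEntity.update on behalf of `client`."""
    identity = downstream_identity(policy, client, run_as_role)
    return identity, is_permitted(identity, "AccountEntity.update")


if __name__ == "__main__":
    for policy, role in [(None, None), (USE_CALLER, None),
                         (USE_SYSTEM, None), (RUN_AS_SPECIFIED, "admin")]:
        identity, allowed = evaluate("bob", policy, role)
        print(f"{str(policy):24} downstream identity={identity:9} permitted={allowed}")
```

With the system identity or a specified identity, the entity bean's check passes even when the original client holds no permission on the method, so the permissions on the session-bean methods are what constrain the client.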
