
5.7: The Secure Association Service (SAS)

When global security is enabled in WebSphere Application Server, all requests from clients to Enterprise JavaBeans are sent as RMI/IIOP messages via the Object Request Broker (ORB) to the server that hosts the enterprise beans. As part of every such request and response, the ORB invokes the Secure Association Service (SAS) on the client and the server sides. On the client side, SAS intercepts requests before they are sent, obtains the client's security credentials, attaches the credentials to the request as part of the security context, and sends the request. On the server side, SAS intercepts the incoming request, extracts the security context from the message, authenticates the client's credentials, and passes the request to the enterprise bean container, where the request is authorized. The response is also routed through the SAS interceptors.

This article discusses the work performed by the Secure Association Service and describes the properties available to configure its behavior.

The business methods in the client do not need to be written to handle security. Security policies are defined during the deployment phase, and WebSphere Application Server automatically enforces the defined security policy, which specifies authorization requirements, before invoking the requested methods. The only thing required of the user of a client program is authentication information. In some cases, the client program uses the CORBA security interfaces to establish the proper credentials programmatically, before methods are invoked. In applications that do not establish credentials programmatically, SAS automatically prompts the user to collect the necessary information. The information collected is determined by the setting of the com.ibm.CORBA.loginSource property. For example, if the value of this property is prompt, SAS prompts the user for a user ID and password combination. If the user does not enter the information within a specified period of time, determined by the value of the com.ibm.CORBA.loginTimeout property, SAS removes the login prompt and the request is sent with no security credentials. If the requested method is protected, the request fails because the user does not have the necessary permission. If a method allows access to everyone, authenticated or not, the request can succeed.
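As an added example, not taken from this InfoCenter page, the following client-side properties fragment sets the two SAS properties discussed above. The file name sas.client.props, the 300-second value and the comment text are assumptions; only the two property names and the prompt value come from the text above.

```properties
# sas.client.props (assumed file name): client-side SAS settings

# How SAS obtains credentials when the client program has not established
# them programmatically through the CORBA security interfaces.
# "prompt" makes SAS display a user ID / password prompt to the user.
com.ibm.CORBA.loginSource=prompt

# How long (seconds; 300 is an assumed value) the prompt stays open.
# When it expires, SAS removes the prompt and sends the request with no
# credentials: protected methods then fail with a permission error, and
# only methods that allow everyone can still succeed.
com.ibm.CORBA.loginTimeout=300
```

The timeout fallback is the setting to watch: an unattended client that never answers the prompt will not hang, but it will silently continue as an unauthenticated caller. Client code should therefore treat an authorization failure after the timeout as a login problem to report, not as a transient error to retry.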

Go to previous article: Options used with the keytool command Go to next article: Client-side SAS
