This topic applies only on the z/OS operating system.

Developing a custom SAF EJB role mapper

WebSphere Application Server for z/OS allows an installation to map Java 2 Platform, Enterprise Edition (J2EE) role names to SAF EJBRole profile names.

Before you begin

WebSphere Application Server for z/OS supports the use of a custom SAF EJB role mapper. The custom SAF EJB role mapper allows an installation to map J2EE role names to SAF EJBRole profile names. Without the SAF EJB role mapper, you must deploy an application by using a role in the deployment descriptor of a component that is identical to the name of an EJBROLE class profile. The security administrator defines EJBROLE profiles and provides the permission to these profiles to SAF users or groups.

Using SAF EJBROLE class profiles can conflict with the standard J2EE role naming conventions. J2EE role names are Unicode strings of any length. RACF class profiles are restricted to 240 characters in length and cannot be defined if they contain any white space or extended code page characters.

If a J2EE role name for an installation conflicts with these RACF restrictions, an installation can use the SAF EJB role mapper exit to map the desired J2EE role name to an acceptable class profile name.

The custom SAF role mapper is a Java-based exit that replaces the EJBROLE class profile construction algorithm. The custom SAF role mapper is called to generate a profile name for authorization and delegation requests. The role mapper receives the name of the application and the name of the role, and returns the appropriate class profile name. Information about the server name, cell name, and the z/OS security domain name prefix is provided to the implementation during initialization.

You enable the role mapper by setting the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control.

Procedure

  1. Build your custom SAF role mapper. The SAFRoleMapper example (below) can be used as a reference.
    import java.util.Properties;
    import com.ibm.websphere.security.SAFRoleMapper; // package name assumed; check the WebSphere Javadoc

    public class SAFRoleMapperImpl1 implements SAFRoleMapper {
        String domainPrefix = null;

        // Called once by the server; the context carries the server name, cell name
        // and z/OS security domain name prefix described above.
        public void initialize(Properties context) {
            // Properties.get() returns Object; getProperty() returns the String needed here.
            domainPrefix = context.getProperty(SAFRoleMapper.DOMAIN_NAME);
        }

        // Called for each authorization and delegation request.
        public String getProfileNameFromRole(String app, String role) {
            String profile = app + "." + role;
            if (domainPrefix != null) {
                profile = domainPrefix + "." + profile;
            }
            // Replace RACF generic characters and white space, which a profile name cannot contain.
            profile = profile.replaceAll("\\%", "#");
            profile = profile.replaceAll("\\&", "#");
            profile = profile.replaceAll("\\*", "#");
            profile = profile.replaceAll("\\s", "#");

            return profile;
        }
    }

  2. Enable the role mapper by setting the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control.
  3. Enable SAF authorization by setting the custom property com.ibm.websphere.security.SAF.authorization to true.
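The reference mapper above only rewrites four characters and never checks the 240-character limit quoted earlier. The following mapper is an added example, not IBM's code: it enforces every RACF restriction the text names and, when a name must be shortened, appends a digest so two different roles do not end up sharing one EJBROLE profile (and therefore one set of permissions). It assumes the WebSphere interface is com.ibm.websphere.security.SAFRoleMapper with the two methods shown in the reference example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Properties;
import com.ibm.websphere.security.SAFRoleMapper; // assumed package of the WebSphere interface

// Added example (not IBM's code): output always satisfies the RACF limits stated in the text.
public class SafeProfileRoleMapper implements SAFRoleMapper {
    static final int MAX_PROFILE_LEN = 240;      // RACF profile name limit from the text
    static final int DIGEST_CHARS = 16;          // hex suffix appended when a name is shortened
    static final String REPLACE_CHARS = "%&*";   // generic characters the reference example rewrites
    private String domainPrefix;

    public void initialize(Properties context) {
        domainPrefix = context.getProperty(SAFRoleMapper.DOMAIN_NAME);
    }

    public String getProfileNameFromRole(String app, String role) {
        return toProfileName(domainPrefix, app, role);
    }

    // Pure mapping function so the rule can be unit-tested outside the server.
    static String toProfileName(String prefix, String app, String role) {
        String raw = (prefix == null || prefix.isEmpty()) ? app + "." + role : prefix + "." + app + "." + role;
        StringBuilder sb = new StringBuilder(raw.length());
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            // Keep printable ASCII only; white space, control and extended (non-ASCII) characters become '#'.
            boolean bad = c < 0x21 || c > 0x7E || REPLACE_CHARS.indexOf(c) >= 0;
            sb.append(bad ? '#' : c);
        }
        String profile = sb.toString();
        if (profile.length() > MAX_PROFILE_LEN) {
            // Plain truncation could map two distinct roles to one profile; keep the head and add a digest of the full name.
            String tag = sha256Hex(raw).substring(0, DIGEST_CHARS);
            profile = profile.substring(0, MAX_PROFILE_LEN - DIGEST_CHARS - 1) + "." + tag;
        }
        return profile;
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, d)); // zero-padded, 64 hex digits
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every Java runtime
        }
    }
}
```

The security administrator must define the EJBROLE profiles under the names this mapper generates, so keep toProfileName deterministic and publish its rule alongside the deployment.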

Last updated: Aug 29, 2010 9:31:45 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=vela&product=was-nd-mp&topic=tsec_safrolemap
File name: tsec_safrolemap.html