WebSphere Application Server Version 6.1 Feature Pack for Web Services
             Operating Systems: z/OS

This topic applies only on the z/OS operating system.

Developing a custom SAF EJB role mapper

WebSphere Application Server for z/OS allows an installation to map Java 2 Platform, Enterprise Edition (J2EE) role names to SAF EJBRole profile names.

Before you begin

WebSphere Application Server for z/OS supports the use of a custom SAF EJB role mapper. The custom SAF EJB role mapper allows an installation to map J2EE role names to SAF EJBRole profile names. Without the SAF EJB role mapper, the role that you specify in the deployment descriptor of a component when you deploy an application must be identical to the name of an EJBROLE class profile. The security administrator defines EJBROLE profiles and grants SAF users or groups permission to these profiles.

Using SAF EJBROLE class profiles can conflict with the standard J2EE role naming conventions. J2EE role names are Unicode strings of any length. RACF class profiles are restricted to 240 characters in length and cannot be defined if these profiles contain any white spaces or extended code page characters.

If a J2EE role name for an installation conflicts with these RACF restrictions, an installation can use the SAF EJB role mapper exit to map the desired J2EE role name to an acceptable class profile name.

The custom SAF role mapper is a Java-based exit that replaces the EJBROLE class profile construction algorithm. The custom SAF role mapper is called to generate a profile for authorization and delegation requests. The role mapper is passed the name of the application and the name of the role, and passes back the appropriate class profile name. Information about the server name, cell name, and the z/OS security domain name prefix is provided to the implementation during initialization.

You can set the com.ibm.websphere.security.SAF.RoleMapper custom property on the z/OS SAF authorization panel in the administrative console. You also can enable the role mapper by setting the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control.

Procedure

  1. Build your custom SAF role mapper. The SAFRoleMapper example (below) can be used as a reference.
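    import java.util.Properties;

    // Package name assumed; SAFRoleMapper supplies the DOMAIN_NAME context key.
    import com.ibm.websphere.security.SAFRoleMapper;

    public class SAFRoleMapperImpl1 {
        // z/OS security domain name prefix, or null if none is provided
        String domainPrefix = null;

        // Called during initialization with the server, cell, and domain information
        public void initialize(Properties context) {
            domainPrefix = (String) context.get(SAFRoleMapper.DOMAIN_NAME);
        }

        // Returns the EJBROLE class profile name for the given application and role
        public String getProfileNameFromRole(String app, String role) {
            String profile = app + "." + role;
            if (domainPrefix != null) {
                profile = domainPrefix + "." + profile;
            }
            // Replace characters that are not acceptable in a class profile name
            profile = profile.replaceAll("\\%", "#");
            profile = profile.replaceAll("\\&", "#");
            profile = profile.replaceAll("\\*", "#");
            profile = profile.replaceAll("\\s", "#");

            return profile;
        }
    }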
    
  2. Click Security > Secure administration, applications, and infrastructure > z/OS SAF authorization and enable the role mapper by providing the name of the class that you want to give control in the SAF profile mapper field. You also can set this property as a custom property by entering com.ibm.websphere.security.SAF.RoleMapper as the name and providing the name of the class in the value field.
  3. Click Security > Secure administration, applications, and infrastructure > External authorization providers and select the System Authorization Facility (SAF) authorization option to enable SAF as the authorization provider. After you select this option, click z/OS SAF authorization under Related items to configure the SAF authorization options.

    You also can set this property as a custom property by entering com.ibm.websphere.security.SAF.authorization as the name and true as the value.
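
As an added example (not IBM's code), the following stand-alone Java check applies the same character substitution as the reference mapper in step 1 to a list of role names, enforces the 240-character limit described earlier, and reports role names that end up sharing one EJBROLE profile and would therefore receive the same SAF permissions. The class name, the sample roles, and the treatment of any character outside printable ASCII as an extended code page character are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical pre-deployment check; does not depend on WebSphere classes.
public class RoleMappingCheck {
    static final int MAX_PROFILE_LENGTH = 240; // RACF limit stated in this topic

    // Same substitution as the reference mapper, extended (assumption) to
    // replace any character outside printable ASCII as well.
    static String toProfile(String domainPrefix, String app, String role) {
        String profile = app + "." + role;
        if (domainPrefix != null) {
            profile = domainPrefix + "." + profile;
        }
        profile = profile.replaceAll("[%&*\\s]", "#");
        profile = profile.replaceAll("[^\\x21-\\x7E]", "#");
        if (profile.length() > MAX_PROFILE_LENGTH) {
            // Fail instead of truncating: truncation could merge distinct roles.
            throw new IllegalArgumentException("Profile exceeds 240 characters: " + role);
        }
        return profile;
    }

    // Groups role names by generated profile and keeps only the profiles
    // that more than one role name in the list maps to.
    static Map<String, List<String>> findCollisions(String prefix, String app, List<String> roles) {
        Map<String, List<String>> byProfile = new LinkedHashMap<>();
        for (String role : roles) {
            byProfile.computeIfAbsent(toProfile(prefix, app, role), k -> new ArrayList<>()).add(role);
        }
        byProfile.values().removeIf(names -> names.size() < 2);
        return byProfile;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real application.
        List<String> roles = Arrays.asList("Bank Teller", "Bank*Teller", "Manager", "G\u00e9rant");
        for (String role : roles) {
            System.out.println(role + " -> " + toProfile("TEST", "PayrollApp", role));
        }
        findCollisions("TEST", "PayrollApp", roles).forEach((profile, names) ->
            System.out.println("COLLISION " + profile + " <- " + names));
    }
}
```

With the sample input, "Bank Teller" and "Bank*Teller" both map to TEST.PayrollApp.Bank#Teller, so a mapper that substitutes several characters with the same replacement should be checked against the full set of deployed role names.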





Last updated: Nov 25, 2008 2:35:59 AM CST
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.wsfep.multiplatform.doc/info/ae/ae/tsec_safrolemap.html