To extend the function that is provided by the Java Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject or invocation subject with a different valid entry that is used for outbound requests on this running thread.
This extension gives you the flexibility to associate the Subject with all the remote calls on this thread, whether or not you use a WSSubject.doAs method to associate the subject with the remote action.
An application developer can use the WSSubject.doAs method to establish a JAAS subject that is authenticated by a JAAS login module as the active security identity for the WebSphere Application Server runtime to use while performing a specified action. WSSubject.doAs only synchronizes the thread identity when it is called within a component that is configured for sync-to-thread. When used with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.
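// WSSecurityException is com.ibm.websphere.security.WSSecurityException
javax.security.auth.Subject runas_subject = null;
boolean runAsChanged = false;
try
{
    javax.security.auth.Subject caller_subject;
    runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
    // set a new RunAs subject for the thread, overriding the one declaratively set
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);
    runAsChanged = true;
    // do some remote calls
}
catch (WSSecurityException e)
{
    // log error
}
catch (Exception e)
{
    // log error
}
finally
{
    // restore back to the previous runAsSubject, even if a remote call failed,
    // so the overriding identity does not stay on this thread
    if (runAsChanged)
    {
        try
        {
            com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
        }
        catch (WSSecurityException e)
        {
            // log error
        }
    }
}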
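The WSSubject.doAs usage described above, as an added example that is not part of the original page or IBM's own sample code: it authenticates through a JAAS login configuration and runs one action under the resulting subject. It assumes the WebSphere runtime libraries are on the classpath and that the "WSLogin" application login configuration is available; the class DoAsExample, the interface RemoteCall and the method callAs are hypothetical names.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

public class DoAsExample {   // hypothetical class name

    /** Hypothetical stand-in for the remote work the application performs. */
    public interface RemoteCall<T> {
        T invoke() throws Exception;
    }

    /**
     * Authenticates the given user with JAAS and runs the call with that
     * subject as the active security identity for the duration of the call.
     * Credentials are passed in by the caller; nothing is hard-coded here.
     */
    @SuppressWarnings("unchecked")
    public static <T> T callAs(String user, String password, final RemoteCall<T> call)
            throws Exception {
        // Assumption: "WSLogin" is the JAAS login configuration to use.
        LoginContext lc =
            new LoginContext("WSLogin", new WSCallbackHandlerImpl(user, password));
        lc.login();                       // throws LoginException on bad credentials
        Subject subject = lc.getSubject();
        try {
            // The subject is active only inside run(); the identity that was
            // on the thread before applies again once doAs returns. The OS
            // thread identity changes only in a component that is configured
            // for sync-to-thread.
            return (T) WSSubject.doAs(subject, new PrivilegedExceptionAction<T>() {
                public T run() throws Exception {
                    return call.invoke();
                }
            });
        } catch (PrivilegedActionException e) {
            // Unwrap so the caller sees the failure raised by the remote call.
            throw e.getException();
        } finally {
            // Standard JAAS cleanup of what the login modules attached.
            lc.logout();
        }
    }
}
```

Unlike setRunAsSubject, which changes the RunAs subject for the rest of the thread until it is set back, doAs limits the identity to the single action passed to it.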