Overriding the RunAs subject on the thread for JAAS
To extend the function that is provided by the Java™ Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject or invocation subject with a different valid entry that is used for outbound requests on this running thread.
Before you begin
- permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject"
- permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject"
- permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject"
About this task
This extension gives you the flexibility to associate the Subject with all the remote calls on this thread, whether or not you use a WSSubject.doAs method to associate the subject with the remote action.
An application developer can use the WSSubject.doAs method to establish a JAAS subject that is authenticated by a JAAS login module as the active security identity for the WebSphere® Application Server runtime to use while performing a specified action. WSSubject.doAs only synchronizes the thread identity when it is called within a component that is configured for sync-to-thread. When used with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.
Procedure
Example
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

try {
    // capture the current RunAs subject and the caller subject for this thread
    Subject runas_subject = WSSubject.getRunAsSubject();
    Subject caller_subject = WSSubject.getCallerSubject();
    // set a new RunAs subject for the thread, overriding the one declaratively set
    WSSubject.setRunAsSubject(caller_subject);
    try {
        // do some remote calls
    } finally {
        // restore back to the previous runAsSubject, even if a remote call throws,
        // so the overridden identity does not stay on the thread
        WSSubject.setRunAsSubject(runas_subject);
    }
} catch (WSSecurityException e) {
    // log error
} catch (Exception e) {
    // log error
}
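The WSSubject.doAs path described under About this task, shown as an added example that is not part of the original page or IBM's own sample code. The class name ScopedIdentity and the method runAsUser are hypothetical, the "WSLogin" JAAS login configuration is assumed to be available to the application, and the credentials are assumed to come from the caller rather than from source code.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;

// Hypothetical helper: authenticates a user with JAAS and runs one action
// under that identity, instead of overriding the RunAs subject for the
// whole thread with setRunAsSubject.
public final class ScopedIdentity {

    private ScopedIdentity() {
    }

    /**
     * Logs in through the "WSLogin" JAAS configuration (assumed to exist)
     * and runs the action with the authenticated Subject as the active
     * security identity. The identity applies only while the action runs,
     * so there is no previous RunAs subject to restore afterwards.
     */
    public static <T> T runAsUser(String user, String realm, String password,
                                  PrivilegedExceptionAction<T> action)
            throws LoginException, PrivilegedActionException {
        // A failed authentication throws LoginException before any
        // identity is associated with the action.
        LoginContext lc = new LoginContext("WSLogin",
                new WSCallbackHandlerImpl(user, realm, password));
        lc.login();
        Subject subject = lc.getSubject();

        // Remote calls made inside action.run() use this subject.
        // An exception thrown by the action is wrapped in
        // PrivilegedActionException; getException() returns the cause.
        @SuppressWarnings("unchecked")
        T result = (T) WSSubject.doAs(subject, action);
        return result;
    }
}
```

Compared with setRunAsSubject, this form needs no explicit restore step, but it covers only the calls made inside the action rather than every remote call on the thread.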