com.ibm.websphere.security.auth
Class WSSubject
- java.lang.Object
com.ibm.websphere.security.auth.WSSubject
- public final class WSSubject
- extends java.lang.Object
The WSSubject class is provided to work around a design oversight in Java 2 Security. When integrating JAAS doAs with the Java 2 Security doPrivileged programming model, the doPrivileged call did not propagate the Subject object. This workaround provides doAs and doAsPrivileged static functions in which the Subject is set as the invocation subject. The WSSubject.doAs and doAsPrivileged methods then invoke the corresponding Subject.doAs and doAsPrivileged methods. This workaround can provide the desired remote EJB doAs invocation behavior. The workaround can function correctly regardless of whether the actual fix gets into JDK 1.3.1 or not.
Please note: if the Subject is null, or the Subject does not contain an instance of com.ibm.websphere.security.cred.WSCredential in its public credential set, then an Unauthenticated credential is set as the invocation credential in the doAs{Privileged}() method calls.
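Because a null Subject or a Subject without a WSCredential is silently replaced by the Unauthenticated credential, callers that must not lose the identity can check for the credential first and fail closed. The following is an added example, not IBM's code; the class StrictDoAs and its methods are hypothetical names, and it assumes the WebSphere API classes are on the classpath.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

/** Hypothetical helper (not part of WebSphere): refuse to run as Unauthenticated. */
public final class StrictDoAs {
    private StrictDoAs() {}

    /** True only if the Subject carries a WSCredential in its public credential set. */
    static boolean hasWSCredential(Subject subject) {
        return subject != null
            && !subject.getPublicCredentials(WSCredential.class).isEmpty();
    }

    /**
     * Runs the action through WSSubject.doAs only when the given Subject would
     * actually become the invocation subject. Otherwise it throws instead of
     * letting the call proceed under the Unauthenticated credential.
     */
    public static <T> T run(Subject subject, PrivilegedExceptionAction<T> action)
            throws PrivilegedActionException {
        if (!hasWSCredential(subject)) {
            throw new SecurityException(
                "Subject is null or has no WSCredential; refusing to invoke as Unauthenticated");
        }
        // WSSubject.doAs is declared to return java.lang.Object, hence the cast.
        @SuppressWarnings("unchecked")
        T result = (T) WSSubject.doAs(subject, action);
        return result;
    }
}
```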
Method Summary
Modifier and Type | Method and Description |
---|---|
static java.lang.Object | doAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action) |
static java.lang.Object | doAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action, boolean setCaller) doAs wraps the Subject.doAs to provide the correct inter-EJB invocation behavior. |
static java.lang.Object | doAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action) |
static java.lang.Object | doAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, boolean setCaller) doAs wraps the Subject.doAs to provide the correct inter-EJB invocation behavior. |
static java.lang.Object | doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc) |
static java.lang.Object | doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc, boolean setCaller) doAsPrivileged wraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior. |
static java.lang.Object | doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc) |
static java.lang.Object | doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc, boolean setCaller) doAsPrivileged wraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior. |
static java.lang.String | getCallerPrincipal() This convenience method returns the caller principal of the current executing thread. |
static javax.security.auth.Subject | getCallerSubject() This method returns a Subject that contains the principal of the J2EE caller and the J2EE caller credential. |
static java.lang.Throwable | getRootLoginException() This convenience method returns the root login exception caught in the system login module, if one exists. |
static javax.security.auth.Subject | getRunAsSubject() This method returns a Subject that contains the principal of the J2EE run as identity and the J2EE run as credential. |
static java.lang.String | getSAFUserFromSubject(javax.security.auth.Subject subject) This convenience method returns the SAF user id that is in the passed-in Subject. |
static void | setRunAsSubject(javax.security.auth.Subject subject) This method sets the Subject as the J2EE run as identity on the current execution thread. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Method Detail
doAs
- public static java.lang.Object doAs( javax.security.auth.Subject subject,
- java.security.PrivilegedAction action)
doAs
- public static java.lang.Object doAs( javax.security.auth.Subject subject,
- java.security.PrivilegedAction action,
- boolean setCaller)
Returns: java.lang.Object
Throws: java.lang.SecurityException - Thrown if there is no doAs and other required permissions.
doAs
- public static java.lang.Object doAs( javax.security.auth.Subject subject,
- java.security.PrivilegedExceptionAction action)
- throws java.security.PrivilegedActionException
Throws: java.security.PrivilegedActionException
doAs
- public static java.lang.Object doAs( javax.security.auth.Subject subject,
- java.security.PrivilegedExceptionAction action,
- boolean setCaller)
- throws java.security.PrivilegedActionException
doAs wraps the Subject.doAs to provide the correct inter-EJB invocation behavior.
Please note, if a null Subject is passed in or the Subject does not contain an instance of com.ibm.websphere.security.cred.WSCredential, then an Unauthenticated subject is set as the Invocation subject.
If the setCaller argument is true, the "caller" subject is set with the given subject argument.
Returns: java.lang.Object
Throws: java.lang.SecurityException - Thrown if there is no doAs and other required permissions.
Throws: java.security.PrivilegedActionException
doAsPrivileged
- public static java.lang.Object doAsPrivileged( javax.security.auth.Subject subject,
- java.security.PrivilegedAction action,
- java.security.AccessControlContext acc)
doAsPrivileged
- public static java.lang.Object doAsPrivileged( javax.security.auth.Subject subject,
- java.security.PrivilegedAction action,
- java.security.AccessControlContext acc,
- boolean setCaller)
doAsPrivileged wraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.
Please note, if a null Subject is passed in or the Subject does not contain an instance of com.ibm.websphere.security.cred.WSCredential, then an Unauthenticated subject is set as the Invocation subject.
If the setCaller argument is true, the "caller" subject is set with the given subject argument.
Returns: java.lang.Object
Throws: java.lang.SecurityException - Thrown if there is no doAs and other required permissions.
doAsPrivileged
- public static java.lang.Object doAsPrivileged( javax.security.auth.Subject subject,
- java.security.PrivilegedExceptionAction action,
- java.security.AccessControlContext acc)
- throws java.security.PrivilegedActionException
Throws: java.security.PrivilegedActionException
doAsPrivileged
- public static java.lang.Object doAsPrivileged( javax.security.auth.Subject subject,
- java.security.PrivilegedExceptionAction action,
- java.security.AccessControlContext acc,
- boolean setCaller)
- throws java.security.PrivilegedActionException
doAsPrivileged wraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.
Please note, if a null Subject is passed in or the Subject does not contain a com.ibm.websphere.security.cred.WSCredential, then an Unauthenticated subject is set as the Invocation subject with the action.
If the setCaller argument is true, the "caller" subject is set with the given subject argument.
Returns: java.lang.Object
Throws: java.lang.SecurityException - Thrown if there is no doAs and other required permissions.
Throws: java.security.PrivilegedActionException
getCallerSubject
- public static javax.security.auth.Subject getCallerSubject( )
- throws WSSecurityException
This method returns a Subject that contains the principal of the J2EE caller and the J2EE caller credential. If there is no caller credential, null is returned.
If there is a caller credential in the current thread, it creates a new Subject that contains a com.ibm.websphere.security.auth.WSPrincipal and a com.ibm.websphere.security.cred.WSCredential.
This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission javax.security.auth.AuthPermission("wssecurity.getCallerSubject").
This is a server-side call, i.e., it should only be used by application code running in an application server. If this method is called by the client (application client or thin client), it returns null.
Returns: null if there is no caller identity, and also if called by application client or thin client code.
Throws: WSSecurityException - failed to get the caller identity
getRunAsSubject
- public static javax.security.auth.Subject getRunAsSubject( )
- throws WSSecurityException
This method returns a Subject that contains the principal of the J2EE run as identity and the J2EE run as credential. If there is no run as credential, null is returned.
If there is a run as credential in the current thread, it creates a new Subject that contains a com.ibm.websphere.security.auth.WSPrincipal and a com.ibm.websphere.security.cred.WSCredential.
This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission javax.security.auth.AuthPermission("wssecurity.getRunAsSubject").
Returns: null if there is no run as identity, and also if called by application client or thin client code.
Throws: WSSecurityException - failed to get the run as identity
setRunAsSubject
- public static void setRunAsSubject( javax.security.auth.Subject subject)
- throws WSSecurityException
This method sets the Subject as the J2EE run as identity on the current execution thread.
This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission javax.security.auth.AuthPermission("wssecurity.setRunAsSubject").
Throws: WSSecurityException - failed to set the run as identity
getCallerPrincipal
- public static java.lang.String getCallerPrincipal( )
This convenience method returns the caller principal of the current executing thread.
It extracts the caller from the received credentials of the current thread. If the received credentials are null, then a value of null is returned. In the EJB and Web containers, users should use the standard interface provided by the J2EE specification to get the caller principal or caller name. This method provides a way for code executing outside the containers to get the caller principal. The principal name returned is not qualified with the security realm name.
getSAFUserFromSubject
- public static java.lang.String getSAFUserFromSubject( javax.security.auth.Subject subject)
This convenience method returns the SAF user id that is in the passed-in Subject. The SAF user id is extracted from the PlatformCredential object, which is referenced by the WSCredential of the subject. If the WSCredential does not have any reference to a PlatformCredential in order to identify the SAF user id, then null is returned.
Parameters: subject - the Subject to extract the SAF user id from
getRootLoginException
- public static java.lang.Throwable getRootLoginException( )
This convenience method returns the root login exception caught in the system login module, if one exists.
It will extract the exception from the current thread. You will get what the login module sees as the root exception. This could be a nested exception. You may need to extract exceptions from the exception returned until you get the real root exception.
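Since setRunAsSubject binds the identity to the current execution thread, code that switches the run as identity should put the previous one back when it is done. The following is an added example of that pattern using getRunAsSubject and setRunAsSubject, not IBM's code; the class ScopedRunAs is a hypothetical name, and the import path com.ibm.websphere.security.WSSecurityException is not shown on this page.

```java
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

/** Hypothetical helper (not part of WebSphere): scoped run as identity switch. */
public final class ScopedRunAs {
    private ScopedRunAs() {}

    /**
     * Sets the given Subject as the run as identity while the task runs, then
     * restores the identity the thread had before, even if the task throws.
     * With Java 2 Security enabled, the calling code needs the AuthPermissions
     * "wssecurity.getRunAsSubject" and "wssecurity.setRunAsSubject".
     */
    public static void runAs(Subject subject, Runnable task) throws WSSecurityException {
        if (subject == null) {
            throw new IllegalArgumentException("run as Subject must not be null");
        }
        // getRunAsSubject returns null when the thread has no run as credential.
        Subject previous = WSSubject.getRunAsSubject();
        if (previous == null) {
            // Design choice of this example: without a previous identity there is
            // nothing to restore afterwards, so do not switch at all.
            throw new IllegalStateException("no run as identity on this thread to restore");
        }
        WSSubject.setRunAsSubject(subject);
        try {
            task.run();
        } finally {
            // Put the original identity back so later work on this thread
            // does not keep running under the temporary Subject.
            WSSubject.setRunAsSubject(previous);
        }
    }
}
```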