Class WSSubject
- java.lang.Object
-
- com.ibm.websphere.security.auth.WSSubject
-
public final class WSSubject extends java.lang.ObjectThe
WSSubjectclass is provided to workaround a design oversight in Java 2 Security. When integrating JAAS doAs with Java 2 Security doPrivileged Programming Model, the doPrivileged call did not propagate the Subject object. This workaround provides doAs and doAsPrivileged static functions in which the Subject is set as the invocation subject. Then WSSubject.doAS and doAsPrivileged methods will invoke the corresponding Subject.doAs and doAsPrivilged methods. This workaround can provide the desired remote EJB doAs invocation behavior. The workaround can function correctly regardless whether the actual fix get into JDK 1.3.1 or not.Please note,
nullSubject or the Subject does not contain an instance ofcom.ibm.websphere.security.cred.WSCredentialin the public credential set of the Subject then an Unauthenticated credential is set as the Invocation credential in thedoAs{Privileged}()methods call.- Since:
- WAS 5.0
-
-
Constructor Summary
Constructors Constructor Description WSSubject()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static java.lang.ObjectdoAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action)static java.lang.ObjectdoAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action, boolean setCaller)doAswraps the Subject.doAs to provide the correct inter-EJB invocation behavior.static java.lang.ObjectdoAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action)static java.lang.ObjectdoAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, boolean setCaller)doAswraps the Subject.doAs to provide the correct inter-EJB invocation behavior.static java.lang.ObjectdoAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc)static java.lang.ObjectdoAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc, boolean setCaller)doAsPrivilegedwraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.static java.lang.ObjectdoAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc)static java.lang.ObjectdoAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc, boolean setCaller)doAsPrivilegedwraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.static java.lang.StringgetCallerPrincipal()This convenient method returns the caller principal of the current executing thread.static javax.security.auth.SubjectgetCallerSubject()This method returns a Subject contains the principal of the J2EE caller and the J2EE caller credential.static java.lang.ThrowablegetRootLoginException()This convenient method returns the root login exception caught in the system login module, if one exists.static javax.security.auth.SubjectgetRunAsSubject()This method returns a Subject contains the principal of the J2EE run as identity and the J2EE run as credential.static java.lang.StringgetSAFUserFromSubject(javax.security.auth.Subject subject)This convenient method returns the SAF user id that is in the passed-in Subject.static voidsetRunAsSubject(javax.security.auth.Subject subject)This method set the Subject as the J2EE run as identity on the current execution thread.
-
-
-
Method Detail
-
doAs
public static java.lang.Object doAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action)
-
doAs
public static java.lang.Object doAs(javax.security.auth.Subject subject, java.security.PrivilegedAction action, boolean setCaller)doAswraps the Subject.doAs to provide the correct inter-EJB invocation behavior.Please note, if a
nullSubject is passed in or the Subject does not contain an instance ofcom.ibm.websphere.security.cred.WSCredentialthen an Unauthenticated subject is set as the Invocation subject. If setCaller argument is true, the "caller" subject is set with the given subject argument.- Returns:
- An
java.lang.Object. - Throws:
java.lang.SecurityException- Thrown if there is no doAs and other required permissions.
-
doAs
public static java.lang.Object doAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action) throws java.security.PrivilegedActionException- Throws:
java.security.PrivilegedActionException
-
doAs
public static java.lang.Object doAs(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, boolean setCaller) throws java.security.PrivilegedActionExceptiondoAswraps the Subject.doAs to provide the correct inter-EJB invocation behavior.Please note, if a
nullSubject is passed in or the Subject does not contain an instance ofcom.ibm.websphere.security.cred.WSCredentialthen an Unauthenticated subject is set as the Invocation subject. If setCaller argument is true, the "caller" subject is set with the given subject argument.- Returns:
- An
java.lang.Object. - Throws:
java.lang.SecurityException- Thrown if there is no doAs and other required permissions.java.security.PrivilegedActionException
-
doAsPrivileged
public static java.lang.Object doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc)
-
doAsPrivileged
public static java.lang.Object doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedAction action, java.security.AccessControlContext acc, boolean setCaller)doAsPrivilegedwraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.Please note, if a
nullSubject is passed in or the Subject does not contain an instance ofcom.ibm.websphere.security.cred.WSCredentialthen an Unauthenticated subject is set as the Invocation subject. If setCaller argument is true, the "caller" subject is set with the given subject argument.- Returns:
- An
java.lang.Object. - Throws:
java.lang.SecurityException- Thrown if there is no doAs and other required permissions.
-
doAsPrivileged
public static java.lang.Object doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc) throws java.security.PrivilegedActionException- Throws:
java.security.PrivilegedActionException
-
doAsPrivileged
public static java.lang.Object doAsPrivileged(javax.security.auth.Subject subject, java.security.PrivilegedExceptionAction action, java.security.AccessControlContext acc, boolean setCaller) throws java.security.PrivilegedActionExceptiondoAsPrivilegedwraps the Subject.doAsPrivileged to provide the correct inter-EJB invocation behavior.Please note, if a
nullSubject is passed in or the Subject does not contains acom.ibm.websphere.security.cred.WSCredentialthen an Unauthenticated subject is set as the Invocation subject with the action. If setCaller argument is true, the "caller" subject is set with the given subject argument.- Returns:
- An
java.lang.Object. - Throws:
java.lang.SecurityException- Thrown if there is no doAs and other required permissions.java.security.PrivilegedActionException
-
getCallerSubject
public static javax.security.auth.Subject getCallerSubject() throws WSSecurityExceptionThis method returns a Subject contains the principal of the J2EE caller and the J2EE caller credential. If there is no caller credential, a
nullis returned.If there is a caller credential in the current thread, it creates a new Subject that contains a
com.ibm.websphere.security.auth.WSPrincipaland acom.ibm.websphere.security.cred.WSCredential.This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission
javax.security.auth.AuthPermission("wssecurity.getCallerSubject").This is a server side call, i.e., should only be used by application code running in an application server. If this method is called by the client (application client or thin client), it returns
null.- Returns:
- Subject contains the caller identity,
nullif there is no caller identity and if called by application client or thin client code. - Throws:
WSSecurityException- failed to get the caller identity- See Also:
com.ibm.websphere.security.auth.WSPrincipal,WSCredential
-
getRunAsSubject
public static javax.security.auth.Subject getRunAsSubject() throws WSSecurityExceptionThis method returns a Subject contains the principal of the J2EE run as identity and the J2EE run as credential. If there is no run as credential, a
nullis returned.If there is a run as credential in the current thread, it creates a new Subject that contains a
com.ibm.websphere.security.auth.WSPrincipaland acom.ibm.websphere.security.cred.WSCredential.This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission
javax.security.auth.AuthPermission("wssecurity.getRunAsSubject").- Returns:
- Subject contains the run as identity,
nullif there is no run as identity and if called by application client or thin client code. - Throws:
WSSecurityException- failed to get the run as identity- See Also:
com.ibm.websphere.security.auth.WSPrincipal,WSCredential
-
setRunAsSubject
public static void setRunAsSubject(javax.security.auth.Subject subject) throws WSSecurityExceptionThis method set the Subject as the J2EE run as identity on the current execution thread.
This method is protected by Java 2 Security. If Java 2 Security is enabled, then access will be denied if the application code is not granted the permission
javax.security.auth.AuthPermission("wssecurity.setRunAsSubject").- Throws:
WSSecurityException- failed to set the run as identity
-
getCallerPrincipal
public static java.lang.String getCallerPrincipal()
This convenient method returns the caller principal of the current executing thread.
It will extract the caller from the received credentials of the current thread. If the received credentials is null, then a value of null is returned. In the EJB and Web container, user should use the standard interface provided by the J2EE specification to get the caller principal or caller name. This method call provides a way for code executing outside the containers to get the caller principal. The principal name return is not qualified with the security realm name.
- Returns:
- The principal name (without the security realm). If the received credential is null, then the value of null will be returned as the caller principal.
-
getSAFUserFromSubject
public static java.lang.String getSAFUserFromSubject(javax.security.auth.Subject subject)
This convenient method returns the SAF user id that is in the passed-in Subject. The SAF user id is extracted from the PlatformCredential object, which is referenced by the WSCredential of the subject. If the WSCredential does not have any reference to a PlatformCredential in order to identify the SAF user id, then return
null.- Parameters:
subject- the Subject to extract the SAF user id from- Returns:
- the SAF user id
-
getRootLoginException
public static java.lang.Throwable getRootLoginException()
This convenient method returns the root login exception caught in the system login module, if one exists.
It will extract the exception from the current thread. You will get what the login module sees as the root exception. This could be a nested exception. You may need to extract exceptions from the exception returned until you get the real root exception.
- Returns:
- A Throwable containing the root login exception. If a login exception did not occur, null will be returned.
-
-