(WID/WPS) Security QOS

The Security Identity qualifier specifies the identity under which an implementation runs at runtime. The qualifier names a role; the user mapped to that role at deployment time becomes the identity for any downstream invocations the component makes, so it is that user's role membership that decides whether those downstream calls are authorized. Security Identity is the equivalent of the RunAs role used for delegation in WebSphere Application Server.

One of the steps in deploying a secured application is to assign users and groups to the roles that were defined when the application was built. This is done in the deployment step "Map security roles to users or groups". You can add new users and groups or modify the existing mappings during this step.

A further step that has to be configured is "Map RunAs roles to users". Here you specify the user name and password of a user and assign that user to a RunAs role. The user whose credentials you enter must be a member of that role.

For example, if the RunAs role is mapped to the user "bob", and the client "alice" invokes a BPEL component that in turn invokes a method on another secured component, the downstream invocation happens under the identity of "bob". In that case "bob" must be authorized to call the invoked secured component; if the RunAs user is not authorized, a security permission exception is raised.

For more information, see:

http://publib.boulder.ibm.com/infocenter/dmndhelp/v7r0mx/index.jsp?topic=%2Fcom.ibm.websphere.wps.doc%2Fdoc%2Ftsec_deploying.html

Scenario 1 (Setting the Security Permission)

Case 1: the calling user (harish) is not assigned to any role.

Result:
[6/15/12 12:14:57:191 IST] 000002d0 ExceptionUtil E   CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "transactionRequiredActivitySessionNotSupported" on bean "BeanId(SecuritySampleApp#SecuritySampleEJB.jar#Module, null)". Exception data: com.ibm.websphere.sca.ServiceRuntimeException: Permission denied: harish is not in role Caller

Case 2: the user harish is assigned to the Caller role.

Assigning harish to the Caller role.

Result: worked correctly.

Scenario 2 (Setting the Security Identity)

Note: here the Security Identity qualifier (privilege) is set to the role ProIdentity.

Case 1: no RunAs mapping is set for the role.
Result:

[6/15/12 12:26:07:273 IST] 000002cd ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl initialize FFDC0009I: FFDC opened incident stream file C:\Program Files\IBM\WID62\pf\wps\logs\ffdc\server1_000002cd_12.06.15_12.26.07_0.txt
[6/15/12 12:26:07:273 IST] 000002cd ServiceLogger I com.ibm.ws.ffdc.IncidentStreamImpl resetIncidentStream FFDC0010I: FFDC closed incident stream file C:\Program Files\IBM\WID62\pf\wps\logs\ffdc\server1_000002cd_12.06.15_12.26.07_0.txt
[6/15/12 12:26:07:273 IST] 000002cd ExceptionUtil E   CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "transactionRequiredActivitySessionSupports" on bean "BeanId(SecuritySampleApp#SecuritySampleEJB.jar#Module, null)". Exception data: com.ibm.websphere.sca.ServiceRuntimeException: The run-as authentication data is not configured for role ProIdentity.....

Case 2: Caller role mapped to the managers group; RunAs user for ProIdentity is harish.

Result:
[6/15/12 12:37:41:887 IST] 000002cb ExceptionUtil E   CNTR0020E: EJB threw an unexpected (non-declared) exception during invocation of method "transactionRequiredActivitySessionNotSupported" on bean "BeanId(SecuritySampleApp#SecuritySampleEJB.jar#Module, null)". Exception data: com.ibm.websphere.sca.ServiceRuntimeException: Permission denied: harish is not in role Caller

Note: harish is not a member of the managers group (which is what is actually mapped to the Caller role), so the downstream call that runs under his identity is rejected.

Case 3: Caller role mapped to the managers group; RunAs user for ProIdentity is man; the ProIdentity role itself is assigned to the users man and harish.

Note: man is a member of the managers group.

Result: worked properly.
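The five cases above follow one rule set: a Security Permission qualifier is checked against the caller's direct or group-derived role membership, and a Security Identity qualifier swaps the caller for the RunAs user before any downstream call, so the downstream permission check is made against the RunAs user. The following model is an added example written for this post, not code from WID/WPS or from the sample application; the registry, group memberships, component names and the wording of the "RunAs user ... is not mapped to role" error are constructed for illustration, while the other two error strings mirror the messages in the logs above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class ServiceRuntimeException(Exception):
    """Stands in for com.ibm.websphere.sca.ServiceRuntimeException in this model."""


@dataclass
class UserRegistry:
    """Constructed stand-in for the user registry: group name -> member user names."""
    groups: Dict[str, Set[str]]

    def matches(self, user: str, principal: str) -> bool:
        # A role-mapping entry is either a user name or a group name.
        return user == principal or user in self.groups.get(principal, set())


@dataclass
class SecurityConfig:
    """What the two deployment steps produce."""
    # "Map security roles to users or groups": role -> user and group names
    role_mappings: Dict[str, Set[str]]
    # "Map RunAs roles to users": role -> user name (password left out of the model)
    runas_users: Dict[str, str]
    registry: UserRegistry

    def in_role(self, user: str, role: str) -> bool:
        return any(self.registry.matches(user, p)
                   for p in self.role_mappings.get(role, set()))


@dataclass
class Component:
    name: str
    security_permission: Optional[str] = None  # role a caller must hold
    security_identity: Optional[str] = None    # RunAs role for downstream calls
    downstream: List["Component"] = field(default_factory=list)


def invoke(cfg: SecurityConfig, component: Component, caller: str) -> List[Tuple[str, str]]:
    """Invoke `component` as `caller`; return (component, identity) pairs along the chain."""
    perm = component.security_permission
    if perm is not None and not cfg.in_role(caller, perm):
        raise ServiceRuntimeException(f"Permission denied: {caller} is not in role {perm}")

    identity = caller
    role = component.security_identity
    if role is not None:
        runas = cfg.runas_users.get(role)
        if runas is None:
            raise ServiceRuntimeException(
                f"The run-as authentication data is not configured for role {role}")
        if not cfg.in_role(runas, role):
            # Wording is this model's own, not a WebSphere message.
            raise ServiceRuntimeException(f"RunAs user {runas} is not mapped to role {role}")
        identity = runas  # delegation: downstream calls now run as the RunAs user

    chain = [(component.name, caller)]
    for child in component.downstream:
        chain.extend(invoke(cfg, child, identity))
    return chain


def outcome(cfg: SecurityConfig, component: Component, caller: str) -> str:
    try:
        chain = invoke(cfg, component, caller)
    except ServiceRuntimeException as exc:
        return str(exc)
    return "OK " + " -> ".join(f"{name} as {who}" for name, who in chain)


def run_scenarios() -> Dict[str, str]:
    """Replay the cases from the post with constructed users and groups."""
    registry = UserRegistry(groups={"managers": {"man"}})  # harish is not a manager
    secured = Component("SecuredComponent", security_permission="Caller")
    front = Component("BPELComponent", security_identity="ProIdentity", downstream=[secured])
    roles = {"Caller": {"managers"}, "ProIdentity": {"harish", "man"}}

    def cfg(role_mappings, runas):
        return SecurityConfig(role_mappings, runas, registry)

    return {
        "s1c1": outcome(cfg({}, {}), secured, "harish"),
        "s1c2": outcome(cfg({"Caller": {"harish"}}, {}), secured, "harish"),
        "s2c1": outcome(cfg(roles, {}), front, "harish"),
        "s2c2": outcome(cfg(roles, {"ProIdentity": "harish"}), front, "harish"),
        "s2c3": outcome(cfg(roles, {"ProIdentity": "man"}), front, "harish"),
    }


if __name__ == "__main__":
    for case, result in run_scenarios().items():
        print(case, result)
```

Scenario 2 case 2 is the instructive one: mapping harish to the ProIdentity role satisfies the RunAs step, but the downstream component still checks Caller, and harish reaches it only through his own group memberships, not through the client's. Case 3 succeeds because man is in managers, and the chain shows the identity switch from harish to man at the BPEL component.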

Attached: PI (project interchange) file of the sample application.
