Run-as support

Normally, when a component calls another component, the invocation uses the client’s credentials. You can use identities to specify alternate credentials for intercomponent calls. Identities map logical identity names to a user name, password, and required SSL session characteristics. The identity names are used in the run-as mode settings for components and component methods.

Run-as support enables an EJB 2.0 component to perform method invocations on other components using a specified identity. This identity can be configured at deployment time. In the standard EJB 2.0 deployment descriptor, the run-as property is expressed in terms of a role. The role is a name of a security-role element defined in the same deployment descriptor. It is expected that at deployment time, or when configuring a new EJB, the role name should be defined. Further, the deployer selects a Jaguar identity that is expected to be present in this role. This Jaguar identity is used while invoking another EJB. The run-as feature can be enabled via EAServer Manager.

To enable use of the run-as identity for EJB component calls made in component code, you must specify corbaname URLs in the EJB Reference properties for the EJB component that issues the call. For information on interoperable naming URLs, see Chapter 9, “EAServer EJB Interoperability,” in the EAServer Programmer’s Guide.

Configuring an EJB 2.0 component to run as a different identity

If necessary, define the identity to be used as described in “Configuring identities”.
Highlight the EJB 2.0 component for which you are establishing a run-as identity.
Display the Run As Identity tab and configure the settings as follows:
- Run as – choose specified.
- Role – specify a role name. The identity specified in the Mapped to Jaguar identity field should be in this role. This name is used if the component is exported to an EJB-JAR file.
- Run as identity – specify a logical identity name.
- Mapped to Jaguar identity – choose an EAServer identity from the pull down menu. This is the identity with which the component executes.
- Description – enter an optional text comment. This field can be used to provide identity mapping instructions for the deployer when the component is deployed to another server.
The Existing Mappings on the Package table displays logical identity names that are mapped to EAServer identities by components in the same package.

You can configure a run-as identity application or server-wide. This provides a convenient way to globally set the run-as identity for all of the EJBs in an application or server.

Configuring EJB 2.0 components or servlets to run as a different identity at the application or server level

If necessary, define the identity to be used as described in “Configuring identities”.
Select the server or application for which you are configuring the run-as identity.
Select File | Server Properties or File | Application Properties.
Select the Security tab.
For a server, click the Set Trusted and Security Identities button. Select the run-as identity from the Run-as Identity drop-down list. To set the run-as identity application-wide, select the run-as identity from the Run-as Identity drop-down list.

You can check the setting of your run-as identity from the Advanced tab by viewing the com.sybase.jaguar.server.security.runasidentity property, and the com.sybase.jaguar.application.security.runasidentity property. Do not set the run-as identity in the Advanced tab since these values are overwritten by the values set in the Security tab.