Developing a custom SAF EJB role mapper
WebSphere® Application Server for z/OS® allows an installation to map Java™ Platform, Enterprise Edition (Java EE) role names to SAF EJBRole profile names.
Before you begin
WebSphere Application Server for z/OS supports the use of a custom SAF EJB role mapper. The custom SAF EJB role mapper allows an installation to map J2EE role names to SAF EJBRole profile names. Without the SAF EJB role mapper, you must deploy an application by using a role in the deployment descriptor of a component that is identical to the name of an EJBROLE class profile. The security administrator defines EJBROLE profiles and permits SAF users or groups to these profiles.
Using SAF EJBROLE class profiles can conflict with the standard Java EE role naming conventions. Java EE role names are Unicode strings of any length. RACF® class profiles are restricted to 240 characters in length and cannot be defined if these profiles contain any blank spaces or extended code page characters.
If a Java EE role name for an installation conflicts with these RACF restrictions, an installation can use the SAF EJB role mapper exit to map the desired Java EE role name to an acceptable class profile name.
The custom SAF role mapper is a Java-based exit that replaces the EJBROLE class profile construction algorithm. The custom SAF role mapper is called to generate a profile for authorization and delegation requests. The role mapper is passed the name of the application and the name of the role, and passes back the appropriate class profile name. Information about the server name, cell name, and the SAF profile prefix (previously referred to as the z/OS security domain) is provided to the implementation during initialization.
To enable the role mapper, set the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control. You can set this property on the z/OS SAF authorization panel in the administrative console.
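The following added example (not IBM's sample mapper and not code from this page) sketches the mapping logic such an exit could use to satisfy the RACF restrictions described above: no blanks, no extended code page characters, at most 240 characters. The class name, the `safProfilePrefix` context key, the `prefix.app.role` naming scheme, and the allowed character set are assumptions; the class is stand-alone and does not implement the product's mapper interface, which this page does not show.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Added example, not IBM's sample mapper. Class name, context key and naming scheme are assumptions.
public class ExampleRoleProfileMapper {
    static final int MAX_PROFILE_LEN = 240; // RACF class profile length limit stated in the text
    private String prefix = "";

    // Hypothetical context key; the product's mapper interface defines the real ones.
    public void initialize(Map<String, String> context) {
        String p = context.get("safProfilePrefix");
        prefix = (p == null || p.isEmpty()) ? "" : p + ".";
    }

    // Returns prefix.app.role when both names are already acceptable; otherwise a sanitized
    // name plus a digest tag, so that distinct roles are not merged into one profile.
    public String getProfileFromRole(String app, String role) {
        String cleanApp = sanitize(app), cleanRole = sanitize(role);
        String profile = prefix + cleanApp + "." + cleanRole;
        boolean lossy = !cleanApp.equals(app) || !cleanRole.equals(role)
                || profile.length() > MAX_PROFILE_LEN;
        if (!lossy) return profile;
        String tag = "." + shortHash(app + "\0" + role); // digest of the original, unsanitized names
        int keep = Math.min(profile.length(), MAX_PROFILE_LEN - tag.length());
        return profile.substring(0, keep) + tag;
    }

    // Conservative choice for this example: ASCII letters, digits and '_' only, which
    // excludes blanks, extended code page characters and the '.' used as separator.
    static String sanitize(String s) {
        return s.replaceAll("[^A-Za-z0-9_]", "_");
    }
    static String shortHash(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return String.format("%016X", java.nio.ByteBuffer.wrap(d).getLong());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
    public static void main(String[] args) { // constructed sample names
        ExampleRoleProfileMapper m = new ExampleRoleProfileMapper();
        m.initialize(Map.of("safProfilePrefix", "TESTCELL"));
        System.out.println(m.getProfileFromRole("Payroll", "Payroll Admin")); // blank replaced, tag added
        System.out.println(m.getProfileFromRole("Payroll", "Payroll_Admin")); // unchanged, no tag
    }
}
```

The digest tag matters for authorization: without it, "Payroll Admin" and "Payroll_Admin" would resolve to the same EJBROLE profile, and a permit on one would silently grant the other.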