[z/OS]

Developing a custom SAF EJB role mapper

WebSphere® Application Server for z/OS® allows an installation to map Java™ Platform, Enterprise Edition (Java EE) role names to SAF EJBRole profile names.

Before you begin

WebSphere Application Server for z/OS supports the use of a custom SAF EJB role mapper. The custom SAF EJB role mapper allows an installation to map J2EE role names to SAF EJBRole profile names. Without the SAF EJB role mapper, you must deploy an application by using a role in the deployment descriptor of a component that is identical to the name of an EJBROLE class profile. The security administrator defines EJBROLE profiles and provides the permission to these profiles to SAF users or groups.

Using SAF EJBROLE class profiles can conflict with the standard Java EE role naming conventions. Java EE role names are Unicode strings of any length. RACF® class profiles are restricted to 240 characters in length and cannot be defined if these profiles contain any blank spaces or extended code page characters.

If a Java EE role name for an installation conflicts with these RACF restrictions, an installation can use the SAF EJB role mapper exit to map the wanted Java EE role name to an acceptable class profile name.

The custom SAF role mapper is a Java-based exit to replace the EJBROLE class profile construction algorithm. The custom SAF role mapper is called to generate a profile for authorization and delegation requests. The role mapper passes the name of the application and the name of the role then passes back the appropriate class profile name. Information about the server name, cell name, and the SAF profile prefix (previously referred to as the z/OS security domain) is provided to the implementation during initialization.

You can set the com.ibm.websphere.security.SAF.RoleMapper custom property on the z/OS SAF authorization panel in the administrative console. You also can enable the role mapper by setting the custom property com.ibm.websphere.security.SAF.RoleMapper to the name of the class that is to be given control.

Procedure

  1. Build your custom SAF role mapper. The following SAFRoleMapper example can be used as a reference. 
    public class SAFRoleMapperImpl1 {
	String domainPrefix = null;

	public void initialize(Properties context) {
		domainPrefix = context.get(SAFRoleMapper.DOMAIN_NAME);
	}

	public String getProfileNameFromRole(String app, String role) {
		String profile = app + “.” + role;
		if (domainPrefix != null) {
			profile = domainPrefix + “.” + profile;
		}
		profile = profile.replaceAll(“\\%”, “#”);
		profile = profile.replaceAll(“\\&”, “#”);
		profile = profile.replaceAll(“\\*”, “#”);
		profile = profile.replaceAll(“\\s”,“#”);

		return profile;
	}
}
  2. Click Security > Global security > z/OS SAF authorization and enable the role mapper by providing the name of the class that you want to give control in the SAF profile mapper field.
    You also can set this property as a custom property by entering com.ibm.websphere.security.SAF.RoleMapper as the name and providing the name of the class in the value field.
  3. Click Security > Global security > External authorization providers and select the System Authorization Facility (SAF) authorization option to enable SAF as the authorization provider.
    After you select this option, click z/OS SAF authorization under Related items to configure the SAF authorization options.

    You also can set this property as a custom property by entering com.ibm.websphere.security.SAF.authorization as the name and true as the value.