On an explicit trusted connection, you can switch the user
ID of the connection to a different user ID. Certain rules apply.
- If the switch request is not made from an explicit trusted connection,
and the switch request is sent to the server for processing, the
connection is shut down and an error message is returned (SQLSTATE
08001, SQLCODE -30082 with reason code 41).
- If the switch request is not made on a transaction boundary, the
transaction is rolled back, and the switch request is sent to the
server for processing, the connection is put into an unconnected state
and an error message is returned (SQLSTATE 58009, SQLCODE -30020).
- If the switch request is made from within a stored procedure,
an error message is returned (SQLCODE -30090, reason code 29), indicating
this is an illegal operation in this environment. The connection state
is maintained and the connection is not placed into an unconnected
state. Subsequent requests may be processed.
- If the switch request is delivered to the server on an instance
attach (rather than a database connection), the attachment is shut
down and an error message is returned (SQLCODE -30005).
- If the switch request is made with an authorization ID that is
not allowed on the trusted connection, error (SQLSTATE 42517, SQLCODE
-20361) is returned, and the connection is put in an unconnected state.
- If the switch request is made with an authorization ID that is
allowed on the trusted connection WITH AUTHENTICATION, but the appropriate
authentication token is not provided, error (SQLSTATE 42517, SQLCODE
-20361) is returned, and the connection is put in an unconnected state.
- If the trusted context object associated with the trusted connection
is disabled, and a switch request for that trusted connection is made,
error (SQLSTATE 42517, SQLCODE -20361) is returned, and the connection
is put in an unconnected state.
In this case, the only switch user
request that is accepted is one that specifies the user ID that established
the trusted connection or the NULL user ID. If a switch to the user
ID that established the trusted connection is made, this user ID does
not inherit any trusted context role (neither the trusted context
default role nor the trusted context user-specific role).
- If the system authorization ID attribute of the trusted context
object associated with the trusted connection is changed, and a switch
request for that trusted connection is made, error (SQLSTATE 42517,
SQLCODE -20361) is returned, and the connection is put in an unconnected
state.
In this case, the only switch user request that is accepted
is one that specifies the user ID that established the trusted connection
or the NULL user ID. If a switch to the user ID that established the
trusted connection is made, this user ID does not inherit any trusted
context role (neither the trusted context default role nor the trusted
context user-specific role).
- If the trusted context object associated with the trusted connection
is dropped, and a switch request for that trusted connection is made,
error (SQLSTATE 42517, SQLCODE -20361) is returned, and the connection
is put in an unconnected state.
In this case, the only switch user
request that is accepted is one that specifies the user ID that established
the trusted connection or the NULL user ID. If a switch to the user
ID that established the trusted connection is made, this user ID does
not inherit any trusted context role (neither the trusted context
default role nor the trusted context user-specific role).
- If the switch request is made with a user ID allowed on the trusted
connection, but that user ID does not hold CONNECT privilege on the
database, the connection is put in an unconnected state and an error
message is returned (SQLSTATE 08004, SQLCODE -1060).
- If the trusted context system authorization ID appears in the
WITH USE FOR clause, the DB2® database
system honors the authentication setting for the system authorization
ID on switch user request to switch back to the system authorization
ID. If the trusted context system authorization ID does not appear
in the WITH USE FOR clause, then a switch user request to switch back
to the system authorization ID is always allowed even without authentication.
Note: When the connection is put in the unconnected state, the only
requests that are accepted and do not result in returning the error
"The application state is in error. A database connection does not
exist." (SQLCODE -900) are:
- A switch user request
- A COMMIT or ROLLBACK statement
- A DISCONNECT, CONNECT RESET or CONNECT request
Note: When the user ID on the trusted connection is switched to a
new user ID, all traces of the connection environment under the old
user are gone. In other words, the switching of user IDs results in
an environment that is identical to a new connection environment.
For example, if the old user ID on the connection had any temporary
tables or WITH HOLD cursors open, these objects are completely lost
when the user ID on that connection is switched to a new user ID.
Note: Java trusted connections do not have an unconnected state.
If the switch user operation fails, Java will throw an exception and
the connection will be disconnected.