Datasource: propagate userid to DB2 server

Issues and Questions related to running Apache Tomcat on z/OS
Josef
Posts: 2
Joined: Sat Nov 15, 2008 3:37 pm

Datasource: propagate userid to DB2 server

Post by Josef »

I activated HTTP Basic authentication in my J2EE application. During application start the SAF authentication works as expected. However, all work processed in DB2 uses the datasource user, which is different from the user used for HTTP Basic authentication. Is there any datasource option to get the ID of the authenticated user propagated to DB2 so that DB2 can use that ID for authorization checking?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

I am not aware of a mechanism, although this seems like a reasonable requirement, even though it is more typical to have the DB2 connection use the server's credentials. It might require a custom datasource, and potentially a change to our custom Tomcat SAF Realm (plugin). Contact us at info@dovetail.com if you would like to discuss a custom development effort.

You might try asking this question on the tomcat-users mailing list:

http://tomcat.apache.org/lists.html

Something like:

Is it possible to configure a DataSource so that it creates JDBC connections using the userid/password previously authenticated using HTTP basic authentication along with a custom Tomcat user database realm?
dovetail
Site Admin
Posts: 2022
Joined: Thu Jul 29, 2004 12:12 pm

Post by dovetail »

Another possibility might be to do something like this:

- All users are authenticated by SAF
- Each user java thread is switched by Tomcat to run with the authenticated user's identity. There's a Java API in IBM's security.jar that might work for this. If so, it might be pretty easy to write a simple Tomcat "Valve" wrapper for all requests.
- If you used type-2 JDBC connections, the identity of the thread would automatically be used when connecting to DB2.
- The Tomcat pooling datasource would need to pool connections by user. Maybe if you turned off Tomcat's pooling and used DB2's JDBC driver pooling then this might happen automatically.

But the idea of running threads in the user's identity (ACEE) is one that some applications need independent of DB2. It's a little tricky and can cause lots of problems, since ALL threads need to be able to access resources like jars to keep things running. WebSphere used to support this ("RUNAS"); maybe it still does, but I know that it can be very problematic.
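The simpler variant floated in this thread, opening the JDBC connection with the userid/password that HTTP Basic authentication already validated instead of switching the thread's SAF identity, looks like the following. This is an added example written for this page, not code from the thread, from Dovetail or from IBM. It assumes a JNDI datasource named "java:comp/env/jdbc/DB2" that is the DB2 driver's own DataSource rather than Tomcat's DBCP pool, because DBCP's BasicDataSource.getConnection(user, password) throws UnsupportedOperationException; that matches the suggestion above to turn off Tomcat's pooling and let the driver pool. The filter name, attribute name and JNDI name are all hypothetical.

```java
// Added example (not from the thread): a servlet Filter that reuses the
// userid/password Tomcat has already validated via HTTP Basic auth to open
// the JDBC connection as that user, so DB2 authorization runs against the
// end user rather than the datasource's service account.
// Assumptions (not in the original posts): JNDI name "java:comp/env/jdbc/DB2",
// and a driver-provided DataSource whose getConnection(user, password) is
// supported (Tomcat's DBCP BasicDataSource throws UnsupportedOperationException).
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Base64;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.sql.DataSource;

public class UserConnectionFilter implements Filter {
    // Request attribute under which the per-user Connection is published (hypothetical name).
    public static final String ATTR = "db2.userConnection";
    private DataSource ds;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/DB2"); // assumed JNDI name
        } catch (NamingException e) {
            throw new ServletException("DataSource lookup failed", e);
        }
    }

    // Decodes "Basic base64(user:password)"; returns {user, password} or null if malformed.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null;
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return null;
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Container authentication (the SAF realm) runs before the filter chain, so a
        // missing principal means the realm rejected or never saw the credentials.
        if (http.getUserPrincipal() == null) {
            chain.doFilter(req, res);
            return;
        }
        String[] creds = parseBasic(http.getHeader("Authorization"));
        // Only propagate credentials whose userid matches the realm-authenticated principal;
        // never hand DB2 a userid the realm did not vouch for.
        if (creds == null || !creds[0].equals(http.getUserPrincipal().getName())) {
            throw new ServletException("authenticated principal does not match Basic credentials");
        }
        // Connection is opened as the end user, scoped to this request, and always closed.
        try (Connection conn = ds.getConnection(creds[0], creds[1])) {
            req.setAttribute(ATTR, conn);
            chain.doFilter(req, res);
        } catch (SQLException e) {
            throw new ServletException("cannot connect to DB2 as " + creds[0], e);
        } finally {
            req.removeAttribute(ATTR);
        }
    }

    @Override
    public void destroy() { }
}
```

A servlet behind the filter picks the connection up with `(Connection) request.getAttribute(UserConnectionFilter.ATTR)`. Two caveats a practitioner should weigh: the application now handles the user's plaintext password for the life of the request, which the thread-identity (ACEE) approach above avoids, and without a pool that keys connections by user every request pays a full DB2 connect, so the driver-side pooling mentioned in the post matters for anything beyond low traffic.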