Preston,
Many people, even here within our corporation, don't realize the OS/390
mainframe operating system now contains what I consider to be a "unix kernel
on steroids" complete with a hierarchical file system. IBM implemented its
"unix threads" by extending the capabilities of the older MVS TCBs (Task
Control Blocks). OS/390 (the newest name for MVS) has the ability to assign
different security environments to different tasks running within the same
address space / process.

We actually have IBM's mainframe (Domino Go) web server installed in the
"Unix System Services" of one of our test mainframe LPARs. With its basic
authentication turned on, it really authenticates the userid and password
against our CA-ACF2 (mainframe) security database. This has a side effect of
really setting up a mainframe security environment in the web server for
that userid. For subsequent requests, the "unix" thread in the web server
really runs with the security environment of the end user. Since the JVM is
running "in process", the thread in the JVM continues to run with that
mainframe security environment. I tested this by creating a servlet that was
protected by the authentication and setting the unix file protection flags
so that only my userid had read access to the class file. I could invoke the
servlet myself but a co-worker could not. The logs showed an authorization
failure. I changed the protection flags on the class file to have read
access to the world, and then my co-worker could load and run the
servlet.

Yes, this is really relevant for JNI calls. The current native DB2 JDBC
driver for OS/390 is implemented roughly as an ODBC-JDBC bridge that won't
accept a userid/password on the connect. It uses the security environment
already set up for the running thread and won't allow any thread to use the
connection other than the one that initiated the connection. So much for
connection pooling! This may sound like a problem, but since you are running
in the same mainframe as the DB2 database that you are connecting to, the
connection time is not bad. I also have servlets connecting to MQ-Series
Queue Managers in that LPAR. The only network related "lag time" is for the
HTTP communication.



John Zerbe - Mellon Bank
IM&R - Middleware Team
Phone:  412-234-1048   E-Mail:[EMAIL PROTECTED]



> -----Original Message-----
> From: Preston L. Bannister [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, November 04, 1999 6:12 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Where can I download the Standard Extension API
>
> From: Zerbe John W
> > We are currently experimenting with Websphere 1.1 on OS/390 and will be
> > installing 1.2 soon.
> > 1.1 runs inside the webserver. This means that if you have the basic
> > authentication turned on in the web server,
> > the java servlet request threads run with the authorization associated with
> > the mainframe userid that you logged on to the web server with.
>
> John, I don't believe this is exactly true.
>
> If you protect a page and specify basic authentication, the remote user name
> used in authentication is accessible (via
> HttpServletRequest.getRemoteUser()) but this is not necessarily a mainframe
> userid.
>
> Also at the operating system level the effective userid for the thread is
> usually (barring odd configurations) the same as all the other threads in
> the web server, not the mainframe userid for the remote user.  This is very
> relevant if the thread in turn calls JNI, as the effective userid within the
> JNI call is also the common web server userid.
>
> All of which makes life just a bit more interesting... :).
>
> __________________________________________________________________________
> _
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the
> body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
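
A probe for the point the two messages disagree on, as an added example that is not code from either poster: the servlet reports the container-level user beside the result of an operating-system-level read made on the request thread. The class name, the `probeFile` init parameter and the probe file itself are assumptions; the file would be one whose permission bits allow read for a single userid, like the class file in the test described in the reply.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet: deploy behind basic authentication.
public class IdentityProbeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // "probeFile" is an assumed init parameter naming a file that only
        // one userid may read (owner-only read permission).
        String probePath = getInitParameter("probeFile");

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // What the servlet container believes about the caller.
        out.println("auth type   : " + req.getAuthType());
        out.println("remote user : " + req.getRemoteUser());

        if (probePath == null) {
            out.println("os read     : probeFile init parameter not set");
            return;
        }
        // What the operating system allows this request thread to do.
        // The path itself is not echoed back to the client.
        out.println("os read     : " + tryRead(new File(probePath)));
    }

    // Attempts a one-byte read and classifies the outcome.
    static String tryRead(File f) {
        if (!f.exists()) {
            return "missing or not visible to this thread";
        }
        try (FileInputStream in = new FileInputStream(f)) {
            in.read();
            return "allowed";
        } catch (IOException | SecurityException e) {
            // A permission failure surfaces as FileNotFoundException here.
            return "denied (" + e.getClass().getSimpleName() + ")";
        }
    }
}
```

If request threads carry the end user's security environment, the read result changes with who logs in; if every thread shares the web server's userid, the result is the same for all remote users.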
