9.8 Advantages of security attribute propagation

The propagation of security attributes in WebSphere Application Server has significant benefits. It eliminates the need to perform a user registry lookup at each hop along an invocation path: the attributes are resolved once and then travel with the request.

In your environment, you might use a Web proxy server (for example, WebSEAL) to perform user authentication and gather group membership and other security attributes. In previous releases, WebSphere Application Server could use only the identity of the user and disregarded all other security attributes. In the current release, the information obtained from the Web proxy server can be used by WebSphere Application Server and propagated downstream to other server resources without additional calls to the user registry. Because downstream servers accept these attributes without re-checking them against the registry, the propagated attributes are only as trustworthy as the authentication between the proxy and the application server.

Another significant benefit of security attribute propagation is that the identity switches caused by J2EE Run-As configurations do not cause the application server to lose the original caller information. That information is stored in the propagation token, which is located on the running thread and survives each Run-As switch.

Security attribute propagation also enables third-party providers to plug in custom tokens, which are then propagated by custom login modules. The Token interface contains a getBytes() method that lets the token implementation define its own serialization, its own encryption, or both; the bytes it returns are exactly what is sent to the next hop.

Security attribute propagation provides a unique ID for each token type. This unique ID is used to build a Subject identifier that is more specific than the user name alone, for cases where dynamic attributes change the context of a user login. The Token interface has a getUniqueId() method that returns a unique string for caching purposes.

For example, you might need to propagate the time of day at which the user logged in. This value can be generated during login either by the Web proxy server or by a custom login module configured in the WEB_INBOUND login configuration, and it is added to the Subject before the Subject is serialized. Other attributes can be added to the Subject the same way, each with its own unique ID, and all of these unique IDs together determine the uniqueness of the entire Subject. WebSphere Application Server therefore lets you specify what makes the information in a Subject unique, which determines whether a cached Subject is reused when the same user accesses the server again.
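The following is an added example illustrating the custom token and login module described above; it is not code from the Redbook or from WebSphere Application Server. To keep it compilable on its own it declares a minimal PropagationToken interface as a stand-in for com.ibm.wsspi.security.token.Token, containing only the two methods this section names (the real interface declares more, and its exact method names should be checked against the WebSphere Javadoc). The LoginTimeToken, LoginTimeLoginModule, the custom wire format, and the assumption that the user name is available through a NameCallback and that a token placed in the Subject's private credentials is picked up for propagation are all assumptions made for the example.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Map;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Assumed stand-in for com.ibm.wsspi.security.token.Token with only the two
// methods discussed in this section. A real token implements the full interface.
interface PropagationToken extends Serializable {
    byte[] getBytes();     // custom serialization: exactly what crosses the wire
    String getUniqueId();  // contributes to the cache key of the whole Subject
}

// Carries the time of day at which the user logged in (the section's example).
final class LoginTimeToken implements PropagationToken {
    private static final long serialVersionUID = 1L;
    private static final String FORMAT_VERSION = "1";
    private final String principal;
    private final long loginEpochSeconds;

    LoginTimeToken(String principal, Instant loginTime) {
        if (principal == null || principal.indexOf('|') >= 0) {
            throw new IllegalArgumentException("principal must be non-null and must not contain '|'");
        }
        this.principal = principal;
        this.loginEpochSeconds = loginTime.getEpochSecond();
    }

    String getPrincipal() { return principal; }
    long getLoginEpochSeconds() { return loginEpochSeconds; }

    // Custom wire format "version|principal|epochSeconds" (assumed for the example).
    // A production token would encrypt or MAC these bytes here, in the same method.
    @Override public byte[] getBytes() {
        return (FORMAT_VERSION + "|" + principal + "|" + loginEpochSeconds)
                .getBytes(StandardCharsets.UTF_8);
    }

    // Inverse of getBytes() for the receiving hop: rejects anything but our own format.
    static LoginTimeToken fromBytes(byte[] raw) {
        String[] f = new String(raw, StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 3 || !FORMAT_VERSION.equals(f[0])) {
            throw new IllegalArgumentException("unsupported LoginTimeToken encoding");
        }
        return new LoginTimeToken(f[1], Instant.ofEpochSecond(Long.parseLong(f[2])));
    }

    // Same user, different login time => different ID, so an earlier cached
    // Subject for this user is not mistaken for the current login.
    @Override public String getUniqueId() {
        return "LoginTimeToken:" + principal + ":" + loginEpochSeconds;
    }
}

// Custom JAAS login module, intended for the WEB_INBOUND configuration, that
// stamps the login time into the Subject before the Subject is serialized.
public final class LoginTimeLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private LoginTimeToken token;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    @Override public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");  // assumed source of the user name
        try {
            handler.handle(new Callback[] { name });
        } catch (Exception e) {
            throw new LoginException("cannot obtain user name: " + e.getMessage());
        }
        if (name.getName() == null) throw new LoginException("no user name supplied");
        token = new LoginTimeToken(name.getName(), Instant.now());
        return true;
    }

    // Assumed: a token in the private credential set is propagated with the Subject.
    @Override public boolean commit() {
        if (token == null) return false;
        subject.getPrivateCredentials().add(token);
        return true;
    }

    @Override public boolean abort() { token = null; return true; }
    @Override public boolean logout() {
        if (token != null) subject.getPrivateCredentials().remove(token);
        token = null;
        return true;
    }

    // Subject-level cache key: every token's unique ID, sorted for a stable result.
    static String subjectCacheKey(Subject subject) {
        TreeSet<String> ids = new TreeSet<>();
        for (PropagationToken t : subject.getPrivateCredentials(PropagationToken.class)) {
            ids.add(t.getUniqueId());
        }
        return String.join(";", ids);
    }
}
```

The subjectCacheKey helper shows the point of the last paragraph: the key for the whole Subject is built from the unique IDs of every propagated token, so adding a second custom token with its own getUniqueId() automatically changes when a cached Subject may be reused. In a real WEB_INBOUND module the user name would normally be taken from the shared state populated by the earlier WebSphere login modules rather than from a NameCallback.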