After looking at the doc for WebSphere OS/390 and the OS/390 HTTP server, it
doesn't look like it's going to be easy.  Using a certificate for authentication
to the web server does not necessarily mean that the user has been identified to
Top Secret.

Here is a possible solution, maybe not a desirable one:

Since WebSphere is using Java for OS/390 under UNIX services, it might be
possible to use their Java functions to authorize the access.  The problem is to
get the thread to use the security context of the end user.  I can see some
native code in your future.

Java for OS/390 provides some security services.  While it provides a function
to verify an MVS logon id and password, the verification does not set thread
level security.  Thread level security is required to perform authorization
using the Java-OS/390 security functions.

The user will need to provide a mainframe Logon Id and Password (I think this is
the undesirable part).  You will need to create a Thread for the user and save a
reference to it in their session (other ideas?).  In that thread, you will need
to have some Java code invoke some native code that invokes
pthread_security_np(...) with the user's Logon Id and Password, along with the
other required parameters.  This sets the user's context in the thread.

After that, you can use the Java OS/390 PlatformAccessControl checkPermission
method in the same Thread to perform authorization.

There may be some issues with this, as I haven't necessarily "tried this at
home" (I don't have access to this environment).  For example, there may be a
requirement about what library the code comes from that issues the
pthread_security_np().  There may also be an issue about the use of the Thread.

In addition, there may be alternatives, depending on whether Top Secret can
intercept the HTTP/WebSphere authentication and provide the proper thread
context when the servlet is invoked for the user.  I'm not sure that mainframe
security products have advanced enough to provide integration this far afield.

See http://32.97.205.4:80/bookmgr-cgi/bookmgr.cmd/BOOKS/EDCLB020/CCONTENTS for
the Unix Services native functions.  See
ftp://ftp.hursley.ibm.com/pub/java/os390/doc/11/118/security/packages.html for
the Java Security interface.

I hope this helps answer the question you were asking.  It was fun to research.

Mark

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Fratila, Johnny
> Sent: Tuesday, April 25, 2000 9:45 AM
> To: [EMAIL PROTECTED]
> Subject: Websphere and CA's 'Top Secret' ?
>
>
> Hi,
>
> This might be somewhat off-topic, but I tried everything I could think of.
>
> We're using WebSphere to provide an interface to business logic on a legacy
> system.  We already have all the user IDs, passwords, access rights set up
> under the Computer Associates 'Top Secret' product.  How can I access this
> information from my servlets?
>
> As far as I know, Top Secret supports LDAP.
>
> Any information would be greatly appreciated.
>
> _________________________
> Johnny Fratila
> Programmer Analyst, Information Systems
> Tel. (573) 634-5600      ext. 1523
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
> JSP-INTEREST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.html
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=JSP
 http://www.jguru.com/jguru/faq/faqpage.jsp?name=Servlets
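
The per-user thread approach described in the reply above, as an added example that is not code from the post or from IBM: a wrapper that pins one worker thread to one user and routes every authorization check through it. `UserSecurityThread`, `PlatformBridge` and its three methods are hypothetical names; the bridge stands in for the JNI call to pthread_security_np and for PlatformAccessControl's checkPermission, and a Java 8 or later runtime is assumed.

```java
import java.util.Arrays;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/** One dedicated thread per signed-on user; every check runs on that thread. */
public final class UserSecurityThread implements AutoCloseable {

    /** Hypothetical bridge (not an IBM API). A real implementation would use JNI
     *  to call pthread_security_np and would delegate checkPermission to
     *  PlatformAccessControl; both are assumptions taken from the post. */
    public interface PlatformBridge {
        boolean setThreadIdentity(String userId, char[] password);
        void clearThreadIdentity();
        boolean checkPermission(String resourceClass, String resource, int level);
    }

    private final ExecutorService worker = Executors.newSingleThreadExecutor();
    private final PlatformBridge bridge;

    public UserSecurityThread(PlatformBridge bridge, String userId, char[] password)
            throws Exception {
        this.bridge = bridge;
        Callable<Boolean> logon = () -> bridge.setThreadIdentity(userId, password);
        try {
            // Runs on the worker, so the identity is attached to that thread only.
            if (!worker.submit(logon).get()) {
                throw new SecurityException("logon rejected for " + userId);
            }
        } catch (Exception e) {
            worker.shutdownNow();           // fail closed: no thread without identity
            throw e;
        } finally {
            Arrays.fill(password, '\0');    // do not keep the password in the session
        }
    }

    /** Authorization must execute on the thread that carries the user's context. */
    public boolean isPermitted(String resourceClass, String resource, int level)
            throws Exception {
        Callable<Boolean> check = () -> bridge.checkPermission(resourceClass, resource, level);
        return worker.submit(check).get();
    }

    /** Call when the session ends so the identity does not outlive the user. */
    @Override
    public void close() throws Exception {
        Runnable clear = bridge::clearThreadIdentity;
        try { worker.submit(clear).get(); } finally { worker.shutdown(); }
    }
}
```

A servlet would keep one instance in the user's session and call `close()` when the session is invalidated or times out, so the worker thread and its identity are released together.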
