A standard
WorkContext that allows a
Work instance to propagate security related context information from an EIS
to an application server.
This allows an EIS/resource adapter to flow-in security context information
and execute a Work instance, and call methods on a MessageEndpoint interface,
to effect message inflow, within that Work instance, in the context of an
established identity.
A resource adapter indicates to the WorkManager, that a Work instance needs
to be run in a specified security execution context by submitting a Work
instance that implements WorkContextProvider interface and ensuring that
the List of WorkContexts for that Work instance contains an instance of its
subclass of SecurityContext.
It should be noted however that when a resource adapter flows-in an identity
to be used by the application server, the propagated identity may or may not
belong to the application server's security domain.
There are therefore, two scenarios while a resource adapter propagates a
security identity from an EIS to the application server:
- Case 1: Resource adapter flows-in an identity in the application server's
security domain: In this case, the application server could just set the
initiating principal, flown-in from the resource adapter, as the security
context the Work instance executes as.
- Case 2: Resource adapter flows-in an identity belonging to the EIS'
security domain: The resource adapter establishes a connection to the EIS and
needs to perform a Work in the context of an EIS identity. In this case, the
initiating or caller principal does not exist in the application server's
security domain and a translation from one domain to the other needs to be
performed.