1. Field of the Invention
The present invention relates in general to the field of computers and similar technologies, and in particular to software utilized in this field. Still more particularly, it relates to managing identity authorizations to access information processing system resources.
2. Description of the Related Art
The use of application servers has become popular in recent years to perform a variety of tasks across multiple applications. In general, a client submits a request to an application server, which acts as an intermediary between the client and the other resources that make up a distributed computer environment. As such, the application server may perform tasks such as verifying the client's security credentials, establishing a client identity that identifies the authenticated client, and determining which information processing resources within the distributed computer environment the client is authorized to access in order to execute the client's request. The application server then forwards the request to the appropriate resource on behalf of the client and, after the request has executed on that resource, returns the response to the client.
Such application servers are typically designed to use a corresponding server identity, which identifies the application server itself when an application thread attempts to access resources during its execution. Some application servers, however, offer the option to switch the identity on an application thread from the server identity to the corresponding authenticated client identity. In such cases, the application server presents the authenticated client identity, instead of its own server identity, when attempting to access a requested resource. Yet some resources do not allow access by an authenticated client identity at all; access to them is restricted to the server identity.
However, knowing which resource requires which identity for authorized access can be challenging: some resources accept one identity or the other, while others accept both. For example, a business application running under a given application thread might need to read data from a file using the authenticated client identity established for that request. Later in the same execution flow, the application may need to write log data using the server identity. In this example, in order to protect the integrity of the application log data, the application log allows only the server identity to write, while all other identities can read. In view of the foregoing, there is a need for ensuring that either, or both, the authenticated client identity and the server identity can be used as appropriate to authorize access to target resources as they are needed.
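The file-then-log scenario above can be modelled with a per-thread identity context that an application thread switches into and out of, plus resources that enforce their own identity-based access lists. The following is an added illustration written for this page; it is not code from the patent or from any particular application server product. The identity names, resource names and access lists are constructed for the example, and the thread-local "run as" mechanism stands in for whatever identity-switching facility a given application server provides.

```python
import threading
from contextlib import contextmanager
from dataclasses import dataclass, field

# Hypothetical name for the application server's own identity (assumption, not from the page).
SERVER_IDENTITY = "appserver"

# Per-thread identity context: each application thread carries its own current identity.
_ctx = threading.local()


def current_identity() -> str:
    """Identity the calling thread presents to resources (defaults to the server identity)."""
    return getattr(_ctx, "identity", SERVER_IDENTITY)


@contextmanager
def run_as(identity: str):
    """Switch the calling thread to `identity` for the duration of the block.

    The previous identity is restored on exit, including when the block raises,
    so a failed client-scoped access never leaks the client identity into later
    server-identity work on the same thread.
    """
    previous = current_identity()
    _ctx.identity = identity
    try:
        yield
    finally:
        _ctx.identity = previous


class AccessDenied(PermissionError):
    pass


@dataclass
class Resource:
    """A resource with an identity-based access list; "*" in a set means any identity."""
    name: str
    readers: set
    writers: set
    data: list = field(default_factory=list)

    def _authorize(self, op: str, allowed: set) -> str:
        ident = current_identity()
        if "*" not in allowed and ident not in allowed:
            raise AccessDenied(f"{ident!r} may not {op} {self.name}")
        return ident

    def read(self) -> list:
        self._authorize("read", self.readers)
        return list(self.data)

    def write(self, record: str) -> None:
        ident = self._authorize("write", self.writers)
        self.data.append((ident, record))


# Constructed sample resources (hypothetical names and access lists).
CUSTOMER_FILE = Resource("customer_file", readers={"alice"}, writers={"alice"},
                         data=["acct=42 balance=100"])
# Log integrity: only the server identity may write; any identity may read.
APP_LOG = Resource("app_log", readers={"*"}, writers={SERVER_IDENTITY})


def handle_request(client_identity: str) -> list:
    """Read the customer file as the authenticated client, then log as the server."""
    try:
        with run_as(client_identity):
            rows = CUSTOMER_FILE.read()
    except AccessDenied as exc:
        # run_as has already restored the server identity, so this log write is authorized.
        APP_LOG.write(f"denied: {exc}")
        raise
    APP_LOG.write(f"{client_identity} read {len(rows)} record(s) from {CUSTOMER_FILE.name}")
    return rows


def client_can_write_log(client_identity: str) -> bool:
    """Probe whether a client identity could forge a log entry (it should not be able to)."""
    try:
        with run_as(client_identity):
            APP_LOG.write("forged entry")
    except AccessDenied:
        return False
    return True


if __name__ == "__main__":
    print(handle_request("alice"))
    print("client can forge log entry:", client_can_write_log("alice"))
    print(APP_LOG.read())
```

Two details carry the security point. The identity switch is scoped, and the `finally` clause restores the server identity even when the client-scoped read is denied, which is what lets the handler log the denial under the server identity afterwards; a switch that is not restored on the error path would leave the thread writing the log, or anything else, as the client. The resource, not the application, decides which identity it accepts, so the application log can reject a write attempted under a client identity while still serving reads to everyone.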