Authorizing access to resources
WebSphere Application Server provides many different methods for authorizing access to resources. For example, we can assign roles to users and groups and configure a built-in or external authorization provider.
We can create an application, an EJB module, or a web module and secure them using assembly tools.
To authorize user or group access to resources, read the following articles:
- Secure your application during assembly and deployment. For more information on how to create a secure application using an assembly tool, such as IBM Rational Application Developer, see the information about securing applications during assembly and deployment.
- Authorize access to Java EE resources. WebSphere Application Server supports authorization based on the Java Authorization Contract for Containers (JACC) specification in addition to the default authorization. When security is enabled in WebSphere Application Server, the default authorization is used unless a JACC provider is specified. For more information, see Authorization providers.
- Authorize access to administrative resources. We can assign users and groups to predefined administrative roles such as the monitor, configurator, operator, administrator, auditor, and iscadmins roles. These roles determine which administrative tasks a user can perform, whether from the administrative console or from wsadmin. Assign the least privileged role that covers the task; for example, a user who only needs to view configuration and runtime state needs the monitor role, not administrator. For more information, see Authorizing access to administrative roles.
What to do next
After authorizing access to resources, configure the Application Server for secure communication. For more information, see Secure communications.
Subtopics
- Authorization technology
Authorization information determines whether a user or group has the necessary privileges to access resources.
- Authorizing access to Java EE resources using Tivoli Access Manager
The Java Authorization Contract for Containers (JACC) defines a contract between Java EE containers and authorization providers. We can use the default authorization, an external JACC authorization provider, or, on z/OS, System Authorization Facility (SAF) authorization. When security is enabled in WebSphere Application Server, the default authorization is used unless a JACC provider is specified.
- Authorizing access to administrative roles
We can assign users and groups to administrative roles to identify users who can perform WebSphere Application Server administrative functions.
- (zos) Enable pluggable login modules to map Java EE identities to System Authorization Facility (SAF)
You need to perform several actions to enable any pluggable login modules to correctly map Java EE identities to SAF. These actions include configuring the active WebSphere Application Server user registry and configuring pluggable mapping modules.
- Fine-grained administrative security
In releases prior to WebSphere Application Server version 6.1, users granted administrative roles could administer all of the resources under the cell. Administrative security is now more fine-grained, meaning that a role can be granted to a user for a specific resource (such as a node, server, cluster, or application) rather than for the whole cell.
- (zos) System Authorization Facility for fine-grained administrative authorization
- Create a fine-grained administrative authorization group using the administrative console
We can create a fine-grained administrative authorization group by selecting administrative resources to be part of the authorization group. We can assign users or groups to this new administrative authorization group and also give them access to the administrative resources contained within.
- Edit a fine-grained administrative authorization group using the administrative console
We can add or remove administrative resources to an administrative authorization group or edit an existing one.
- Fine-grained administrative security in heterogeneous and single-server environments
We can use fine-grained administrative security in heterogeneous or single-server environments. This capability enables you to use fine-grained administrative security for nodes that were created on different versions of the product, and applications that are grouped and placed in different authorization groups.
- (dist)(zos) Use SCA authorization and security identity policies
Use two Service Component Architecture (SCA) declarative policies (authorization and security identity) to protect SCA components and operations and to declare the security identity under which the SCA components or operations are executed.
- (dist)(zos) Use the SCA RequestContext.getSecuritySubject() API
The Service Component Architecture (SCA) RequestContext.getSecuritySubject() API returns a Java Authentication and Authorization Service (JAAS) subject that represents the authenticated user who is accessing the protected SCA service.
- (WAS v8.5.0.1) OAuth
OAuth is an open standard for delegated authorization. The OAuth authorization framework allows a user to grant a third-party application limited access to their information stored with another HTTP service without sharing their credentials and without exposing the full extent of their data.
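The two procedures above, assigning cell-wide administrative roles and creating a fine-grained administrative authorization group, can also be scripted with wsadmin instead of the administrative console. The following Jython script is an added example, not code from the WebSphere documentation. It assumes that administrative security is enabled, that the user registry already contains the placeholder users auditor1, ops1 and appadmin1, and that an application named PayrollApp is installed; the AdminTask command names and the '[-name value]' parameter syntax are taken from the AuthorizationGroupCommands group as the author recalls them, so confirm them with AdminTask.help() in your own environment before relying on the exact form.

```jython
# Added example (not from the WebSphere documentation): wsadmin Jython script that
# applies least-privilege administrative authorization in two steps.
# Assumptions: users "auditor1", "ops1", "appadmin1" and the application "PayrollApp"
# are placeholders that must already exist; command syntax is assumed from the
# AdminTask AuthorizationGroupCommands group and should be checked with
# AdminTask.help('mapUsersToAdminRole') before use.

# 1. Cell-wide roles: give each user only the role the task needs.
#    monitor is read-only; operator can start and stop but cannot change configuration.
AdminTask.mapUsersToAdminRole('[-roleName monitor -userids auditor1]')
AdminTask.mapUsersToAdminRole('[-roleName operator -userids ops1]')

# 2. Fine-grained scope: an authorization group that contains only one application,
#    so appadmin1 is administrator for PayrollApp and for nothing else in the cell.
AdminTask.createAuthorizationGroup('[-authorizationGroupName PayrollAdmins]')
AdminTask.addResourceToAuthorizationGroup(
    '[-authorizationGroupName PayrollAdmins -resourceName Application=PayrollApp]')
AdminTask.mapUsersToAdminRole(
    '[-authorizationGroupName PayrollAdmins -roleName administrator -userids appadmin1]')

# 3. Review before saving: list the groups and the resources each one contains,
#    so an over-broad resource (for example a whole node) is caught here.
print AdminTask.listAuthorizationGroups()
print AdminTask.listResourcesInAuthorizationGroup('[-authorizationGroupName PayrollAdmins]')

# 4. Persist to the master configuration; nothing takes effect until the save.
AdminConfig.save()
```

Run it with `wsadmin -lang jython -f script.py` under an administrator identity. In a Network Deployment cell, synchronize the nodes after the save so that the new mappings reach every node agent, and have a user log in again to pick up changed roles, since role membership is evaluated at authentication time.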
Related concepts
- Role-based authorization
- Development and assembly tools
Related tasks
- Secure applications during assembly and deployment
- Secure communications
- Assembling applications