Authorization technology
Authorization information determines whether a user or group has the necessary privileges to access resources.
WebSphere Application Server supports many authorization technologies including the following:
- Authorization involving the web container and Java EE technology
- Authorization involving an enterprise bean application and Java EE technology
- Authorization involving web services and Java EE technology
- Java Message Service (JMS)
- Java Authorization Contract for Containers (JACC)
WebSphere Application Server supports both a default authorization provider and an authorization provider based on the Java Authorization Contract for Containers (JACC) specification. The JACC-based authorization provider enables third-party security providers to handle the Java EE authorization. For more information, see JACC support in WebSphere Application Server.
- Java Authentication and Authorization Service (JAAS)
For more information, see Java Authentication and Authorization Service.
- Java 2 security
For more information, see Java 2 security.
- Naming and administrative authorization
- Pluggable authorization
WebSphere Application Server supports an authorization infrastructure that enables us to plug in an external authorization provider. For more information, see Enable an external JACC provider.
- (zos) System Authorization Facility (SAF)
As an alternative to WebSphere Application Server authorization, we can use SAF-based authorization, such as the RACF EJBROLE profile, to control client access to Java EE roles in EJB and web applications. For more information, see System Authorization Facility for role-based authorization.
In this release of WAS, we can use SAF security to associate a SAF user ID with a distributed identity. See Using distributed identity mapping for SAF for more information.
Subtopics
- Administrative roles and naming service authorization
WebSphere Application Server extends the Java EE security role-based access control to protect the product administrative and naming subsystems.
- Role-based authorization
Use authorization information to determine whether a caller has the necessary privileges to request a service.
- Administrative roles
The Java EE role-based authorization concept is extended to protect the WAS administrative subsystem.
- Authorization providers
WebSphere Application Server supports authorization based on the Java Authorization Contract for Containers (JACC) specification in addition to the default authorization.
- (zos) System Authorization Facility for role-based authorization
We have three choices when assigning roles: (1) WebSphere Application Server authorization, in which authorization management is performed within WebSphere administration using the Security role to user/group mapping panel of the console; (2) System Authorization Facility (SAF) for role-based authorization (a z/OS-only option), which uses SAF authorization for Java 2 Platform, Enterprise Edition (J2EE) roles; and (3) an external authorization provider that uses the pluggable JACC interfaces. When WebSphere Application Server is configured to use SAF authorization, authorization management is performed using SAF management facilities, and the user or group to J2EE role mapping within WebSphere administration is ignored. The SAF class EJBROLE is used (for example, through the RACF EJBROLE profile) to control access by a client to J2EE roles in EJB and web applications, including the WAS console application.
- (zos) Use distributed identity mapping for SAF
In this release of WAS, we can use z/OS System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity.
- Delegations
Delegation is the process of propagating a security identity from a caller to a called object. As specified by Java EE, servlets and enterprise beans can propagate either the client or remote user identity when invoking enterprise beans, or they can use another specified identity as indicated in the corresponding deployment descriptor.
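The following is an added illustration of the role-based authorization and delegation described above; it is example code written for this page, not code from the WebSphere documentation or the product. It shows a servlet that the container restricts to the manager role and that, when it calls an enterprise bean, runs as the auditor role, so the bean sees the delegated identity rather than the web caller. The package, class names and role names are hypothetical, and the example assumes that, at deployment, the roles and the run-as role are mapped to real users or groups in the application bindings.

```java
// Added example, not from the WebSphere documentation page. Two classes are
// shown in one listing for readability; deploy them as two source files.
// Package, class names and role names ("manager", "auditor") are hypothetical.
package com.example.authz;

import java.io.IOException;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- file AuditLogBean.java -------------------------------------------------
// The EJB container checks @RolesAllowed against the caller's identity before
// the method body runs. When the caller is a component annotated with
// @RunAs, the identity checked here is the run-as identity, not the
// original web user.
@Stateless
@DeclareRoles({"manager", "auditor"})
public class AuditLogBean {

    @Resource
    private SessionContext ctx;

    // Only the "auditor" role may write audit entries.
    @RolesAllowed("auditor")
    public String recordAccess(String resource) {
        // With delegation in effect, this is the run-as principal.
        String caller = ctx.getCallerPrincipal().getName();
        return caller + " recorded access to " + resource;
    }

    // Programmatic check: lets any caller ask which role the container sees.
    @PermitAll
    public boolean callerIsAuditor() {
        return ctx.isCallerInRole("auditor");
    }
}

// --- file ReportServlet.java ------------------------------------------------
// Declarative web authorization: the web container rejects any request whose
// authenticated user is not in the "manager" role before doGet is entered.
// @RunAs("auditor") is the delegation step: calls this servlet makes to
// enterprise beans carry the identity bound to the "auditor" role.
@WebServlet("/reports")
@ServletSecurity(@HttpConstraint(rolesAllowed = "manager"))
@RunAs("auditor")
public class ReportServlet extends HttpServlet {

    @EJB
    private AuditLogBean auditLog;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Programmatic role check for a finer-grained decision than the
        // constraint above: managers who are also auditors get full detail.
        boolean fullDetail = req.isUserInRole("auditor");
        String webUser = req.getUserPrincipal().getName();

        try {
            // This call is authorized against the run-as identity ("auditor"),
            // so it succeeds even though the web user holds only "manager".
            String entry = auditLog.recordAccess("/reports for " + webUser);
            resp.setContentType("text/plain");
            resp.getWriter().println(entry);
            resp.getWriter().println(fullDetail ? "detail=full" : "detail=summary");
        } catch (EJBAccessException denied) {
            // Reached only if the run-as role is not mapped at deployment, or if
            // the bean's role requirements change; report it rather than leak it.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

Two points worth noting when reading this against the text above: the declarative constraints (`@HttpConstraint`, `@RolesAllowed`) are enforced by the containers before any method body runs, so the programmatic `isUserInRole` and `isCallerInRole` calls are for decisions the declarative model cannot express, not a replacement for it; and when a JACC provider is configured, both the declarative decisions and these programmatic checks are answered by that provider instead of the default authorization engine, while the run-as delegation still determines which identity the provider is asked about.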
Related concepts
- Web component security
- Java 2 security
- Multiple security domains
Related tasks
- Secure enterprise bean applications
- Naming roles