WAS v8.5: Authorizing access to resources
WebSphere Application Server (WAS) provides several methods for authorizing access to resources. For example, we can map users and groups to security roles and configure either the built-in authorization provider or an external one.
We can create an application, an EJB module, or a web module and secure them using assembly tools.
To authorize user or group access to resources, read the following articles:
- Secure your application during assembly and deployment. For more information on how to create a secure application using an assembly tool, such as IBM Rational Application Developer, see the information about securing applications during assembly and deployment.
- Authorize access to Java EE resources. WAS supports authorization based on the Java Authorization Contract for Containers (JACC) specification in addition to the default authorization. When security is enabled in WAS, the default authorization is used unless a JACC provider is specified. For more information, see Authorization providers.
- Authorize access to administrative resources. We can assign users and groups to predefined administrative roles such as the monitor, configurator, operator, administrator, auditor and iscadmins roles. These roles determine which tasks a user can perform in the administrative console. For more information, see Authorizing access to administrative roles.
After authorizing access to resources, configure the Application Server for secure communication. For more information, see Secure communications.
Subtopics
- Authorization technology
  Authorization information determines whether a user or group has the necessary privileges to access resources.
- Authorizing access to Java EE resources using Tivoli Access Manager
  The Java Authorization Contract for Containers (JACC) defines a contract between Java EE containers and authorization providers. We can use the default authorization or an external JACC authorization provider. When security is enabled in WAS, the default authorization is used unless a JACC provider is specified.
- Authorizing access to administrative roles
  We can assign users and groups to administrative roles to identify users who can perform WAS administrative functions.
- Fine-grained administrative security
  In releases prior to WAS version 6.1, users granted administrative roles could administer all of the resources under the cell. WAS is now more fine-grained, meaning that access can be granted to each user per resource.
- Create a fine-grained administrative authorization group
  We can create a fine-grained administrative authorization group by selecting administrative resources to be part of the authorization group. We can assign users or groups to this new administrative authorization group and also give them access to the administrative resources contained within.
- Edit a fine-grained administrative authorization group
  We can add administrative resources to an administrative authorization group, remove them from it, or edit an existing group.
- Fine-grained administrative security in heterogeneous and single-server environments
  We can use fine-grained administrative security in heterogeneous or single-server environments. This capability enables you to use fine-grained administrative security for nodes that were created on different versions of the product, and for applications that are grouped and placed in different authorization groups.
- Use SCA authorization and security identity policies
  Use two SCA declarative policies (authorization and security identity) to protect SCA components and operations and to declare the security identity under which the SCA components or operations are executed.
- Use the SCA RequestContext.getSecuritySubject() API
  The SCA RequestContext.getSecuritySubject() application programming interface returns a Java Authentication and Authorization Service (JAAS) subject that represents the authenticated user who accesses the protected SCA service.
- OAuth
  OAuth is an open standard for delegated authorization. The OAuth authorization framework allows a user to grant a third-party application access to their information stored with another HTTP service without sharing their credentials or granting access to the full extent of their data.
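The administrative-roles article above and the fine-grained administrative authorization group subtopics describe how administrative access can be narrowed from the whole cell to a chosen set of resources. The following wsadmin Jython script is an added example and is not code from the IBM documentation. It assumes a deployment manager with administrative security enabled; the authorization group name AppTeamAuthz, the application PayrollApp, the user pdeploy and the user-registry group payroll-deployers are hypothetical names chosen for the illustration.

```jython
# Added example (not from the IBM documentation): a wsadmin Jython script that
# creates a fine-grained administrative authorization group so that one deployment
# team can administer only its own application rather than the whole cell.
# Hypothetical names: group AppTeamAuthz, application PayrollApp, user pdeploy,
# registry group payroll-deployers.
# Run against the deployment manager:
#   wsadmin.sh -lang jython -f fgac_authz_group.py

GROUP = 'AppTeamAuthz'
# Resource identifiers accepted by the authorization group commands, for example
# Application=app1, Node=node1, ServerCluster=cluster1, Node=node1:Server=server1.
RESOURCES = ['Application=PayrollApp']
# Roles that can be scoped to an authorization group include administrator,
# configurator, operator, deployer and monitor. Least privilege for a deployment
# team is deployer on its application, not administrator on the cell.
ROLE = 'deployer'

def existingGroups():
    # listAuthorizationGroups returns the group names as text, one per line;
    # this split assumes group names contain no whitespace.
    return str(AdminTask.listAuthorizationGroups()).split()

# 1. Create the authorization group (skipped if it already exists, so the
#    script can be re-run safely).
if GROUP not in existingGroups():
    AdminTask.createAuthorizationGroup('[-authorizationGroupName %s]' % GROUP)

# 2. Place only the chosen resources in the group. Everything not assigned to a
#    group remains governed solely by the cell-level role mappings.
for res in RESOURCES:
    AdminTask.addResourceToAuthorizationGroup(
        '[-authorizationGroupName %s -resourceName %s]' % (GROUP, res))

# 3. Map a user and a registry group to the role, scoped to this group only.
AdminTask.mapUsersToAdminRole(
    '[-authorizationGroupName %s -roleName %s -userids pdeploy]' % (GROUP, ROLE))
AdminTask.mapGroupsToAdminRole(
    '[-authorizationGroupName %s -roleName %s -groupids payroll-deployers]' % (GROUP, ROLE))

# 4. Persist the change to the cell configuration.
AdminConfig.save()

# 5. Verify the scope that was actually granted.
print 'Resources in', GROUP, ':', AdminTask.listResourcesOfAuthorizationGroup(
    '[-authorizationGroupName %s]' % GROUP)
print 'Authorization groups for pdeploy:', AdminTask.listAuthorizationGroupsForUserID(
    '[-userid pdeploy]')
print 'Resources pdeploy can administer:', AdminTask.listResourcesForUserID(
    '[-userid pdeploy]')
```

The final listing should show only Application=PayrollApp for pdeploy. If the cell or a node also appears, the user still holds a cell-level role mapping (Users and groups > Administrative user roles in the administrative console), and a cell-level role applies to every resource regardless of any authorization group, so the group does not narrow it; remove the cell-level mapping to enforce the intended scope.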
Related concepts:
Role-based authorization
Development and assembly tools
Related:
Secure applications during assembly and deployment
Secure communications
Assemble applications