
Liberty profile: Quick overview of security

This topic describes some common security terms, along with an example that helps you understand the basic workflow of security in the Liberty profile.

Security key terms

Authorization

Authorization determines whether to grant a user access to resources within the system. The Java™ EE model uses subjects, resources, and roles to determine what must and must not be allowed.

Authentication

Authentication confirms the identity of a user. The most common form of authentication is user name and password, such as through basic authentication or form login for web applications. When a user is authenticated, the source of a request is represented as a Subject object at run time.

Resource

Also known as objects, resources are the things within the system that subjects act on. A resource can be any non-active entity, such as a web application.

Role

A role is a logical collection of privileges that can be assigned to a user or group. Some roles, such as the Administrator role, are predefined by the system. Other roles are defined by the application developer. In Java EE, subjects are usually granted or denied access to resources based on the roles they do or do not possess.

Subject

A subject is both a general term and a Java object, javax.security.auth.Subject. Generally, the term subject means an active entity within the system, such as a user on the system, or even the system process itself.

Security workflow

The following example demonstrates how security is applied when a user requests access to a resource. In this example, a user named Bob wants to access a servlet named myWebApp. See the code samples in Get started with security in the Liberty profile.

To access the servlet myWebApp, the following conditions must be true:

  1. Bob must be able to log in to the system because the servlet is protected.
  2. Bob must be in the testing role because the servlet is restricted using an auth-constraint element in the deployment descriptor.

If Bob cannot log in to the system, or Bob is not in the testing role, then access to the servlet myWebApp is denied.

Another user, Alice, can log in to the system because Alice is a valid user, but Alice is not in the testing role. An HTTP 403 error (Access Denied/Forbidden) is displayed when Alice logs in and requests the servlet.
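The following configuration is an added example that is not part of this topic or of the Liberty samples; it shows the two pieces of configuration that produce the Bob and Alice outcomes described above. The deployment descriptor (web.xml) protects the servlet and restricts it to the testing role with an auth-constraint element; the server configuration (server.xml) defines the users that can log in and maps the testing role to Bob only. The realm name, URL pattern, WAR location, feature versions and passwords are assumed values chosen for the example.

```xml
<!-- web.xml (deployment descriptor of the myWebApp application, example only) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>myWebApp</servlet-name>
    <servlet-class>com.example.MyWebApp</servlet-class> <!-- assumed class name -->
  </servlet>
  <servlet-mapping>
    <servlet-name>myWebApp</servlet-name>
    <url-pattern>/myWebApp</url-pattern>
  </servlet-mapping>

  <!-- Condition 1: the servlet is protected, so a request must be authenticated.
       Condition 2: only subjects in the testing role are authorized. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myWebApp</web-resource-name>
      <url-pattern>/myWebApp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>testing</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Basic authentication: user name and password against the realm below. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebRealm</realm-name>
  </login-config>

  <security-role>
    <role-name>testing</role-name>
  </security-role>
</web-app>

<!-- server.xml (Liberty server configuration, example only) -->
<server description="security workflow example">
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- Both Bob and Alice are valid users and can log in (authentication).
       Passwords here are placeholders; in a real server.xml encode them with
       the securityUtility encode command rather than storing them in clear text. -->
  <basicRegistry id="basic" realm="WebRealm">
    <user name="Bob"   password="BOB_PASSWORD_PLACEHOLDER" />
    <user name="Alice" password="ALICE_PASSWORD_PLACEHOLDER" />
  </basicRegistry>

  <!-- Only Bob is mapped to the testing role (authorization).
       Alice authenticates successfully but receives HTTP 403 for /myWebApp. -->
  <application type="war" id="myWebApp" name="myWebApp" location="myWebApp.war">
    <application-bnd>
      <security-role name="testing">
        <user name="Bob" />
      </security-role>
    </application-bnd>
  </application>
</server>
```

Reading the two files together: the login-config and basicRegistry decide whether a request is authenticated at all (condition 1), and the auth-constraint together with the application-bnd role mapping decide whether the authenticated subject is authorized (condition 2). A user missing from basicRegistry cannot log in; a user present there but absent from the testing role mapping, such as Alice, logs in and is then denied with HTTP 403.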
