Role-based security with embedded ISAM

The Java EE role-based authorization model uses the concepts of roles and resources. For example.

Roles	getBalance	deposit	closeAccount
Teller	granted	granted
Cashier	granted
Supervisor			granted

The term, principal, within WebSphere Application Server security refers to a person or a process that performs activities. Groups are logical collections of principals configured in WAS to promote the ease of applying security. Roles can be mapped to principals, groups, or both.

Principal/Group	Teller	Cashier	Supervisor
TellerGroup	Invoke
CashierGroup		Invoke
SupervisorGroup
Frank: A principal who is not a member of any of the previous groups		Invoke	Invoke

In the previous example, the principal Frank, can invoke the getBalance and the closeAccount methods, but cannot invoke the deposit method because this method is not granted either the Cashier or the Supervisor role.

At the time of application deployment, the Java Authorization Contract for Container (JACC) provider of ISAM populates the ISAM-protected object space with any security policy information contained in the application deployment descriptor and or annotations. This security information is used to determine access whenever the WAS resource is requested.

By default, the ISAM access check is performed using the role name, the cell name, the application name, and the module name.

ISAM access control lists (ACLs) determine which application roles are assigned to a principal. ACLs are attached to the applications in the ISAM-protected object space at the time of application deployment.

Principal-to-role mappings are managed from the WAS administrative console and are never modified using ISAM. Direct updates to ACLs are performed for administrative security users only.

The following sequence of events occur:

1. During application deployment, policy information is sent to the JACC provider of ISAM. This policy information contains permission-to-role mappings and role-to-principal and role-to-group mapping information.

2. The JACC provider of ISAM converts the information into the required format, and passes this information to the ISAM policy server.

3. The policy server adds entries to the ISAM-protected object space to represent the roles defined for the application and the permission-to-role mappings. A permission is represented as an ISAM-protected object and the role that is granted to this object is attached as an extended attribute.

Related:

Authorization providers

Administer security users and roles with ISAM

Configure ISAM groups