Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WAS
Now that you have configured authentication for clients, you can further configure authorization to give different users varying permissions. For example, an "operator" user might only be able to view data, while a "manager" user can perform all operations.
After authenticating a client, as in the previous module in this tutorial, you can give security privileges through eXtreme Scale authorization mechanisms. The previous module of this tutorial demonstrated how to enable authentication for a data grid using integration with WAS. As a result, no unauthenticated client can connect to the eXtreme Scale servers or submit requests to the system. However, every authenticated client has the same privileges on the server, such as reading, writing, or deleting data that is stored in the ObjectGrid maps. Clients can also issue any type of query.
This part of the tutorial demonstrates how to use eXtreme Scale authorization to give authenticated users varying privileges. WebSphere eXtreme Scale uses a permission-based authorization mechanism. You can assign different permission categories that are represented by different permission classes. This module features the MapPermission class. For a list of all possible permissions, see Client authorization programming.
In WebSphere eXtreme Scale, the com.ibm.websphere.objectgrid.security.MapPermission class represents permissions to the eXtreme Scale resources, specifically the methods of the ObjectMap or JavaMap interfaces. WebSphere eXtreme Scale defines the following permission strings to access the methods of ObjectMap and JavaMap:
- read: Grants permission to read the data from the map.
- write: Grants permission to update the data in the map.
- insert: Grants permission to insert the data into the map.
- remove: Grants permission to remove the data from the map.
- invalidate: Grants permission to invalidate the data from the map.
- all: Grants all permissions to read, write, insert, remove, and invalidate.
The authorization occurs when an eXtreme Scale client uses a data access API, such as the ObjectMap, JavaMap, or EntityManager APIs. The eXtreme Scale runtime checks the corresponding map permissions when the method is called. If the required permissions are not granted to the client, an AccessControlException exception results. This tutorial demonstrates how to use Java™ Authentication and Authorization Service (JAAS) authorization to grant map access to different users.
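As an added illustration (not part of the original tutorial), a JAAS authorization policy file could express the operator and manager split described at the start of this module with MapPermission grants like the following. The grid and map name `ExampleGrid.ExampleMap`, the realm `exampleRealm`, the `realm/user` principal name format, and the WAS principal class are assumptions; the codebase URL is the one eXtreme Scale's documentation uses for JAAS grants and is assumed to apply to your version.

```java
// JAAS authorization policy file (Java policy syntax, not Java source).
// Added example. Assumed placeholders: ExampleGrid, ExampleMap, exampleRealm.
// Assumed principal class for users authenticated through WAS:
//   com.ibm.ws.security.common.auth.WSPrincipalImpl

// operator: may only read entries from the map.
// Calls that need write, insert, remove, or invalidate are not granted,
// so the runtime rejects them with an AccessControlException.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.ws.security.common.auth.WSPrincipalImpl "exampleRealm/operator" {
    permission com.ibm.websphere.objectgrid.security.MapPermission
        "ExampleGrid.ExampleMap", "read";
};

// manager: "all" covers read, write, insert, remove, and invalidate.
grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
    principal com.ibm.ws.security.common.auth.WSPrincipalImpl "exampleRealm/manager" {
    permission com.ibm.websphere.objectgrid.security.MapPermission
        "ExampleGrid.ExampleMap", "all";
};

// No grant exists for any other principal, so an authenticated user who is
// neither operator nor manager has no map permissions once authorization
// is enabled on the ObjectGrid.
```

Granting each user only the permission strings it needs keeps the policy deny-by-default: anything not listed in a grant block is refused.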
Learning objectives
After completing the lessons in this module, you know how to:
- Enable authorization for WebSphere eXtreme Scale.
- Enable user-based authorization.
Time required
This module takes approximately 60 minutes.
Lessons in this module
- Lesson 4.1: Enable WebSphere eXtreme Scale authorization
To enable authorization in WebSphere eXtreme Scale, enable security on a specific ObjectGrid.
- Lesson 4.2: Enable user-based authorization
In the authentication module of this tutorial, you created two users: operator and manager. You can assign varying permissions to these users with Java Authentication and Authorization Service (JAAS) authorization.