Security terminology
Authentication: Confirms the identity of a user. Includes basic authentication or form login for web applications. Authenticated users are represented as a Subject object at run time.
Authorization: Access rights to a given role within the system. Includes subjects, roles, and role mappings.
Role: Defined in the Java EE application. Some roles, including Administrator, are predefined by the system; other roles are defined by the application developer.
Subject: Active entities within the system, such as users on the system, and even the system process itself. Based on the Java object javax.security.auth.Subject.
Security workflow example
The following example demonstrates how security is applied when a user requests access to a resource. For example, a user Bob wants to access a servlet myWebApp. See the code samples in Get started with security.
To access the servlet myWebApp, the following conditions must be true:
- Bob must be able to log in to the system because the servlet is protected.
- Bob must be in the testing role because the servlet is restricted using an auth-constraint element in the deployment descriptor.
If Bob cannot log in to the system, or Bob is not in the testing role, then the access to the servlet myWebApp is denied.
Another user Alice can log in to the system because Alice is a valid user, but Alice is not in the testing role. When Alice logs in and requests the servlet, an HTTP 403 error (Access Denied/Forbidden) is displayed.
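The deployment descriptor that produces the behavior above, as an added example rather than the code from the Get started with security samples. It assumes the servlet is mapped at /myWebApp, that BASIC authentication is used, and that the server's own role mapping assigns Bob (but not Alice) to the testing role.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml (WEB-INF) for the hypothetical myWebApp servlet -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <servlet-name>myWebApp</servlet-name>
    <servlet-class>com.example.MyWebAppServlet</servlet-class> <!-- assumed class name -->
  </servlet>
  <servlet-mapping>
    <servlet-name>myWebApp</servlet-name>
    <url-pattern>/myWebApp</url-pattern>
  </servlet-mapping>

  <!-- Condition 1: the servlet is protected, so an unauthenticated request
       (for example from Bob before he logs in) triggers a login challenge. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myWebApp</web-resource-name>
      <url-pattern>/myWebApp</url-pattern>
    </web-resource-collection>
    <!-- Condition 2: only subjects in the testing role are authorized.
         A valid user outside the role (Alice) authenticates successfully
         and then receives HTTP 403 for this URL. -->
    <auth-constraint>
      <role-name>testing</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Basic authentication, one of the two mechanisms named above. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myWebAppRealm</realm-name> <!-- assumed realm name -->
  </login-config>

  <!-- The application declares the role; mapping users such as Bob to it
       is done in the server's role-mapping configuration, not here. -->
  <security-role>
    <role-name>testing</role-name>
  </security-role>
</web-app>
```

Removing the auth-constraint element would leave the servlet protected by authentication only, so any valid user, Alice included, would be granted access.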