Authorization in WebSphere Application Server
WebSphere Application Server supports authorization based on the Java Authorization Contract for Containers (JACC) specification in addition to the default authorization. JACC is a new specification in J2EE 1.4. It enables third-party security providers to manage authorization in the application server. The default JACC provider provided by WAS uses the Tivoli Access Manager as the authorization provider.
When security is enabled in the WAS, the default authorization is used unless a JACC provider is specified. The default authorization does not require special setup, and the default authorization engine makes all of the authorization decisions. However, if a JACC provider is configured, all of the EJB and Web authorization decisions are then delegated to the JACC provider.
WAS supports security for J2EE applications and administrative components. Web and EJB components are protected per the J2EE specification. The administrative components are internal to WAS, and are protected by the RoleBasedAuthorizer. The administrative components include the admininstrative console application, MBeans, and other components such as naming and security.
When a JACC provider is used for authorization in WAS, all of the J2EE application-based authorization decisions are delegated to the provider per the JACC specification. However, all administrative security authorization decisions are made by the WAS default authorization engine. The JACC provider is not called to make the authorization decisions for administrative security.
When a protected J2EE resource is accessed, the authorization decision to give access to the principal is the same whether using the default authorization engine or a JACC provider. Both of the authorization models satisfy the J2EE specification, so there should be no differences in function. Choose a JACC provider only when you want to work with an external security provider such as the Tivoli Access Manager. In this instance, the security provider must support the JACC specification and be set up to work with the WAS. Setting up and configuring a JACC provider requires additional configuration steps, depending on the provider. Unless you have an external security provider to use with WAS, use the default authorization.
See Also
Tivoli Access Manager integration as the JACC provider
JACC support in WAS
Enabling an external JACC provider
Configuring a JACC provider
Propagating security policy of installed applications to a JACC provider using wsadmin scripting
Interfaces used to support JACC
Troubleshooting authorization providers
JACC providers