Quick overview of security
To understand the basic workflow of security in Liberty, some common security terms are detailed along with an example.
Security key terms
- Authentication
  Authentication confirms the identity of a user. The most common form of authentication is user name and password, such as through basic authentication or form login for web applications. When a user is authenticated, the source of a request is represented as a Subject object at run time.
- Authorization
  Authorization determines whether a user has access to a specific role within the system. The Java™ EE model uses subjects, roles, and role mappings to determine if access is allowed.
- Role
  A role is defined within the Java EE application. Some roles, such as the Administrator role, are predefined by the system. Other roles are defined by the application developer. In Java EE, subjects are granted or denied access to a role based on the roles they perform within the application.
- Subject
  A subject is both a general term and a Java object: javax.security.auth.Subject. Generally, the term subject means active entities within the system, such as users on the system, and even the system process itself.
Security workflow example
The following example demonstrates how security is applied when a user requests access to a resource. Suppose a user, Bob, wants to access the servlet myWebApp. See the code samples in Getting started with security in Liberty.

To access the servlet myWebApp, the following conditions must be true:
- Bob must be able to log in to the system, because the servlet is protected.
- Bob must be in the testing role, because the servlet is restricted by an auth-constraint element in the deployment descriptor.

If Bob cannot log in to the system, or Bob is not in the testing role, then access to the servlet myWebApp is denied. Another user, Alice, can log in to the system because Alice is a valid user, but Alice is not in the testing role. An HTTP 403 error (Access Denied/Forbidden) is displayed when Alice logs in.
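The server configuration below is an added example (not the page's own code, and not taken from Getting started with security in Liberty) that realizes the Bob and Alice scenario in Liberty's server.xml. It assumes the application is named myWebApp, that the deployment descriptor declares a testing role, and that the users live in the built-in basic registry; the password values are placeholders.

```xml
<!-- server.xml (added example, constructed for illustration) -->
<server description="Security workflow example">

  <!-- appSecurity enables authentication and authorization for web apps;
       servlet provides the web container. -->
  <featureManager>
    <feature>servlet-3.1</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- Authentication: the user registry decides WHO can log in.
       Both Bob and Alice are valid users, so both can authenticate.
       Placeholder passwords; in a real server, store encoded values
       produced by the securityUtility encode command. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="Bob"   password="PLACEHOLDER_BOB_PASSWORD" />
    <user name="Alice" password="PLACEHOLDER_ALICE_PASSWORD" />
  </basicRegistry>

  <!-- Authorization: the role mapping decides WHICH subjects hold a role.
       Only Bob is mapped to testing. Alice authenticates successfully but
       is not in the role, so her request for the servlet ends in HTTP 403. -->
  <application id="myWebApp" name="myWebApp" type="war"
               location="${server.config.dir}/apps/myWebApp.war">
    <application-bnd>
      <security-role name="testing">
        <user name="Bob" />
      </security-role>
    </application-bnd>
  </application>

</server>
```

The separation matters when reviewing a configuration: adding a user to basicRegistry only changes who can authenticate (an HTTP 401 challenge becomes a successful login), while the security-role binding under application-bnd is what grants or withholds the role that the auth-constraint checks. A user who appears in the registry but in no security-role binding is exactly the Alice case: logged in, yet forbidden.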