Quick overview of security

To understand the basic workflow of security in Liberty, some common security terms are detailed along with an example.

Security key terms

Authentication
Authentication confirms the identity of a user. The most common form of authentication is user name and password, such as through basic authentication or form login for web applications. When a user is authenticated, the source of a request is represented as a Subject object at run time.
Authorization
Authorization determines whether a user has access to a specific role within the system. The Java™ EE model uses subjects, roles, and role mappings to determine whether access is allowed.
Role
A role is defined within the Java EE application. Some roles, such as the Administrator role, are predefined by the system. Other roles are defined by the application developer. In Java EE, subjects are granted or denied access to a role based on the roles they perform within the application.
Subject
A subject is both a general term and a Java object: javax.security.auth.Subject. Generally, the term subject means active entities within the system, such as users on the system, and even the system process itself.

Security workflow example

The following example demonstrates how security is applied when a user requests access to a resource. For example, a user, Bob, wants to access a servlet, myWebApp. See the code samples in Getting started with security in Liberty.

To access the servlet myWebApp, the following conditions must be true:
  1. Bob must be able to log in to the system because the servlet is protected.
  2. Bob must be in the testing role because the servlet is restricted by using an auth-constraint element in the deployment descriptor.
If Bob cannot log in to the system, or Bob is not in the testing role, then the access to the servlet myWebApp is denied.

Another user, Alice, can log in to the system because Alice is a valid user, but Alice is not in the testing role. An HTTP 403 error (Access Denied/Forbidden) is displayed when Alice logs in.
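The configuration that produces this behaviour, written here as an added example rather than taken from the Getting started with security in Liberty samples: the web.xml deployment descriptor protects the /myWebApp URL with an auth-constraint that names the testing role, and the Liberty server.xml defines the users and maps only Bob to that role. The feature versions (servlet-3.1, appSecurity-2.0), the realm name, the user names, the passwords, and the WAR file name are assumptions made for the example.

```xml
<!-- web.xml: deployment descriptor of the constructed application (assumed: packaged as myWebApp.war) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Authentication: require a login for the protected URL (BASIC is one of the
       mechanisms the page mentions; form login would use <auth-method>FORM</auth-method>). -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>defaultRealm</realm-name>
  </login-config>

  <!-- Authorization: only subjects in the "testing" role may reach the servlet.
       An authenticated user outside the role receives HTTP 403 (Forbidden). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myWebApp servlet</web-resource-name>
      <url-pattern>/myWebApp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>testing</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Declare the application-defined role so the container knows it exists. -->
  <security-role>
    <role-name>testing</role-name>
  </security-role>
</web-app>

<!-- server.xml: Liberty server configuration (constructed example) -->
<server description="security workflow example">
  <featureManager>
    <feature>servlet-3.1</feature>       <!-- assumed feature version -->
    <feature>appSecurity-2.0</feature>   <!-- assumed feature version -->
  </featureManager>

  <!-- User registry: both users can authenticate. Passwords are placeholders
       for the example; a real server would use encoded values or an LDAP registry. -->
  <basicRegistry id="basic" realm="defaultRealm">
    <user name="bob"   password="bobPassword"/>
    <user name="alice" password="alicePassword"/>
  </basicRegistry>

  <!-- Role mapping: bind the application's "testing" role to Bob only.
       Alice authenticates successfully but is not in the role, so she gets 403. -->
  <application id="myWebApp" name="myWebApp" location="myWebApp.war" type="war">
    <application-bnd>
      <security-role name="testing">
        <user name="bob"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

With this configuration, a request from Bob with valid credentials reaches the servlet; the same request from Alice is authenticated (she is in the registry) but rejected with 403 because the role mapping does not include her, which is the authorization step failing after the authentication step succeeded. A request with no credentials or invalid credentials fails at the authentication step instead, and for BASIC authentication the container answers with a 401 challenge rather than 403.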