Module 4: Use Java Authentication and Authorization Service (JAAS) authorization in WebSphere Application Server

Now that you have configured authentication for clients, you can configure authorization to give different users different permissions. For example, an operator user might only be able to view data, while an administrator user can perform all operations.

After authenticating a client, as in the previous module in this tutorial, you can grant privileges through the eXtreme Scale authorization mechanisms. The previous module of this tutorial demonstrated how to enable authentication for a data grid using integration with WebSphere® Application Server. As a result, no unauthenticated client can connect to the eXtreme Scale servers or submit requests to your system. However, every authenticated client still has the same privileges on the server, such as reading, writing, or deleting data that is stored in the ObjectGrid maps. Clients can also issue any type of query.

This part of the tutorial demonstrates how to use eXtreme Scale authorization to give authenticated users varying privileges. WebSphere eXtreme Scale uses a permission-based authorization mechanism. You can assign different permission categories that are represented by different permission classes. This module features the MapPermission class. For a list of all possible permissions, see Client authorization programming.

In WebSphere eXtreme Scale, the com.ibm.websphere.objectgrid.security.MapPermission class represents permissions to the eXtreme Scale resources, specifically the methods of the ObjectMap or JavaMap interfaces. WebSphere eXtreme Scale defines the following permission strings to access the methods of ObjectMap and JavaMap:
  • read: Grants permission to read the data from the map.
  • write: Grants permission to update the data in the map.
  • insert: Grants permission to insert the data into the map.
  • remove: Grants permission to remove the data from the map.
  • invalidate: Grants permission to invalidate the data from the map.
  • all: Grants all permissions to read, write, insert, remove, and invalidate.
The authorization check occurs when an eXtreme Scale client uses a data access API, such as the ObjectMap, JavaMap, or EntityManager APIs. The run time checks the corresponding map permission when the method is called. If the required permission has not been granted to the client, the call fails with an AccessControlException. The check is deny-by-default: a client holds only the permissions that were explicitly granted to its principal, so a grant on one map does not extend to any other map. This tutorial demonstrates how to use Java Authentication and Authorization Service (JAAS) authorization to grant map access to different users.
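The following Java program is an added example, not code from the tutorial or from the eXtreme Scale product. It models the per-call check described above: the permissions granted to a principal are collected, and each data access method requires a MapPermission that one of the grants must imply, otherwise an AccessControlException is raised. The grid name "Grid", the map names "Map1" and "Map2", the role names, and the WebSphere principal class and realm string in the policy comment are assumptions for illustration; the "ObjectGridName.MapName" target form and the action strings are the ones the text lists. The "all"-implies-"read" logic is MapPermission's own implies() implementation, as the class extends java.security.Permission.

```java
import java.security.AccessControlException;
import java.security.PermissionCollection;
import java.security.Permissions;

import com.ibm.websphere.objectgrid.security.MapPermission;

/*
 * Added example (not part of the original tutorial). The grants below are the
 * same ones a JAAS policy file would express for two principals; the principal
 * class and realm name are assumptions, for illustration only:
 *
 *   grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
 *       principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/operator" {
 *       permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "read";
 *   };
 *   grant codebase "http://www.ibm.com/com/ibm/ws/objectgrid/security/PrivilegedAction"
 *       principal com.ibm.ws.security.common.auth.WSPrincipalImpl "defaultWIMFileBasedRealm/admin" {
 *       permission com.ibm.websphere.objectgrid.security.MapPermission "Grid.Map1", "all";
 *   };
 */
public class MapPermissionCheck {

    /** Grants for the operator role (assumed name): read-only on Grid.Map1. */
    static PermissionCollection operatorGrants() {
        Permissions p = new Permissions();
        p.add(new MapPermission("Grid.Map1", "read"));
        return p;
    }

    /** Grants for the administrator role (assumed name): every action on Grid.Map1. */
    static PermissionCollection adminGrants() {
        Permissions p = new Permissions();
        p.add(new MapPermission("Grid.Map1", "all"));
        return p;
    }

    /**
     * Mirrors the run-time check made on each ObjectMap/JavaMap call: the
     * caller must hold a grant that implies the permission the method needs
     * (get needs "read", insert needs "insert", and so on). Denial surfaces
     * as AccessControlException, which is what the client code must handle.
     */
    static void check(PermissionCollection granted, String target, String action) {
        MapPermission required = new MapPermission(target, action);
        if (!granted.implies(required)) {
            throw new AccessControlException("access denied: " + required, required);
        }
    }

    static String outcome(PermissionCollection granted, String target, String action) {
        try {
            check(granted, target, action);
            return "allowed";
        } catch (AccessControlException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        String[] actions = {"read", "write", "insert", "remove", "invalidate"};
        for (String action : actions) {
            System.out.println("operator " + action + " on Grid.Map1: "
                    + outcome(operatorGrants(), "Grid.Map1", action));
            System.out.println("admin    " + action + " on Grid.Map1: "
                    + outcome(adminGrants(), "Grid.Map1", action));
        }
        // Deny by default: a grant on Grid.Map1 says nothing about Grid.Map2.
        System.out.println("admin    read on Grid.Map2: "
                + outcome(adminGrants(), "Grid.Map2", "read"));
    }
}
```

Compile against the eXtreme Scale client JAR (objectgrid.jar) so that MapPermission resolves. The operator principal passes only the "read" check, the administrator passes all five on Grid.Map1, and neither passes on Grid.Map2. In real client code, catch AccessControlException around map operations rather than letting it propagate as an unhandled runtime error, and log the denied permission (the exception carries it) so that authorization failures are visible in operational monitoring.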

Learning objectives

After completing the lessons in this module, you know how to:
  • Enable authorization for WebSphere eXtreme Scale.
  • Enable user-based authorization.
  • Configure group-based authorization.

Time required

This module takes approximately 60 minutes.

Prerequisites

You must complete the prior modules in this tutorial before configuring authorization.
Related concepts

Client authorization programming: WebSphere eXtreme Scale supports Java Authentication and Authorization Service (JAAS) authorization that is ready to use, and also supports custom authorization using the ObjectGridAuthorization interface.