Authorization providers
WebSphere Application Server v9 supports authorization based on the Java Authorization Contract for Containers 1.5 (JACC) specification in addition to the default authorization. JACC enables a third-party security provider to manage authorization in the application server. JACC 1.5 supports Java EE 7, including Servlet 3.1 and EJB 3.2, and also covers security annotations as a source of policy information that is propagated to the provider.
The default authorization is used unless a JACC provider is specified. The default authorization requires no special setup, and the default authorization engine makes all of the authorization decisions. However, if a JACC provider is configured for WAS to use, all enterprise bean and web authorization decisions are delegated to that provider.
Java EE application components, such as web and EJB components, are protected per the Java EE specification. Administrative components are internal to WAS and are protected by its role-based authorizer. Administrative components include the administrative console, MBeans, and other components such as naming and security.
When a JACC provider is used for authorization in WAS, all of the Java EE application-based authorization decisions are delegated to the provider per the JACC specification. However, all administrative security authorization decisions are made by the WAS default authorization engine. The JACC provider is not called to make the authorization decisions for administrative security.
When a protected Java EE resource is accessed, the authorization decision to grant the principal access is the same whether the default authorization engine or a JACC provider is used. Both authorization models satisfy the Java EE specification and, given the same policy, produce the same decision. Choose a JACC provider only when you want to work with an external security provider such as IBM Security Access Manager (ISAM). The security provider must support the JACC specification and be set up to work with WAS. Setting up and configuring a JACC provider requires additional configuration steps, which depend on the provider.
To support the "**" role (any authenticated user), which Java EE 7 introduced in Servlet 3.1, the JACC provider must be configured to map the "**" role to the appropriate role. A provider that does not know about "**" would otherwise deny every request that a constraint with that role is meant to permit.
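The following is an added example, not WAS code and not the API of any JACC provider, that models in memory what a JACC provider's policy does with the permissions the container hands it: unchecked permissions pass for everyone, role permissions pass only for callers in that role, and the "**" role is treated as any authenticated caller. It uses only the standard JACC permission classes (javax.security.jacc, available from the javaee-api or javax.security.jacc-api jar; Java 9 or later for Set.of). The class, method and role names and the sample policy are constructed for illustration and do not correspond to any real deployment.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.WebResourcePermission;

/** Hypothetical in-memory model of a JACC role-to-permission policy (illustration only). */
public class JaccDecisionDemo {

    // Permissions granted to every caller, including unauthenticated ones.
    private final PermissionCollection unchecked = new Permissions();
    // Permissions granted per role, as a provider records PolicyConfiguration.addToRole() calls.
    private final Map<String, PermissionCollection> rolePermissions = new HashMap<>();

    void addToUncheckedPolicy(Permission p) {
        unchecked.add(p);
    }

    void addToRole(String role, Permission p) {
        rolePermissions.computeIfAbsent(role, r -> new Permissions()).add(p);
    }

    /**
     * Authorization decision for one Java EE resource.
     * callerRoles == null models an unauthenticated caller.
     * "**" is treated as "any authenticated caller", which is the Servlet 3.1 meaning
     * unless the application declares a role literally named "**".
     */
    boolean implies(Permission requested, Set<String> callerRoles) {
        if (unchecked.implies(requested)) {
            return true;
        }
        if (callerRoles == null) {
            return false; // unauthenticated callers only get unchecked resources
        }
        PermissionCollection anyAuthenticated = rolePermissions.get("**");
        if (anyAuthenticated != null && anyAuthenticated.implies(requested)) {
            return true;
        }
        for (String role : callerRoles) {
            PermissionCollection pc = rolePermissions.get(role);
            if (pc != null && pc.implies(requested)) {
                return true;
            }
        }
        return false;
    }

    private static void check(JaccDecisionDemo policy, Permission p, Set<String> roles, boolean expected) {
        boolean granted = policy.implies(p, roles);
        System.out.printf("%-70s roles=%-8s -> %s%n", p, roles, granted ? "GRANT" : "DENY");
        if (granted != expected) {
            throw new AssertionError("unexpected decision for " + p);
        }
    }

    public static void main(String[] args) {
        JaccDecisionDemo policy = new JaccDecisionDemo();

        // Constructed sample policy, shaped like what a deploy tool derives from
        // web.xml security-constraints and ejb-jar.xml method-permissions.
        policy.addToUncheckedPolicy(new WebResourcePermission("/public/*", (String) null)); // null = all methods
        policy.addToRole("**", new WebResourcePermission("/reports/*", "GET"));          // any authenticated user
        policy.addToRole("admin", new WebResourcePermission("/admin/*", "GET,POST"));
        policy.addToRole("admin", new EJBMethodPermission("AccountBean", "transfer"));   // all interfaces/params

        Set<String> anonymous = null;
        Set<String> user = Set.of("user");
        Set<String> admin = Set.of("admin");

        check(policy, new WebResourcePermission("/public/index.html", "GET"), anonymous, true);
        check(policy, new WebResourcePermission("/reports/q1", "GET"), anonymous, false); // "**" needs authentication
        check(policy, new WebResourcePermission("/reports/q1", "GET"), user, true);
        check(policy, new WebResourcePermission("/admin/users", "POST"), user, false);
        check(policy, new WebResourcePermission("/admin/users", "POST"), admin, true);
        check(policy, new EJBMethodPermission("AccountBean", "transfer,Remote,java.lang.String,double"), user, false);
        check(policy, new EJBMethodPermission("AccountBean", "transfer,Remote,java.lang.String,double"), admin, true);
    }
}
```

The permission objects are the real contract between the container and the provider; only the lookup table is a stand-in. The second check is the one the "**" mapping is about: if the provider had no rule for "**", an authenticated user would be denied /reports/q1 even though the constraint intends to allow every logged-in user. Administrative resources never reach this code path, because WAS keeps those decisions in its own role-based authorizer.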
Subtopics
- JACC support in WAS
- JACC providers
- JACC policy context handlers
- JACC policy context identifiers (ContextID) format
- JACC policy propagation
- JACC registration of the provider implementation classes
- Role-based security with embedded ISAM
- ISAM integration as the JACC provider
- ISAM security for WAS
- Security annotations
- Java Servlet 3.0 support for security
- Servlet security dynamic annotations
Related:
- Authorization technology
- Enable an external JACC provider
- Authorizing access to Java EE resources using ISAM
- Propagating security policy of installed applications to a JACC provider
- Interfaces that support JACC
- Security authorization provider troubleshooting tips