0.18.9: Security usage scenario - Web pages
When a browser requests a Web page, the Web server must determine whether
the page is protected. It uses the Application Server security plug-in to
access security data from the security server.
Suppose the principal bob (from Scenario 1) attempts to access the
Account.html Web page. Recall that bob has permission to:
- Create accounts (Account Create)
- Read or view accounts (Account Read)
This is how Application Server security responds to the request by bob to
view Account.html:
- Application Server determines that Account.html requires basic HTTP
authentication, meaning the user (client) must supply a user ID and password.
Previously, the system administrator used the WebSphere Administrative
Console to associate the authentication policy with the application containing
the Web page.
- Application Server challenges bob for a user ID and password, which
bob supplies. Application Server authenticates bob successfully.
- Application Server determines that a principal needs the Account Read
permission in order to perform the HTTP_GET method. The HTTP_GET method
is required in order to view a Web page.
- Application Server checks whether bob has the Account Read permission.
It finds that bob has the permission.
- Application Server informs the Web server that bob is allowed to
see Account.html. The page is displayed.
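The steps above, as an added simulation that is not WebSphere code: the user store, the permission assignments and the method-to-permission policy are constructed here, and the 401 challenge (authentication) is kept distinct from the 403 refusal (authorization) so each step of the scenario is visible.

```python
import base64
import hashlib
import hmac

# Constructed user store: salted SHA-256 digests, not WebSphere's registry format.
_SALT = b"demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USERS = {"bob": _digest("bobs-password"), "alice": _digest("alices-password")}

# Constructed permission assignments; bob's match Scenario 1, alice is added for contrast.
PRINCIPAL_PERMISSIONS = {
    "bob": {"Account Create", "Account Read"},
    "alice": {"Account Create"},
}

# Constructed policy: which permission each HTTP method on the protected page requires.
RESOURCE_POLICY = {"Account.html": {"HTTP_GET": "Account Read", "HTTP_POST": "Account Create"}}


def basic_header(user_id: str, password: str) -> str:
    """Build the Authorization header a client sends in reply to a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user_id}:{password}".encode()).decode()


def authenticate(authorization_header):
    """Return the principal name if Basic credentials verify, otherwise None."""
    if not authorization_header:
        return None
    scheme, _, encoded = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user_id, _, password = base64.b64decode(encoded).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 credentials
        return None
    expected = USERS.get(user_id)
    # Constant-time comparison so a wrong password is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected, _digest(password)):
        return None
    return user_id


def handle_request(resource, method, authorization_header=None):
    """Walk the scenario's steps and return (status, headers) for the request."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return 200, {}  # page is not protected: no authentication needed
    principal = authenticate(authorization_header)
    if principal is None:
        return 401, {"WWW-Authenticate": 'Basic realm="Accounts"'}  # challenge for ID/password
    required = policy.get(method)
    if required is None or required not in PRINCIPAL_PERMISSIONS.get(principal, set()):
        return 403, {}  # authenticated, but lacks the permission the method requires
    return 200, {}  # tell the Web server the page may be displayed
```

An unauthenticated GET yields 401, bob's GET yields 200, and alice's GET yields 403 even though she authenticates, because Account Read is checked separately from the login itself.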