
5.1.3: The WebSphere authorization model

Authorization information is used to determine if a caller has the necessary privilege to request a service. Authorization information can be stored in many ways. For example, with each resource, you can store a list of users and what they are permitted to do. Such a list is called an access-control list. Another way to store the information is to associate with each user a list of resources and the corresponding privilege held by the user. This is called a capability list.

WebSphere, like the Java security manager, uses a capability-based model for security. In WebSphere, individual resources are collected into applications, and methods are collected into method groups. Each user has a set of (application, method-group) pairs, which indicates the methods within an application on which the user has rights. Each (application, method-group) pair is called a permission. The WebSphere administrator grants users access to applications by doing the following:

  1. Mapping sets of related resources into applications.
  2. Mapping sets of related methods into method groups.
  3. Granting users permission lists.

When a user attempts to perform an operation, the security runtime determines which permissions would grant access to that operation, that is, the (application, method-group) pairs formed from the application containing the resource and each method group containing the method. If the requesting user holds at least one of those permissions, the authorization check succeeds and the user is permitted to perform the operation.
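The three mapping steps and the "at least one permission" check above, written out as a small model (an added example, not WebSphere code or its API; the application, method-group, resource and user names are constructed for illustration):

```python
"""Capability-based authorization in the style described above:
resources -> application, methods -> method groups, users -> permissions.
All names are constructed; this is not WebSphere's own implementation."""
from dataclasses import dataclass, field

Permission = tuple[str, str]  # (application, method-group)


@dataclass
class Authorizer:
    # Step 1: each resource belongs to exactly one application
    resource_app: dict[str, str] = field(default_factory=dict)
    # Step 2: a method may belong to several method groups
    method_groups: dict[str, set[str]] = field(default_factory=dict)
    # Step 3: each user's granted permission list
    user_perms: dict[str, set[Permission]] = field(default_factory=dict)

    def required_permissions(self, resource: str, method: str) -> set[Permission]:
        """All (application, method-group) pairs that would grant this call."""
        app = self.resource_app.get(resource)
        if app is None:  # unknown resource: nothing can grant access
            return set()
        return {(app, group) for group in self.method_groups.get(method, set())}

    def authorize(self, user: str, resource: str, method: str) -> bool:
        """Permit if the caller holds at least one of the granting permissions."""
        granting = self.required_permissions(resource, method)
        return bool(granting & self.user_perms.get(user, set()))


def build_demo() -> Authorizer:
    """Constructed sample: a banking application with Read and Write groups."""
    az = Authorizer()
    az.resource_app = {"AccountBean": "BankApp", "AuditLogBean": "BankApp",
                       "CatalogBean": "StoreApp"}
    az.method_groups = {"getBalance": {"Read"},
                        "transfer": {"Write"},
                        "getStatement": {"Read", "Write"}}  # either group grants it
    az.user_perms = {"teller": {("BankApp", "Read")},
                     "manager": {("BankApp", "Read"), ("BankApp", "Write")},
                     "clerk": {("StoreApp", "Read")}}  # Read on a different application
    return az


if __name__ == "__main__":
    az = build_demo()
    for user, res, meth in [("teller", "AccountBean", "getBalance"),
                            ("teller", "AccountBean", "transfer"),
                            ("clerk", "AccountBean", "getBalance"),
                            ("teller", "AccountBean", "getStatement")]:
        verdict = "permit" if az.authorize(user, res, meth) else "deny"
        print(f"{user:8} {res:12} {meth:13} -> {verdict}")
```

Note that the clerk's Read permission on StoreApp does not carry over to BankApp: a permission is the pair, not the method group alone.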
