5.1.3: The WebSphere authorization model

Authorization information is used to determine if a caller has the necessary privilege to request a service. Authorization information can be stored in many ways. For example, with each resource, you can store a list of users and what they are permitted to do. Such a list is called an access-control list. Another way to store the information is to associate with each user a list of resources and the corresponding privilege held by the user. This is called a capability list.

WebSphere, like the Java security manager, uses a capability-based model for security. In WebSphere, individual resources are collected into applications, and methods are collected into method groups. Each user has a set of (application, method-group) pairs, which indicates the methods within an application on which the user has rights. Each (application, method-group) pair is called a permission.

The WebSphere administrator grants users access to applications by doing the following:
When a user attempts to perform an operation, the security runtime determines the permissions that will grant access. If the requesting user has at least one of the necessary lists, the authorization check succeeds and the user is permitted to perform the operation.
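The check described above can be modeled in a few lines. This is an added example, not WebSphere code or its API: the application, method-group, method and user names are constructed, and it assumes the "necessary" items are the (application, method-group) permissions whose method group contains the requested method. It also shows the access-control-list view of the same data, for comparison with the capability view.

```python
from collections import defaultdict

# Constructed sample data (not from the page): methods collected into
# method groups, per application. A method may sit in more than one group.
METHOD_GROUPS = {
    ("Payroll", "ReadMethods"): {"getSalary", "listEmployees"},
    ("Payroll", "WriteMethods"): {"setSalary"},
    ("Payroll", "AuditMethods"): {"getSalary", "exportLedger"},
    ("Catalog", "ReadMethods"): {"listItems"},
}

# Capability lists: each user holds a set of (application, method-group)
# pairs, i.e. permissions. User names are hypothetical.
CAPABILITIES = {
    "alice": {("Payroll", "ReadMethods"), ("Catalog", "ReadMethods")},
    "bob": {("Payroll", "AuditMethods")},
    "carol": {("Catalog", "ReadMethods")},
}


def granting_permissions(application, method):
    """Return every permission that would grant access to the method."""
    return {perm for perm, methods in METHOD_GROUPS.items()
            if perm[0] == application and method in methods}


def is_authorized(user, application, method):
    """Succeed if the user holds at least one granting permission.

    Unknown users, and methods that belong to no method group, are denied
    because the intersection is empty.
    """
    needed = granting_permissions(application, method)
    held = CAPABILITIES.get(user, set())
    return bool(needed & held)


def as_access_control_lists(capabilities):
    """Invert capability lists into the per-permission ACL view."""
    acl = defaultdict(set)
    for user, perms in capabilities.items():
        for perm in perms:
            acl[perm].add(user)
    return dict(acl)
```

Because a method can belong to several method groups, auditing who can reach it means walking every granting permission, not just one group.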