0.18.9: Security usage scenario - Web pages

When a browser requests a Web page, the Web server must determine whether the page is protected. It uses the Application Server security plug-in to access security data from the security server.

Suppose the principal bob (from Scenario 1) attempts to access the Account.html Web page. Recall that bob has permission to:

This is how Application Server security responds to the request by bob to view Account.html:

  1. Application Server determines that Account.html requires basic HTTP authentication, meaning the user (client) must supply a user ID and password.

    Previously, the system administrator used the WebSphere Administrative Console to associate the authentication policy with the application containing the Web page.

  2. Application Server challenges bob for a user ID and password, which bob supplies. Application Server authenticates bob successfully.
  3. Application Server determines that a principal needs the Account Read permission in order to perform the HTTP_GET method. The HTTP_GET method is required in order to view a Web page.
  4. Application Server checks whether bob has the Account Read permission. It finds that bob has the permission.
  5. Application Server informs the Web server that bob is allowed to see Account.html. The page is displayed.
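The five steps above can be modelled as a small request handler. The following Python is an added example written for this page; it is not WebSphere code and does not use WebSphere's configuration format or security plug-in API. The page-to-policy table, the (page, method)-to-permission table, the principal bob with the constructed password "bob-secret", and the helper names are all assumptions made for the example.

```python
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample data modelling the scenario on this page (not WebSphere's
# real configuration): which pages require basic HTTP authentication, which
# permission each (page, method) pair needs, and which permissions each
# principal holds. The password is a made-up value for the example.
PROTECTED_PAGES = {"/Account.html": "BASIC"}                  # page -> authentication policy
REQUIRED_PERMISSION = {("/Account.html", "GET"): "Account Read"}
PRINCIPALS = {"bob": {"password": "bob-secret", "permissions": {"Account Read"}}}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(authorization_header):
    """Return the principal name for a valid 'Basic' Authorization header, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    record = PRINCIPALS.get(user)
    if record is None:
        return None
    # Constant-time comparison so a wrong password is rejected without a
    # timing difference that depends on how many leading characters matched.
    if not hmac.compare_digest(password.encode(), record["password"].encode()):
        return None
    return user


def handle_request(method, path, authorization_header=None):
    """Apply the authentication and authorization steps described on this page."""
    # Step 1: is the page protected, and by which authentication policy?
    policy = PROTECTED_PAGES.get(path)
    if policy is None:
        return Response(200, body=f"<contents of {path}>")
    # Step 2: challenge the client until it supplies valid credentials.
    user = authenticate(authorization_header)
    if user is None:
        return Response(401, headers={"WWW-Authenticate": 'Basic realm="Account"'})
    # Step 3: which permission does this HTTP method on this page require?
    needed = REQUIRED_PERMISSION.get((path, method))
    if needed is None:
        return Response(403)  # no mapping for this method: deny by default (fail closed)
    # Step 4: does the authenticated principal hold that permission?
    if needed not in PRINCIPALS[user]["permissions"]:
        return Response(403)
    # Step 5: the principal is allowed; the page is served.
    return Response(200, body=f"<contents of {path}>")


def basic_header(user, password):
    """Build the Authorization header a browser sends after a Basic challenge."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_request("GET", "/Account.html").status)                                   # 401: challenge
    print(handle_request("GET", "/Account.html", basic_header("bob", "bob-secret")).status)  # 200: bob may read
```

Two points the page's narrative leaves implicit are made explicit here: a method that has no permission mapping is refused rather than allowed through, and a failed password check returns the same 401 challenge as a missing header, so the response does not reveal whether the user ID exists.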