
Tutorials for Using Roles and Permissions in Applications

Purpose

There are numerous possibilities for protecting your applications using security roles and permissions. Therefore, the first step is to decide which approach works best for the type of application you have. For example, you can protect your Web client using authentication and security roles for authorization, or you can protect the application at the backend to protect access to individual EJB methods. If the application is provided as a Web service, then you can also apply protection to the Web service.

Approaches

The primary approaches for including access protection in your applications are:

·        Declarative

With the declarative approach, you specify that your application should check permissions and the name of the role that is to be checked. The AS Java performs the authorization check based on this declaration.

·        Programmatic

With the programmatic approach, you insert the authorization check into the application coding. In this case, the responsibility for the authorization check lies in the application and not in the Web container.

Note

Another approach is the use of access control lists (ACLs) to protect access to specific resources (for example, files in the file system). However, because this set of tutorials focuses on protecting access at the application level, we do not show the use of ACLs here. These tutorials only show the use of roles and permissions using either the declarative or programmatic approaches.

Types of Permissions

There are also two different types of permissions that you can use for protecting access to your applications:

·        J2EE security roles

J2EE security roles are security roles that are constructed according to the J2EE specification. They support both the declarative and programmatic approaches. When using the declarative approach, the information is stored in deployment descriptors for the application. Alternatively, you can use the available methods to perform checks in the application.

·        UME permissions

UME permissions are provided by the User Management Engine (UME) and extend the possibilities provided by the J2EE security roles. However, they are only supported when using a programmatic approach.

One advantage of using UME permissions is that administration is easier, because you can consolidate permissions into actions. The administrator works with the actions and not with all of the individual permissions. In addition, you can perform more complex checks than those supported when using J2EE security roles; for example, you can use wildcards in the authorization check.
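The programmatic approach with UME permissions, as an added example that is not part of this SAP document and not SAP's own code. It shows a hypothetical report servlet that performs its own authorization check (the application, not the Web container, decides), consolidates permissions through a wildcard (an action granting "report.*" covers every report name), and adjusts a screen item depending on the user's authorizations. The servlet, permission class, permission names and the "report" parameter are assumptions for illustration; the UME calls UMFactory.getAuthenticator().getLoggedInUser(request, response) and IUser.hasPermission(Permission) are used as the UME API documents them, which is an assumption about the runtime rather than something taken from this page.

```java
// Added example, not from this SAP document: a hypothetical report servlet that
// performs the authorization check itself (programmatic approach, UME permissions).
import java.io.IOException;
import java.security.BasicPermission;
import java.security.Permission;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;

/**
 * Hypothetical UME permission class. UME permissions are ordinary
 * java.security.Permission subclasses; BasicPermission supplies the
 * "report.*" wildcard semantics, so an action that grants "report.*"
 * implies "report.finance", "report.finance.export" and so on.
 * The action-to-permission mapping itself lives in the application's
 * actions.xml (not shown here).
 */
class ReportPermission extends BasicPermission {
    ReportPermission(String name) {
        super(name);
    }
}

public class ReportServlet extends HttpServlet {

    // Hypothetical permission name prefix; must match the names used in actions.xml.
    private static final String PERMISSION_PREFIX = "report.";

    // Deny by default: the user may open the report only if one of the actions
    // assigned to the user (directly or via roles/groups) implies this permission.
    static boolean mayOpenReport(IUser user, String reportName) {
        Permission required = new ReportPermission(PERMISSION_PREFIX + reportName);
        return user.hasPermission(required);
    }

    // Separate, finer-grained permission used only to decide what the screen shows.
    static boolean mayExportReport(IUser user, String reportName) {
        Permission required = new ReportPermission(PERMISSION_PREFIX + reportName + ".export");
        return user.hasPermission(required);
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Triggers the logon if the user is not yet authenticated. In that case it
        // returns null and has already written the logon challenge to the response.
        IUser user = UMFactory.getAuthenticator().getLoggedInUser(request, response);
        if (user == null) {
            return;
        }

        // The report name becomes part of the permission name and of the page,
        // so restrict it to a safe character set before using it anywhere.
        String reportName = request.getParameter("report");
        if (reportName == null || !reportName.matches("[A-Za-z0-9_]{1,64}")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        if (!mayOpenReport(user, reportName)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // "Adjust screen items depending on the authorizations": the export link
        // is rendered only for users who also hold the export permission.
        response.setContentType("text/html");
        response.getWriter().println("<h1>Report " + reportName + "</h1>");
        if (mayExportReport(user, reportName)) {
            response.getWriter().println("<a href=\"export?report=" + reportName + "\">Export</a>");
        }
    }
}
```

The check is split into named methods so that the decision logic can be unit-tested against a test IUser independently of the servlet. Note that hiding the export link is only a usability measure; the export servlet has to repeat the mayExportReport check, because the link target can be requested directly.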

Determining Which Approach to Use

To determine which approach you should use, see the following table.

Approach: Declarative
When to use: Use the declarative approach to protect access to static information or to applications that are explicitly distinguishable from one another, for example, to protect access to explicit EJB methods or to subsets of applications that are accessible using different URL paths.
Type of permission to use: J2EE security roles

Approach: Programmatic
When to use: Use the programmatic approach if you need more flexibility or more complex rules for allowing access. For example, use this approach to adjust screen items depending on the authorizations.
Type of permission to use: UME permissions
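The declarative approach with J2EE security roles, as an added example that is not part of this SAP document and not SAP's own configuration. It shows the two cases the table names: a subset of a Web application protected by URL path in web.xml, and individual EJB methods protected in ejb-jar.xml. The servlet, bean, URL and role names are hypothetical; the descriptor elements are the standard J2EE ones. The security-role-ref shown is what a servlet relies on when it calls HttpServletRequest.isUserInRole("viewer") (and an EJB when it calls EJBContext.isCallerInRole), so the code can use a local role name while the deployer links it to the real security role.

```xml
<!-- Added example, not from this SAP document: declarative protection in the
     deployment descriptors. All names are hypothetical. -->

<!-- web.xml: protect a subset of the Web application by URL path -->
<web-app>
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
    <!-- Security role reference: the code calls isUserInRole("viewer"),
         the deployer links "viewer" to the security role ReportViewer. -->
    <security-role-ref>
      <role-name>viewer</role-name>
      <role-link>ReportViewer</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <!-- No <http-method> is listed on purpose: the constraint then covers
           every HTTP method, so an unlisted verb cannot bypass it. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>ReportViewer</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Authentication is required before the role can be evaluated. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role used above must be declared here; the administrator then
       assigns users or groups to it after deployment. -->
  <security-role>
    <role-name>ReportViewer</role-name>
  </security-role>
</web-app>

<!-- ejb-jar.xml: protect individual EJB methods -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>ReportViewer</role-name>
    </security-role>
    <security-role>
      <role-name>ReportAdmin</role-name>
    </security-role>
    <!-- Read access for viewers ... -->
    <method-permission>
      <role-name>ReportViewer</role-name>
      <method>
        <ejb-name>ReportBean</ejb-name>
        <method-name>getReport</method-name>
      </method>
    </method-permission>
    <!-- ... and the destructive method only for administrators. Every method
         that needs protection requires an entry; do not rely on a container
         default for methods that are not listed. -->
    <method-permission>
      <role-name>ReportAdmin</role-name>
      <method>
        <ejb-name>ReportBean</ejb-name>
        <method-name>deleteReport</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

With these descriptors in place the application code contains no check at all for the protected URLs and methods: the Web container and the EJB container enforce the constraints, which is exactly what makes the approach suitable for resources that are statically distinguishable by path or method name.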

Recommendation

Although the J2EE security roles are also supported by the programmatic approach, in this case we recommend using UME permissions due to the increased flexibility.

Also, do not mix the use of J2EE security roles and UME permissions. If you decide to use UME permissions for a certain aspect of your application, then use UME permissions for the complete application. This makes the administration of the user and role assignments much easier.

For more information, see Using Security Roles and Security Role References in the Development Manual for the AS Java.
