
Declarative and Programmatic Authorization

Use

When choosing how to implement authorizations in an application, you have the following approaches:

  • Declarative

  • Programmatic

Declarative Authorization

With the declarative approach, the container enforces protection of the application. You declare these protections in a deployment descriptor or with annotations. This is also known as container-based authorization. Use this approach to protect servlets or EJBs with annotations. The advantage of declarative authorization over programmatic authorization is that the container enforces authentication. You do not have to enforce authentication in your code.

More information: Getting Started.
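The following is an added example, not code from the SAP documentation, showing the declarative approach with standard Java EE annotations: a servlet protected by a URL constraint and an EJB protected at method level. The role names "Administrator" and "Employee", the URL pattern and the class names are assumptions made for the example.

```java
// Added example, not code from the SAP documentation. The role names
// "Administrator" and "Employee", the URL pattern and the class names are
// assumptions for this example. Standard Java EE annotations only.
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet protected declaratively. The container authenticates the caller
 * (using the login-config of the web module) and refuses any request whose
 * user is not in the "Administrator" role before doGet() is entered.
 * The annotation replaces a <security-constraint> block in web.xml.
 */
@WebServlet("/admin/reports")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"Administrator"}))
public class ReportAdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No logon or role check in the code: if this line runs, the
        // container has already verified an authenticated Administrator.
        resp.setContentType("text/plain");
        resp.getWriter().println("Report administration for "
                + req.getUserPrincipal().getName());
    }
}

/**
 * EJB protected declaratively at method level. Every invocation is checked
 * by the container; a caller outside the listed roles receives a
 * javax.ejb.EJBAccessException and the method body never executes.
 */
@Stateless
@DeclareRoles({"Administrator", "Employee"})
class PayrollBean {

    private int approvedRuns = 0;

    @RolesAllowed({"Employee", "Administrator"})
    public String viewPayslip(String employeeId) {
        return "payslip for " + employeeId;
    }

    // Only administrators may approve; again no check is written in the body.
    @RolesAllowed("Administrator")
    public int approvePayrollRun(String runId) {
        approvedRuns++;
        return approvedRuns;
    }
}
```

Because the constraint sits on the URL and on the EJB methods, an unauthenticated request to /admin/reports is answered with the logon challenge by the container itself, which is the point made above: you do not have to trigger authentication from your own code.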

Programmatic Authorization

With the programmatic approach, you write the enforcement of authorizations into the code of the application. You protect portions of your application with methods that check whether the user has the required permissions.

Use this approach if the following applies:

  • You have multiple actions in the same method.

  • Only part of the application needs protection.

The disadvantage of this approach is that you must force the user to log on or combine this approach with declarative authorization.

You have the option of using Java EE methods or methods of the user management engine (UME) API to enforce authorizations.

Recommendation

We recommend that you use JEE standard methods. Some technologies require UME methods, such as Web Dynpro, JEE services like the keystore service, or anything that is not a JSP or servlet.

Java EE Methods

Java EE provides the following methods:

  • isUserInRole()

  • isCallerInRole()
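The following is an added example, not code from the SAP documentation, of the programmatic approach with the two Java EE methods listed above. It covers the two cases named earlier (several actions in one method, and only part of the method needing protection) and the disadvantage that the code itself must deal with a caller who never logged on. The role name "OrderManager", the URL and the class names are assumptions for the example.

```java
// Added example, not code from the SAP documentation. The role name
// "OrderManager", the URL pattern and the class names are assumptions.
import java.io.IOException;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * One servlet method handles several actions that need different
 * permissions, so a single declarative constraint on the URL would be
 * either too loose or too strict. The checks are written into the code.
 */
@WebServlet("/orders")
@DeclareRoles({"OrderManager"})  // makes the role name known to isUserInRole()
public class OrderServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic checks do not trigger a logon by themselves. Without
        // a security constraint on this URL the request may be anonymous:
        // getUserPrincipal() is null and isUserInRole() is false for every
        // role. Fail closed instead of silently treating the caller as a
        // user with no roles.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        String action = req.getParameter("action");
        if ("create".equals(action)) {
            // Any authenticated user may create an order: no role check here.
            resp.getWriter().println("order created");
        } else if ("cancel".equals(action)) {
            // Only this branch is protected: partial protection of a method.
            if (!req.isUserInRole("OrderManager")) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.getWriter().println("order cancelled");
        } else {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
        }
    }
}

/** The same idea inside an EJB, using the caller's security context. */
@Stateless
@DeclareRoles({"OrderManager"})
class OrderBean {
    @Resource
    private SessionContext ctx;

    public String cancelOrder(String orderId) {
        // Unlike @RolesAllowed, this check exists only where you write it.
        if (!ctx.isCallerInRole("OrderManager")) {
            throw new EJBAccessException(
                    "OrderManager role required to cancel " + orderId);
        }
        return "cancelled " + orderId;
    }
}
```

The null check on getUserPrincipal() is the practical consequence of the disadvantage described above: either the application forces the logon itself, or the URL is additionally covered by a declarative constraint so that the container has authenticated the user before the programmatic role checks run.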

UME Methods

The UME provides the following methods:

  • hasPermission()

  • checkPermission()

More information: Checking Permissions.

The UME methods extend the JEE methods. JEE methods are based purely on whether the user has the named permission or not. UME methods can add a second dimension to the permission check. The user must not only have the named permission, but must have the specified action within the permission.

More information: Named Permissions and Action Permissions.
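The following is an added example, not code from the SAP documentation, illustrating the second dimension of the UME check: the user needs the named permission and a specific action within it. The UME calls used (UMFactory.getAuthenticator().forceLoggedInUser(), IUser.hasPermission(), IUser.checkPermission()) and the ActionPermission class are written from the public com.sap.security.api Javadoc as I recall it and should be treated as assumptions to verify against the Javadoc of your NetWeaver release; the permission name "com.example.payroll.Payslip", the actions "view" and "approve", the URL and the class name are constructed for the example.

```java
// Added example, not code from the SAP documentation. The UME calls
// (UMFactory.getAuthenticator().forceLoggedInUser(), IUser.hasPermission(),
// IUser.checkPermission()) and the ActionPermission class are assumptions
// based on the public com.sap.security.api Javadoc; verify the signatures
// against your release. Permission name, action strings, URL and class
// name are constructed for this example.
import java.io.IOException;
import java.security.AccessControlException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.sap.security.api.IUser;
import com.sap.security.api.UMFactory;
import com.sap.security.api.permissions.ActionPermission;

@WebServlet("/payslips")
public class PayslipServlet extends HttpServlet {
    // Named permission (constructed); the action is the second dimension.
    private static final String PERMISSION = "com.example.payroll.Payslip";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic authorization needs an authenticated user first.
        // forceLoggedInUser() issues the logon challenge itself and returns
        // null while that logon is still in progress (assumption, see lead-in).
        IUser user = UMFactory.getAuthenticator().forceLoggedInUser(req, resp);
        if (user == null) {
            return;
        }

        String action = req.getParameter("action");
        if ("approve".equals(action)) {
            // checkPermission(): fail closed. The user must hold the named
            // permission AND the "approve" action inside it; otherwise a
            // java.security.AccessControlException is thrown.
            try {
                user.checkPermission(new ActionPermission(PERMISSION, "approve"));
            } catch (AccessControlException e) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            resp.getWriter().println("payroll run approved");
            return;
        }

        // hasPermission(): boolean form, used to branch rather than reject.
        // A user holding the named permission with only the "view" action
        // passes here but would have failed the "approve" check above.
        boolean canView = user.hasPermission(new ActionPermission(PERMISSION, "view"));
        resp.getWriter().println(canView ? "payslip data" : "no payslip access");
    }
}
```

The contrast with isUserInRole() is the permission object: a JEE role check answers only "does the user have this named permission", whereas each ActionPermission above carries both the permission name and the action, so "view" and "approve" are distinguished within one permission.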