Step 3: URL Authorization (The Java EE 6 Tutorial)

The Java EE 6 Tutorial

Previous: Step 2: Initial Authentication
Next: Step 4: Fulfilling the Original Request

Step 3: URL Authorization

The credential is used for future determinations of whether the user is authorized to access restricted resources it may request. The web server consults the security policy associated with the web resource to determine the security roles that are permitted access to the resource. The security policy is derived from annotations or from the deployment descriptor. The web container then tests the user’s credential against each role to determine whether it can map the user to the role. Figure 24–3 shows this process.

Figure 24–3 URL Authorization

The web server’s evaluation stops with an “is authorized” outcome when the web server is able to map the user to a role. A “not authorized” outcome is reached if the web server is unable to map the user to any of the permitted roles.

Previous: Step 2: Initial Authentication
Next: Step 4: Fulfilling the Original Request