Realms, Users, Groups, and Roles
Realms, users, groups, and roles are a set of abstract notions that together represent the authorization mechanism, which is responsible for providing and monitoring access to protected resources. It's based on identification (a sub-mechanism responsible for entity recognition) and authentication (a sub-mechanism responsible for entity-identity verification).
These notions seem abstract, but the concepts are just a programmatic representation of real life. Consider how a company accesses and manages its protected resources. Only a limited number of persons have access to the company properties—typically employees and guests, all of whom must be authorized in some way. Every department has its own security-level access to the company resources. Therefore, an employee's access to a particular set of resources depends on the department with which he or she is identified (for example, only certain privileged departments might have a key to the company swimming pool or executive locker room).
Now think of the company as a web application, and we can make the following assumptions:
- User. An authorized person (employee or authorized guest). In a web application, a user is an individual identity (human, machine, application, or process) that has been defined in the SJSAS container. Users can belong to groups and can have associated roles. When a user is authenticated by an authentication protocol in a deployed security service, it is called a principal. A principal is identified by a name and authenticated by its authentication data.
- Group. All the authorized persons within a department. In a web application, a group is defined in the SJSAS container, and it represents a set of authenticated users related by the same scopes, goals, issues, and so on.
- Realm. All the authorized persons who can access the company resources. In a web application, a realm is a database of valid users and groups who are under the same authentication policy.
- Role. Access to a particular set of resources. In a web application, a role is like a key that unlocks access to servlets, JSPs, EJBs, and so on. The main administrator of the web application is like the company's doorkeeper—he or she has all the keys (roles).
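
How the four notions meet in a web application's deployment descriptors, shown as an added example that is not part of the original text. The role `executive`, the group `management`, the user `alice`, and the URL pattern are constructed names, and the `file` realm is assumed to be the realm that holds these users.

```xml
<!-- WEB-INF/web.xml (fragment): the application declares a role
     and protects a set of resources with it -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Executive area</web-resource-name> <!-- constructed -->
    <url-pattern>/executive/*</url-pattern>               <!-- constructed -->
  </web-resource-collection>
  <auth-constraint>
    <!-- the role is the "key" that unlocks these URLs -->
    <role-name>executive</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends credentials on every request, so require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <!-- realm whose users and groups are consulted (assumed: "file") -->
  <realm-name>file</realm-name>
</login-config>

<security-role>
  <role-name>executive</role-name>
</security-role>

<!-- WEB-INF/sun-web.xml (fragment): the container-specific descriptor
     maps the application role to groups and users defined in the realm -->
<sun-web-app>
  <security-role-mapping>
    <role-name>executive</role-name>
    <!-- every authenticated user in this group receives the role -->
    <group-name>management</group-name>
    <!-- one individual user receives it as well -->
    <principal-name>alice</principal-name>
  </security-role-mapping>
</sun-web-app>
```

A role declared in `web.xml` with no matching `security-role-mapping` is held by nobody, so the protected URLs stay closed even to authenticated users. When reviewing access, read the group and principal mappings, since they determine who actually holds each key.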