Authentication and Authorization
There are two aspects of security for Web applications. You should implement both authentication and authorization in the environment where the application runs:
Authentication determines which users can access the application. Java Authentication and Authorization Service (JAAS) is a package that enables services to authenticate users and enforce user-access controls. JAAS is a standard security Application Programming Interface (API) that was added to the Java language through the Java Community Process; it enables applications to authenticate users and enforce authorization. JAZN (Java AuthoriZatioN) is Oracle’s implementation of JAAS. JAAS authentication is defined in the jazn-data.xml configuration file, which is referenced by the jazn.xml file. In the jazn-data.xml file, you can specify user IDs and passwords, create roles, and assign roles to users. You can also define application-specific roles that map to the roles you defined for JAAS.
Authorization determines what functions users are allowed to perform after they enter the application. You can control this by granting certain functionality to the roles that are defined for the application. You specify which objects, pages, and task flows are available to each role.
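The following fragments show the elements described above in practice. They are an added example, not configuration from the original page: the realm name, user names, role names and credential placeholders are assumed, and the second fragment assumes an OC4J-style orion-application.xml is used to map the application roles declared in web.xml onto the JAAS roles.

```xml
<!-- jazn-data.xml (assumed content): users, their credentials, and JAAS roles -->
<jazn-data>
  <jazn-realm>
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>alice</name>
          <!-- In OC4J a leading "!" marks a cleartext value that the container
               obfuscates on its next write of the file. Do not leave real
               cleartext credentials in this file, and restrict read access to it. -->
          <credentials>!CHANGE-ME</credentials>
        </user>
        <user>
          <name>bob</name>
          <credentials>!CHANGE-ME-TOO</credentials>
        </user>
      </users>
      <roles>
        <!-- JAAS roles; membership is assigned per user -->
        <role>
          <name>managers</name>
          <members>
            <member><type>user</type><name>alice</name></member>
          </members>
        </role>
        <role>
          <name>users</name>
          <members>
            <member><type>user</type><name>alice</name></member>
            <member><type>user</type><name>bob</name></member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>
</jazn-data>

<!-- orion-application.xml (assumed, OC4J): application-specific roles named in
     web.xml <security-role> elements are mapped onto the JAAS roles above -->
<orion-application>
  <security-role-mapping name="app-admin">
    <group name="managers"/>
  </security-role-mapping>
  <security-role-mapping name="app-user">
    <group name="users"/>
  </security-role-mapping>
</orion-application>
```

With this mapping in place, authorization checks in the application refer only to app-admin and app-user, so the set of JAAS users behind each role can change without touching the application.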