Fabric3 includes an extensible security framework that implements authentication and authorization. Authentication is typically specified as part of the binding (remote communications) configuration to perform client, server, or mutual authentication. When a client is authenticated, a security subject is associated with messages sent by the client. This security subject can then be used to authorize access to service operations based on roles.

The bindings chapters contain examples of how to configure authentication, since the specifics vary by binding type.

The security provider varies by runtime. The Standalone, Maven, and Ant runtimes are configured by default to use a basic security provider. The Tomcat runtime is configured with a provider that delegates to Tomcat security realms. Similarly, the WebLogic runtime delegates to WebLogic's security infrastructure.

Note that there is also a Fabric3 security provider extension that uses Spring Security. This provider can be used in any of the Fabric3 runtimes.

The following sections detail how to enable security in application code and create custom security providers: