Typically, software applications and systems are protected from unauthorized access. For example, authentication and authorization may be required before access to an application is granted. An example of such a protected application is a web application accessed in a web browser via the Internet. Usually, the protected application supports authentication and authorization mechanisms for requests from web browsers and application clients to access the protected application. Authentication and authorization mechanisms according to the Java® Platform, Enterprise Edition (EE) specification support access requests from web browsers, and direct access requests from application clients, based on user roles.
OAuth® is an open standard that provides application clients with a delegated authorization mechanism. The Java EE specification does not provide authentication based on scopes of rights. For example, authentication and authorization mechanisms in Java are based on user roles with associated access rights, whereas authorization and authentication mechanisms according to OAuth are based on scopes of rights delegated by the user to the application client. Modifying a protected application not only to support access based on user roles but also to support access requests based on scopes of rights may be tiresome and error prone.
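The following added example (not code from the original text or from any Java EE or OAuth implementation) illustrates the two access models described above in one authorization check: a container-authenticated principal is judged by its roles, while an OAuth bearer token is judged by its scopes and, because scopes are delegated by a user, is additionally capped by what the delegating user could do directly. The policy table, user directory, roles and scope names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for a protected web application: each operation lists the
# Java EE style roles allowed to call it directly and the OAuth scope a
# delegated client must present. An empty scope set marks an operation that a
# user may never delegate to an application client.
POLICY = {
    ("GET", "/orders"):   {"roles": {"customer", "admin"}, "scopes": {"orders:read"}},
    ("POST", "/orders"):  {"roles": {"customer"},          "scopes": {"orders:write"}},
    ("DELETE", "/users"): {"roles": {"admin"},             "scopes": set()},
}

# Constructed user directory standing in for the container's security realm.
USER_ROLES = {"alice": {"customer"}, "bob": {"admin"}}

@dataclass
class Principal:            # browser session authenticated by the container
    name: str

@dataclass
class AccessToken:          # OAuth bearer token issued to an application client
    subject: str            # the user who delegated the rights
    scopes: set = field(default_factory=set)
    expired: bool = False

def authorize(method, path, credential):
    """Return (allowed, reason) for one request under the unified policy."""
    rule = POLICY.get((method, path))
    if rule is None:
        return False, "no policy for operation: deny by default"
    if isinstance(credential, Principal):
        # Role-based path: the user's own roles decide.
        if rule["roles"] & USER_ROLES.get(credential.name, set()):
            return True, "role-based access"
        return False, "user lacks required role"
    if isinstance(credential, AccessToken):
        # Scope-based path: the token's scopes decide, within the user's rights.
        if credential.expired:
            return False, "token expired"
        if not rule["scopes"]:
            return False, "operation cannot be delegated to a client"
        if not rule["scopes"] <= credential.scopes:
            return False, "token lacks required scope"
        # A client never gains more than the delegating user holds directly.
        if not rule["roles"] & USER_ROLES.get(credential.subject, set()):
            return False, "delegating user lacks required role"
        return True, "scope-based delegated access"
    return False, "unsupported credential type"
```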