Definition: Authorization is the process by which a program calculates whether a given identity is permitted to access a resource such as an application component or a file. Authentication has already established who you are; authorization asks whether you are allowed to use the resource or component you are requesting.
Authorization: The process of calculating what type of access (if any) the security policy gives a principal to a resource.
Security role: A logical grouping of users who are given a level of access permissions.
Security domain: A scope that describes where a set of security policies is enforced and maintained.
J2EE uses the concept of security roles for both programmatic and declarative access control. This is distinct from the traditional, permission-based model.
Permission-based authorization: Typically, in permission-based security, both resources and users are described in a registry, and the association of groups and users with the resources takes place through Access Control Lists (ACLs). Maintaining the registry and the ACLs requires a security administrator.
Role-based authorization: In the J2EE role-based model, users and groups of users are still stored in a user registry. A mapping can also be given between users and groups and the security constraints. This mapping can exist in a registry, or J2EE applications themselves can have their own role-based security constraints described through deployment descriptors such as ejb-jar.xml, web.xml, and/or application.xml.
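As an added illustration (not part of the original page), a web.xml deployment descriptor can declare a role-based constraint and link a role name used in code to a declared role. The servlet, URL pattern, realm and role names here are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Hypothetical servlet. Its code calls request.isUserInRole("mgr")
       (programmatic access control); security-role-ref links that
       code-level name to a role declared below. -->
  <servlet>
    <servlet-name>PayrollServlet</servlet-name>
    <servlet-class>com.example.PayrollServlet</servlet-class>
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>payroll-manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>PayrollServlet</servlet-name>
    <url-pattern>/payroll/*</url-pattern>
  </servlet-mapping>

  <!-- Declarative access control: the container enforces this
       before any application code runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Payroll pages</web-resource-name>
      <url-pattern>/payroll/*</url-pattern>
      <!-- No http-method element is listed, so the constraint
           applies to every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>payroll-manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC credentials are only base64-encoded; require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>

  <!-- Every role referenced above must be declared here. -->
  <security-role>
    <role-name>payroll-manager</role-name>
  </security-role>
</web-app>
```

The descriptor names only the role; which registry users and groups belong to payroll-manager is bound separately, in the application server's own configuration.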