You can perform authorization through JEE security or through the application itself. JEE security uses roles to manage access to resources. A logical security role has permission to access certain resources. Actual users and groups who are mapped to that logical role can access those resources. The web.xml deployment descriptor specifies the type of access that is granted to each role. For Apache Tomcat, the binding occurs in a repository such as the tomcat-users.xml file, LDAP directory, or relational database.
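The declarative mapping described above, as an added example that is not part of the original documentation: a web.xml fragment that restricts a URL pattern to one logical role, followed by the tomcat-users.xml entries that bind an actual user to that role. The URL pattern, role name, realm name, user name, and password placeholder are constructed for illustration.

```xml
<!-- WEB-INF/web.xml (fragment): declares which role may reach which URLs -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected services</web-resource-name>
    <!-- Hypothetical path; use the pattern your application serves -->
    <url-pattern>/protected/*</url-pattern>
    <!-- No <http-method> elements, so the constraint covers every method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Logical role that is granted access -->
    <role-name>payroll_admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Require TLS so credentials are not sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here -->
<security-role>
  <role-name>payroll_admin</role-name>
</security-role>

<!-- conf/tomcat-users.xml: binds actual users to the logical role -->
<tomcat-users>
  <role rolename="payroll_admin"/>
  <!-- Constructed user; the password value is a placeholder -->
  <user username="alice" password="REPLACE_WITH_STRONG_PASSWORD"
        roles="payroll_admin"/>
</tomcat-users>
```

Tomcat matches the `role-name` in web.xml against the `rolename` in the realm by name, so the two must be spelled identically.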
Although you can check authorization in a JSF application by calling the J2EELib.isUserInRole and J2EELib.getRemoteUser EGL system functions, these system functions are not available from a Rich UI application in V7.5.1 because the JEE security that is used from a Rich UI application must be declarative.
If JEE authorization is not suitable for your Rich UI application, perhaps because programmatic security is unavailable or the overhead of administering JEE security roles is too high, authorization can be accomplished using your own application code. One way to implement authorization is to organize user entries into groups in a repository like an LDAP directory. You can then invoke a Web service from your Rich UI application to retrieve an entry from the repository and check whether a user is in a group that has access to a certain resource.
For details concerning authorization, see your Apache Tomcat or LDAP directory server documentation.