About Authentication and Authorization

Authentication and authorization are central concepts of application server security. This section covers the following topics:

“Authenticating Entities” on page 102

“Authorizing Users” on page 103

“Specifying JACC Providers” on page 103

“Auditing Authentication and Authorization Decisions” on page 103

“Configuring Message Security” on page 104

Authenticating Entities

Authentication is the way an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials may be a user name and password, a digital certificate, or something else.

Typically, authentication means a user logging in to an application with a user name and password, but it can also mean an EJB presenting security credentials when it requests a resource from the server. Servers and applications usually require clients to authenticate; clients can also require servers to authenticate themselves. When authentication happens in both directions, it is called mutual authentication.

When an entity tries to access a protected resource, the Enterprise Server uses the authentication mechanism configured for that resource to establish the entity's identity before deciding whether to grant access. For example, a user can enter a user name and password in a Web browser; if the application verifies those credentials, the user is authenticated and is associated with that security identity for the remainder of the session.

The Enterprise Server supports four types of authentication. An application specifies the type it uses in its deployment descriptors; for a Web application this is the auth-method element of login-config in web.xml.

TABLE 9–1 Enterprise Server Authentication Methods

Authentication Method   Communication Protocol   Description                                                        User Credential Encryption
BASIC                   HTTP (SSL optional)      Uses the server's built-in pop-up login dialog box.               None, unless using SSL.
FORM                    HTTP (SSL optional)      Application provides its own custom login and error pages.        None, unless using SSL.
CLIENT-CERT             HTTPS (HTTP over SSL)    Server authenticates the client using a public key certificate.   SSL
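The deployment-descriptor side of this table, as an added example that is not part of the guide or of the product: a small Python script that parses a constructed Servlet 2.5 web.xml, reports which auth-method it selects, and lists the protected URL patterns that lack a CONFIDENTIAL transport-guarantee, the setting that turns "SSL optional" into SSL required for BASIC and FORM. It also decodes a Basic Authorization header to show why the "None, unless using SSL" column matters. The sample descriptor, realm name, URL patterns and credential are constructed for illustration; the element names are those of the Servlet specification.

```python
"""Audit a web.xml against the SSL caveat in Table 9-1.

BASIC and FORM send the user credential in a recoverable form (BASIC is base64,
FORM is a plaintext POST), so a descriptor that selects either method should
also force SSL with <transport-guarantee>CONFIDENTIAL</transport-guarantee>
on every resource that requires authentication.  CLIENT-CERT already implies HTTPS.
"""
import base64
import xml.etree.ElementTree as ET

# Default namespace of a Java EE 5 (Servlet 2.5) web.xml.
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample descriptor (not shipped with the product): FORM login,
# one constraint that forces SSL and one that forgets to.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Methods whose credential travels unprotected unless SSL is forced.
CLEARTEXT_METHODS = {"BASIC", "FORM"}


def auth_method(web_xml):
    """Return the auth-method named in login-config, or None if there is none."""
    node = ET.fromstring(web_xml).find("j:login-config/j:auth-method", NS)
    return node.text.strip().upper() if node is not None and node.text else None


def unprotected_patterns(web_xml):
    """URL patterns of constraints that require authentication but not SSL."""
    findings = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        if sc.find("j:auth-constraint", NS) is None:
            continue  # no auth-constraint: no credential is demanded here
        tg = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
        if tg is None or (tg.text or "").strip().upper() != "CONFIDENTIAL":
            for up in sc.findall("j:web-resource-collection/j:url-pattern", NS):
                findings.append(up.text.strip())
    return findings


def audit(web_xml):
    """Patterns that would carry a BASIC/FORM credential over plain HTTP."""
    if auth_method(web_xml) in CLEARTEXT_METHODS:
        return unprotected_patterns(web_xml)
    return []  # CLIENT-CERT, or no login-config: nothing to flag here


def decode_basic_header(header_value):
    """What an on-path observer recovers from BASIC over plain HTTP: base64 is
    encoding, not encryption, so one decode yields the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    print("auth-method:", auth_method(SAMPLE_WEB_XML))
    print("authenticated but not CONFIDENTIAL:", audit(SAMPLE_WEB_XML))
    print(decode_basic_header("Basic " + base64.b64encode(b"alice:s3cret").decode()))
```

Run against a real descriptor by reading the file into the string; any pattern the audit prints is one where a captured request reveals the credential, and the fix is a user-data-constraint with CONFIDENTIAL on that constraint, or a switch to CLIENT-CERT.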


102

Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008
