Support User Manuals

Sun Microsystems 820433510 Server User Manual

Open as PDF

of 256

About Authentication and Authorization

Authentication and authorization are central concepts of application server security. The

following topics are discussed related to authentication and authorization:

■

“Authenticating Entities” on page 102

■

“Authorizing Users” on page 103

■

“Specifying JACC Providers” on page 103

■

“Auditing Authentication and Authorization Decisions” on page 103

■

“Conguring Message Security” on page 104

Authenticating Entities

Authentication is the way an entity (a user, an application, or a component) determines that

another entity is who it claims to be. An entity uses security credentials to authenticate itself.

The credentials may be a user name and password, a digital certicate, or something else.

Typically, authentication means a user logging in to an application with a user name and

password; but it might also refer to an EJB providing security credentials when it requests a

resource from the server. Usually, servers or applications require clients to authenticate;

additionally, clients can require servers to authenticate themselves, too. When authentication is

bidirectional, it is called mutual authentication.

When an entity tries to access a protected resource, the Enterprise Server uses the

authentication mechanism congured for that resource to determine whether to grant access.

For example, a user can enter a user name and password in a Web browser, and if the

application veries those credentials, the user is authenticated. The user is associated with this

authenticated security identity for the remainder of the session.

The Enterprise Server supports four types of authentication. An application species the type of

authentication it uses within its deployment descriptors.

TABLE9–1 EnterpriseServer AuthenticationMethods

Authentication Method Communication Protocol Description User Credential

Encryption

BASIC HTTP (SSL optional) Uses the server'sbuilt-in pop-up

login dialog box.

None,unless using SSL.

FORM HTTP (SSL optional) Application providesits own

custom login anderror pages.

None,unless using SSL.

CLIENT-CERT HTTPS (HTTP overSSL) Server authenticates theclient using

a public keycerticate.

SSL

AboutAuthenticationand Authorization

SunGlassFishEnterpriseServer2.1AdministrationGuide • December2008102

previous next