About Authentication and Authorization
Authentication and authorization are central concepts of application server security. The
following topics are discussed related to authentication and authorization:
■
“Authenticating Entities” on page 102
■
“Authorizing Users” on page 103
■
“Specifying JACC Providers” on page 103
■
“Auditing Authentication and Authorization Decisions” on page 103
■
“Conguring Message Security” on page 104
Authenticating Entities
Authentication is the way an entity (a user, an application, or a component) determines that
another entity is who it claims to be. An entity uses security credentials to authenticate itself.
The credentials may be a user name and password, a digital certicate, or something else.
Typically, authentication means a user logging in to an application with a user name and
password; but it might also refer to an EJB providing security credentials when it requests a
resource from the server. Usually, servers or applications require clients to authenticate;
additionally, clients can require servers to authenticate themselves, too. When authentication is
bidirectional, it is called mutual authentication.
When an entity tries to access a protected resource, the Enterprise Server uses the
authentication mechanism congured for that resource to determine whether to grant access.
For example, a user can enter a user name and password in a Web browser, and if the
application veries those credentials, the user is authenticated. The user is associated with this
authenticated security identity for the remainder of the session.
The Enterprise Server supports four types of authentication. An application species the type of
authentication it uses within its deployment descriptors.
TABLE9–1 EnterpriseServer AuthenticationMethods
Authentication Method Communication Protocol Description User Credential
Encryption
BASIC HTTP (SSL optional) Uses the server'sbuilt-in pop-up
login dialog box.
None,unless using SSL.
FORM HTTP (SSL optional) Application providesits own
custom login anderror pages.
None,unless using SSL.
CLIENT-CERT HTTPS (HTTP overSSL) Server authenticates theclient using
a public keycerticate.
SSL
AboutAuthenticationand Authorization
SunGlassFishEnterpriseServer2.1AdministrationGuide • December2008102