Sun Java System Web Server 7.0 Update 4 Developer's Guide to Java Web Applications

ACL-Based Authentication and Authorization

ACL-based access control is described at length in the Configuring Access Control in Sun Java System Web Server 7.0 Update 4 Administrator’s Guide. This section provides a brief overview of the key concepts.

Web Server supports authentication and authorization through the use of locally stored ACLs, which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:

acl "path=/export/user/990628.1/docs/misc/";
  authenticate (user,group) {
      database = "default";
      method = "basic";
   deny (all)
  (user = "John");
   allow (read);


The core ACLs in Web Server support three types of authentication: basic, certificate, and digest.

Basic authentication relies .

The ACL-based access control model includes the following features:

In addition, the Web Server SSL engine supports external crypto hardware to offload SSL processing and to provide optional tamper-resistant key storage.

For more information about ACL-based access control and the use of external crypto hardware, see the Web Server Administrator’s Guide.