, In addition to providing ACL-based authentication, Web Server also implements the security model defined in the Java EE 1.4 specification to provide several features that help you develop and deploy secure Java web applications.
A typical Java EE-based web application consists of the following parts, access to any or all of which can be restricted:
JavaServer Pages (JSP) components
Miscellaneous resources, such as image files and compressed archives
The Java EE servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information. The container then passes the information for verification to the realm that is currently active in the security service.
A realm, represents a set of known users along with optional group membership information. The main implementation also encapsulates a mechanism for performing authentication against the data set.
The main features of the Java EE/Servlet-based access control model are described below:
Java EE/Servlet-based authentication uses the following configuration files:
The web application deployment descriptor files web.xml and sun-web.xml
Authentication is performed by Java security realms that are configured through <auth-realm> entries in the server.xml file.
Authorization is performed by access control rules in the deployment descriptor file, web.xml, in case any such rules have been set.