Java EE/Servlet-Based Authentication and Authorization

, In addition to providing ACL-based authentication, Sun Java System Web Server 7.0 also implements the security model defined in the Java EE 1.4 specification to provide several features that help you develop and deploy secure Java web applications.

A typical Java EE-based web application consists of the following parts, access to any or all of which can be restricted:

• Servlets

• JavaServer Pages (JSP) components

• HTML documents

• Miscellaneous resources, such as image files and compressed archives

The Java EE servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information. The container then passes the information for verification to the realm that is currently active in the security service.

A realm, represents a set of known users along with optional group membership information. The main implementation also encapsulates a mechanism for performing authentication against the data set.

The main features of the Java EE/Servlet-based access control model are described below:

• Java EE/Servlet-based authentication uses the following configuration files:

  • The web application deployment descriptor files web.xml and sun-web.xml

  • install_dir/config/server.xml

  Authentication is performed by Java security realms that are configured through <auth-realm> entries in the server.xml file.

• Authorization is performed by access control rules in the deployment descriptor file, web.xml, in case any such rules have been set.