Sun Java System Application Server Enterprise Edition 8.2 Administration Guide

Authenticating Entities

Authentication is the way an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials may be a user name and password, a digital certificate, or something else.

Typically, authentication means a user logging in to an application with a user name and password; but it might also refer to an EJB providing security credentials when it requests a resource from the server. Usually, servers or applications require clients to authenticate; additionally, clients can require servers to authenticate themselves, too. When authentication is bidirectional, it is called mutual authentication.

When an entity tries to access a protected resource, the Application Server uses the authentication mechanism configured for that resource to determine whether to grant access. For example, a user can enter a user name and password in a Web browser, and if the application verifies those credentials, the user is authenticated. The user is associated with this authenticated security identity for the remainder of the session.

The Application Server supports four types of authentication, as outlined in Authenticating Entities. An application specifies the type of authentication it uses within its deployment descriptors. For more information on using deploytool to configure the authentication method for an application, see The J2EE 1.4 Tutorial at

Table 9–1 Application Server Authentication Methods

Authentication Method

Communication Protocol


User Credential Encryption


HTTP (SSL optional) 

Uses the server's built-in pop-up login dialog box. 

None, unless using SSL. 


HTTP (SSL optional) 

Application provides its own custom login and error pages. 

None, unless using SSL. 

Client Certificate 


Server authenticates the client using a public key certificate. 


Verifying Single Sign-On

Single sign-on enables multiple applications in one virtual server instance to share user authentication state. With single sign-on, a user who logs in to one application becomes implicitly logged in to other applications that require the same authentication information.

Single sign-on is based on groups. All Web applications whose deployment descriptor defines the same group and use the same authentication method (basic, form, digest, certificate) share single sign-on.

Single sign-on is enabled by default for virtual servers defined for the Application Server.