Within a Java ES environment, an end user has a single integrated identity. Based on this single identity, a user can be allowed access to various resources, such as a portal, web pages, and services such as messaging, calendar, and instant messaging.
This integrated identity and security capability is based on close collaboration between Directory Server, Access Manager, and other Java ES components.
User access to a Java ES service or resource is achieved by storing user-specific information in a single user entry in a user repository or directory. That information normally includes information such as a unique name and password, an email address, a role in an organization, web page preferences, and so forth. The information in the user entry can be used to authenticate the user, authorize access to specific resources, or provide various services to that user.
In the case of Java Enterprise System, user entries are stored in a directory provided by Directory Server. When a user wants to request a service provided by a Java ES component, that service uses Access Manager to authenticate the user and authorize access to specific resources. The requested service checks user-specific configuration information in the user’s directory entry. The service uses that information to perform the work requested by the user.
The following figure illustrates access to user entries for performing user authentication and authorization and for providing services to a user.
One of the features derived from this system is the ability of a web-based user to sign on to any Java ES service, and in so doing be automatically authenticated to other system services. This capability, known as single sign-on, is a powerful feature provided by Java Enterprise System.