Sun Java System Web Server 6.1 SP11 Administrator's Guide

About Sun Java System Web Server Security

You can protect resources that reside on your Web server through several security services and mechanisms, including authentication, authorization, and access control.

Authentication is the process of confirming an identity. Authorization means granting access to a restricted resource to an identity, and access control mechanisms enforce these restrictions. Authentication and authorization can be enforced by a number of security models and services.

Sun Java System Web Server 6.1 supports two security models: the ACL-based security model provided by the HTTP engine, and the J2SE Servlet version 2.3 specification-based model provided by the web container.

Both models coexist for the lifetime of a Sun Java System Web Server 6.1 process. Each model supports both client authentication and authorization security services.

The Sun Java System Web Server 6.1 web container provides client authentication through the Java Authentication and Authorization Service (JAAS)-based realm mechanism, and authorization through the J2SE role-based mechanism. One of the realms provided by Sun Java System Web Server 6.1 is the Native Realm. It provides the bridge between the two security models.

Sun Java System Web Server 6.1 supports both declarative security and programmatic security.

Sun Java System Web Server 6.1 leverages the features of the J2SE platform to define declarative contracts between those who develop and assemble application components and those who configure applications in operational environments. In the context of application security, application providers are required to declare the security requirements of their applications in such a way that these requirements can be satisfied during application configuration. The declarative security mechanisms used in an application are expressed in a declarative syntax in a document called a deployment descriptor. An application deployer then employs container-specific tools to map the application requirements that are in a deployment descriptor to security mechanisms that are implemented by J2SE containers. The deployment descriptor files for web applications in Sun Java System Web Server 6.1 are the web.xml and sun-web.xml files.
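As an added illustration (not taken from the guide), the two descriptors for one protected area of a web application: the application provider's web.xml declares the constraint, and the deployer's sun-web.xml maps the abstract role to a group the server knows. The servlet class, the /admin/* pattern, the realm name "native" and the group "webadmins" are placeholders, and the DOCTYPE declarations are omitted.

```xml
<!-- web.xml (Servlet 2.3 deployment descriptor; DOCTYPE omitted) -->
<web-app>
  <servlet>
    <servlet-name>AdminConsole</servlet-name>
    <servlet-class>example.AdminConsoleServlet</servlet-class> <!-- placeholder -->
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminConsole</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- Only authenticated callers holding the "admin" role may reach /admin/*.
       No <http-method> is listed, so the constraint covers every HTTP method. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container require SSL for these URLs -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication: the container issues an HTTP Basic challenge and
       validates the credentials against the named realm (name assumed) -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>native</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>

<!-- sun-web.xml (container-specific descriptor; DOCTYPE omitted):
     the deployer binds the abstract "admin" role to a real group -->
<sun-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>webadmins</group-name> <!-- placeholder group -->
  </security-role-mapping>
</sun-web-app>
```

A request to /admin/* is therefore refused unless the caller authenticates through the realm and belongs to a group mapped to the admin role; the check happens in the container before the servlet code runs.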

Programmatic security refers to security decisions that are made by security-aware applications. Programmatic security is useful when declarative security alone is not sufficient to express the security model of an application. For example, an application might make authorization decisions based on the time of day, the parameters of a call, or the internal state of a web component. Another application might restrict access based on user information stored in a database.

The rest of this chapter walks you through the following key concepts in authentication and authorization supported by Sun Java System Web Server 6.1: