J2SE/Servlet-based access control is described at length in the Sun Java System Web Server 6.1 Programmer’s Guide to Web Applications. The following section provides a brief overview of the key concepts.
Sun Java System Web Server 6.1, apart from providing ACL-based authentication, also leverages the security model defined in the J2SE 1.3 Specification to provide several features that help you develop and deploy secure Java Web applications.
A typical J2SE-based Web application consists of the following parts, access to any or all of which can be restricted:
JavaServer Pages (JSP) components
Miscellaneous resources, such as image files and compressed archives
The J2SE/Servlet-based access control infrastructure relies on the use of security realms. When a user tries to access an access-protected section of an application through a Web browser, the Web container prompts for the user’s credential information, and then passes it for verification to the realm which is currently active in the security service for this particular application.
The main features of the J2SE/Servlet-based access control model are described below:
J2SE/Servlet-based authentication uses the following configuration files:
The web application deployment descriptor files web.xml and sun-web.xml
Authentication is performed by Java security realms which are configured through AUTHREALM entries in the server.xml file.
Authorization is performed by access control rules in the deployment descriptor file, web.xml, in case any such rules have been set.
The following section briefly explains the concept of security realms. For a detailed discussion on the J2SE security model and realm-based authentication, see the Sun Java System Web Server 6.1 SP11 Programmer’s Guide to Web Applications.