Sun GlassFish Enterprise Server 2.1 Administration Guide

Authenticating Entities

Authentication is the way an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials may be a user name and password, a digital certificate, or something else.

Typically, authentication means a user logging in to an application with a user name and password; but it might also refer to an EJB providing security credentials when it requests a resource from the server. Usually, servers or applications require clients to authenticate; additionally, clients can require servers to authenticate themselves, too. When authentication is bidirectional, it is called mutual authentication.

When an entity tries to access a protected resource, the Enterprise Server uses the authentication mechanism configured for that resource to determine whether to grant access. For example, a user can enter a user name and password in a Web browser, and if the application verifies those credentials, the user is authenticated. The user is associated with this authenticated security identity for the remainder of the session.

The Enterprise Server supports four types of authentication. An application specifies the type of authentication it uses within its deployment descriptors.

Table 9–1 Enterprise Server Authentication Methods

Authentication Method

Communication Protocol


User Credential Encryption


HTTP (SSL optional) 

Uses the server's built-in pop-up login dialog box. 

None, unless using SSL. 


HTTP (SSL optional) 

Application provides its own custom login and error pages. 

None, unless using SSL. 



Server authenticates the client using a public key certificate. 




Server authenticates the client based on an encrypted response. 

SSL and TLS 

Verifying Single Sign-On

Single sign-on enables multiple applications in one virtual server instance to share the user authentication state. With single sign-on, a user who logs in to one application becomes implicitly logged in to other applications that require the same authentication information.

Single sign-on is based on groups. All Web applications whose deployment descriptor defines the same group and use the same authentication method (BASIC, FORM, CLIENT-CERT) share single sign-on.

Single sign-on is enabled by default for virtual servers defined for the Enterprise Server.