In addition to supporting the Java EE 1.4 security model, Web Server also supports the following features that are specific to the Web Server:
Single sign-on across all Web Server applications within a single security domain
Programmatic login
The parallel Access Control List (ACL)-based security model, in addition to the Java EE/Servlet security model
Support for secure ACL-based Java web applications, in addition to native content
This section discusses the following:
Secure applications require a client to be authenticated as a valid application user and have authorization to access servlets and JSPs.
Applications with a secure web container may enforce the following security processes for clients:
Authenticate the caller
Authorize the caller for access to each servlet/JSP based on the applicable access control configuration
Authentication is the process of confirming an identity. Authorization means granting access to a restricted resource to an identity. Access control mechanisms enforce these restrictions. Authentication and authorization can be enforced by a number of security models and services.
Web Server provides authentication and authorization support through the following mechanisms, which are discussed in this section:
ACL-based authentication and authorization
Java EE/Servlet-based authentication and authorization
Whether performed by the ACL subsystem or the Java EE/Servlet authentication subsystem, authentication and authorization are still the two fundamental operations that define secure web content.
ACL-based access control is described at length in the Configuring Access Control in Sun Java System Web Server 7.0 Update 8 Administrator’s Guide. This section provides a brief overview of the key concepts.
Web Server supports authentication and authorization through the use of locally stored ACLs, which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:
acl "path=/export/user/990628.1/docs/misc/"; authenticate (user,group) { database = "default"; method = "basic"; }; deny (all) (user = "John"); allow (read); |
The core ACLs in Web Server support three types of authentication: basic, certificate, and digest.
Basic authentication relies .
On lists of user names and passwords passed as cleartext.
Certificates bind a name to a public key.
Digest authentication uses encryption techniques to encrypt the user’s credentials.
The ACL-based access control model includes the following features:
ACL-based authentication uses the following configuration files:
install_dir/config/*.acl files
install_dir/config/server.xml
Authentication is performed by auth-db modules that are configured in the server.xml file.
Authorization is performed by access control rules set in the install_dir/config/*.acl files, if ACLs are configured.
In addition, the Web Server SSL engine supports external crypto hardware to offload SSL processing and to provide optional tamper-resistant key storage.
For more information about ACL-based access control and the use of external crypto hardware, see the Web Server Administrator’s Guide.
, In addition to providing ACL-based authentication, Web Server also implements the security model defined in the Java EE 1.4 specification to provide several features that help you develop and deploy secure Java web applications.
A typical Java EE-based web application consists of the following parts, access to any or all of which can be restricted:
Servlets
JavaServer Pages (JSP) components
HTML documents
Miscellaneous resources, such as image files and compressed archives
The Java EE servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information. The container then passes the information for verification to the realm that is currently active in the security service.
A realm, represents a set of known users along with optional group membership information. The main implementation also encapsulates a mechanism for performing authentication against the data set.
The main features of the Java EE/Servlet-based access control model are described below:
Java EE/Servlet-based authentication uses the following configuration files:
The web application deployment descriptor files web.xml and sun-web.xml
install_dir/config/server.xml
Authentication is performed by Java security realms that are configured through <auth-realm> entries in the server.xml file.
Authorization is performed by access control rules in the deployment descriptor file, web.xml, in case any such rules have been set.
Secure web applications may have authentication and authorization properties. The web container supports three types of authentication: basic, certificate, and form-based. The core ACLs support basic, certificate, and digest. For more information about ACL configuration, see the Sun Java System Web Server 7.0 Update 8 Administrator’s Guide.
When a browser requests an application URL that requires authentication, the web container collects the user authentication information, for example, user name and password and passes it to the security service for authentication.
For Java EE web applications, Web Server checks the application's web.xml file for information on which parts of the application are protected, and which roles are authorized to access. It also checks sun-web.xml to see whether the currently authenticated user belongs to one of the required roles, either directly through user mapping or indirectly through group mapping.