Authentication and authorization are central concepts of application server security. The following topics are discussed related to authentication and authorization:
Authentication is the way an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials may be a user name and password, a digital certificate, or something else.
Typically, authentication means a user logging in to an application with a user name and password; but it might also refer to an EJB providing security credentials when it requests a resource from the server. Usually, servers or applications require clients to authenticate; additionally, clients can require servers to authenticate themselves, too. When authentication is bidirectional, it is called mutual authentication.
When an entity tries to access a protected resource, the Communications Server uses the authentication mechanism configured for that resource to determine whether to grant access. For example, a user can enter a user name and password in a Web browser, and if the application verifies those credentials, the user is authenticated. The user is associated with this authenticated security identity for the remainder of the session.
The Communications Server supports four types of authentication. An application specifies the type of authentication it uses within its deployment descriptors.
Table 9–1 Communications Server Authentication Methods| Authentication Method | Communication Protocol | Description | User Credential Encryption | 
| BASIC | HTTP (SSL optional) | Uses the server's built-in pop-up login dialog box. | None, unless using SSL. | 
| FORM | HTTP (SSL optional) | Application provides its own custom login and error pages. | None, unless using SSL. | 
| CLIENT-CERT | HTTPS (HTTP over SSL) | Server authenticates the client using a public key certificate. | SSL | 
| DIGEST | HTTP and SIP | Server authenticates the client based on an encrypted response. | SSL and TLS | 
Single sign-on enables multiple applications in one virtual server instance to share the user authentication state. With single sign-on, a user who logs in to one application becomes implicitly logged in to other applications that require the same authentication information.
Single sign-on is based on groups. All Web applications whose deployment descriptor defines the same group and use the same authentication method (BASIC, FORM, CLIENT-CERT) share single sign-on.
Single sign-on is enabled by default for virtual servers defined for the Communications Server.
Once a user is authenticated, the level of authorization determines what operations can be performed. A user's authorization is based on his role. For example, a human resources application may authorize managers to view personal employee information for all employees, but allow employees to view only their own personal information. For more on roles, see Understanding Users, Groups, Roles, and Realms.
JACC (Java Authorization Contract for Containers) is part of the Java EE specification that defines an interface for pluggable authorization providers. This enables the administrator to set up third-party plug-in modules to perform authorization.
By default, the Communications Server provides a simple, file-based authorization engine that complies with the JACC specification. It is also possible to specify additional third-party JACC providers.
JACC providers use the Java Authentication and Authorization Service (JAAS) APIs. JAAS enables services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework.
The Communications Server can provide an audit trail of all authentication and authorization decisions through audit modules. The Communications Server provides a default audit module, as well as the ability to customize the audit modules.
Message Security enables a server to perform end-to-end authentication of web service invocations and responses at the message layer. The Communications Server implements message security using message security providers on the SOAP layer. The message security providers provide information such as the type of authentication that is required for the request and response messages. The types of authentication that are supported include the following:
Sender authentication, including username-password authentication.
Content authentication, including XML Digital Signatures.
Two message security providers are included with this release. The message security providers can be configured for authentication for the SOAP layer. The providers that can be configured include ClientProvider and ServerProvider.
Support for message layer security is integrated into the Communications Server and its client containers in the form of (pluggable) authentication modules. By default, message layer security is disabled on the Communications Server.
Message level security can be configured for the entire Communications Server or for specific applications or methods. Configuring message security at the Communications Server level is discussed in Chapter 10, Configuring Message Security. Configuring message security at the application level is discussed in the Developer's Guide.