Sun Java System Web Server-specific Security Features

In addition to supporting the J2SE 1.3 security model, Sun Java System Web Server also supports the following features that are specific to the Web Server:

• Single sign-on across all Sun Java System Web Server applications within a single security domain.

• Programmatic login.

• The parallel Access Control List (ACL)-based security model, in addition to the J2SE/Servlet security model.

• Support for secure ACL-based Java web applications, in addition to native content.

This section discusses the following:

• Sun Java System Web Server Security Model

• Web Application and URL Authorizations

Sun Java System Web Server Security Model

Secure applications require a client to be authenticated as a valid application user and have authorization to access servlets and JSPs.

Applications with a secure web container may enforce the following security processes for clients:

• Authenticate the caller

• Authorize the caller for access to each servlet/JSP based on the applicable access control configuration

Authentication is the process of confirming an identity. Authorization means granting access to a restricted resource to an identity, and access control mechanisms enforce these restrictions. Authentication and authorization can be enforced by a number of security models and services.

Sun Java System Web Server 6.1 provides authentication and authorization support through the following mechanisms, which are discussed in this section:

• ACL-based authentication and authorization

• J2SE/Servlet-based authentication and authorization

Whether performed by the ACL subsystem or the J2SE/Servlet authentication subsystem, authentication and authorization are still the two fundamental operations that define secure web content.

ACL-based Authentication and Authorization

ACL-based access control is described at length in the Sun Java System Web Server 6.1 Administrator’s Guide. This section provides a brief overview of the key concepts.

Sun Java System Web Server 6.1 supports authentication and authorization through the use of locally stored access control lists (ACLs), which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:

acl "path=/export/user/990628.1/docs/misc/";
  authenticate (user,group) {
      database = "default";
      method = "basic";
   };
   deny (all)
  (user = "John");
   allow (read);

            

The core ACLs in Sun Java System Web Server 6.1 support three types of authentication: basic, certificate, and digest.

Basic authentication relies on lists of user names and passwords passed as cleartext. Certificates bind a name to a public key. Digest authentication uses encryption techniques to encrypt the user’s credentials.

The main features of the ACL-based access control model are described below:

• ACL-based authentication uses the following configuration files:

  • server-install/httpacl/*.acl files

  • server-install/userdb/dbswitch.conf

  • server-install/config/server.xml

  Authentication is performed by auth-db modules that are configured in the dbswitch.conf file.

• Authorization is performed by access control rules set in the server-install/httpacl/*.acl files, if ACLs are configured.

In addition, the Sun Java System Web Server 6.1 SSL engine supports external crypto hardware to offload SSL processing and to provide optional tamper-resistant key storage.

For more information about access control and the use of external crypto hardware, see the Sun Java System Web Server 6.1 SP7 Administrator’s Guide.

J2SE/Servlet-based Authentication and Authorization

Sun Java System Web Server 6.1, apart from providing ACL-based authentication, also leverages the security model defined in the J2SE 1.3 specification to provide several features that help you develop and deploy secure Java web applications.

A typical J2SE-based web application consists of the following parts, access to any or all of which can be restricted:

• Servlets

• JavaServer Pages (JSP) components

• HTML documents

• Miscellaneous resources, such as image files and compressed archives

The J2SE/Servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information, and then passes it for verification to the realm that is currently active in the security service.

A realm, also called a security policy domain or security domain in the J2SE specification, is a scope over which a common security policy is defined and enforced by the security administrator of the security service.

The main features of the J2SE/Servlet-based access control model are described below:

• J2SE/Servlet-based authentication uses the following configuration files:

  • The web application deployment descriptor files web.xml and sun-web.xml

  • server-install/config/server.xml

  Authentication is performed by Java security realms that are configured through AUTHREALM entries in the server.xml file.

• Authorization is performed by access control rules in the deployment descriptor file, web.xml, in case any such rules have been set.

Web Application and URL Authorizations

Secure web applications may have authentication and authorization properties. The web container supports three types of authentication: basic, certificate, and form-based. The core ACLs support basic, certificate, and digest. For more information about ACL configuration, see the Sun Java System Web Server 6.1 SP7 Administrator’s Guide.

When a browser requests the main application URL, the web container collects the user authentication information (for example, user name and password) and passes it to the security service for authentication.

For J2SE web applications, Sun Java System Web Server consults the security policies (derived from the deployment descriptors) associated with the web resource to determine the security roles used to permit resource access. The web container tests the user credentials against each role to determine if it can map the user to the role.