Sun Java System Web Server 6.1 SP7 Programmer's Guide to Web Applications

J2SE/Servlet-based Authentication and Authorization

Sun Java System Web Server 6.1, apart from providing ACL-based authentication, also leverages the security model defined in the J2SE 1.3 specification to provide several features that help you develop and deploy secure Java web applications.

A typical J2SE-based web application consists of the following parts, access to any or all of which can be restricted:

The J2SE/Servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information, and then passes it for verification to the realm that is currently active in the security service.

A realm, also called a security policy domain or security domain in the J2SE specification, is a scope over which a common security policy is defined and enforced by the security administrator of the security service.

The main features of the J2SE/Servlet-based access control model are described below: