About Authentication And Authorization; Authenticating Entities; Enterprise Server Authentication Methods - Sun Microsystems GlassFish Enterprise Server 2.1 Administration Manual

Hide thumbs Also See for GlassFish Enterprise Server 2.1:

Tuning manual (128 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

page of 256

/ 256
Contents
Table of Contents
Bookmarks

Table of Contents

About Authentication and Authorization

Authentication and authorization are central concepts of application server security. The

following topics are discussed related to authentication and authorization:

"Authenticating Entities" on page 102

■

"Authorizing Users" on page 103

■

"Specifying JACC Providers" on page 103

■

"Auditing Authentication and Authorization Decisions" on page 103

■

"Configuring Message Security" on page 104

■

Authenticating Entities

Authentication is the way an entity (a user, an application, or a component) determines that

another entity is who it claims to be. An entity uses security credentials to authenticate itself.

The credentials may be a user name and password, a digital certificate, or something else.

Typically, authentication means a user logging in to an application with a user name and

password; but it might also refer to an EJB providing security credentials when it requests a

resource from the server. Usually, servers or applications require clients to authenticate;

additionally, clients can require servers to authenticate themselves, too. When authentication is

bidirectional, it is called mutual authentication.

When an entity tries to access a protected resource, the Enterprise Server uses the

authentication mechanism configured for that resource to determine whether to grant access.

For example, a user can enter a user name and password in a Web browser, and if the

application verifies those credentials, the user is authenticated. The user is associated with this

authenticated security identity for the remainder of the session.

The Enterprise Server supports four types of authentication. An application specifies the type of

authentication it uses within its deployment descriptors.

Enterprise Server Authentication Methods

TABLE 9–1

Authentication Method

BASIC

FORM

CLIENT-CERT

102

Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008

Communication Protocol

HTTP (SSL optional)

HTTPS (HTTP over SSL)

Description

Uses the server's built-in pop-up

Application provides its own

custom login and error pages.

Server authenticates the client using

a public key certificate.

User Credential

Encryption

None, unless using SSL.

SSL

Table of Contents

Chapters

Table of Contents

About Authentication And Authorization; Authenticating Entities; Enterprise Server Authentication Methods - Sun Microsystems GlassFish Enterprise Server 2.1 Administration Manual

About Authentication and Authorization

Authenticating Entities

Enterprise Server Authentication Methods

Chapters

Related Manuals for Sun Microsystems GlassFish Enterprise Server 2.1

Related Content for Sun Microsystems GlassFish Enterprise Server 2.1

Table of Contents