J2EE Application Security @ JDJ

http://www.rdxx.com 10 August 2005 20:34 Java Channel

Keywords: security, JDJ, J2EE, ATI, IT

When designing Web-based applications, security is a critical component. Before the advent of J2EE, to implement a secure distributed application you had to code all of the security directly into the application.

J2EE introduced a powerful security infrastructure for applications that greatly assists developers and enterprises in securing their applications. When used properly, this infrastructure takes much of the burden of securing the application off of the developers, leaving them free to concentrate on implementing business logic.

The J2EE container-security services primarily address the security requirements of authentication and authorization. Authentication is the mechanism by which callers and service providers prove to each other that they are acting on behalf of specific users or systems. Authorization mechanisms provide control over what resources an identified user or system has access to. In simple terms, authentication answers "Who are you?" and authorization answers "What can you access?"

Authentication
The J2EE model supports several methods for authenticating users: basic, digest, form-based, and certificate-based authentication. In basic authentication, the Web server prompts the user for a user name and password, which are then transmitted to the server. Unless an SSL session has been established, this information is sent in the clear, so it is not very secure. Digest authentication improves security a bit by sending a digest of the user name and password, along with some session-specific information, to the server instead of transmitting the clear-text password.

Both of these methods result in a standard dialog being presented to the user for entering the user name and password.

Form-based authentication allows the developer to create a custom log-in page using a form. As with basic authentication, the user name and password are sent in the clear unless an SSL session has been established.

Finally, the most secure method of authentication is the certificate-based method. In this method, both client and server use X.509 certificates to prove their identities. This authentication always occurs over an SSL-protected channel.

The Web component deployment descriptor specifies which resources are protected and thus require user authentication. The actual step of authenticating the user is usually accomplished by looking the user up in a corporate directory or database.

After a user's or service's identity has been successfully proven, an authentication context is established. This allows the user or service to be authenticated to other entities without repeating the authentication lookup step. A user may also delegate its authentication context to a component, allowing that component to call another component while impersonating the original caller.

The authentication mechanism is configured in the Web component deployment descriptor. Listing 1 shows an example of configuring digest authentication. Listing 2 shows an example of configuring form-based authentication. The error page specified in Listing 2 is a page presented to the user when authentication fails.
