
J2EE Developer's Guide
Security


Authentication

Authentication is the process by which a user proves his or her identity to a system. For example, when you log on to a computer and provide a password, the software that verifies your user name and password is performing authentication. The J2EE server controls client access with a distributed authentication service. This service controls whether or not a J2EE user can access the components within a J2EE application.

Note: This section describes the authentication service of the J2EE SDK. Other J2EE implementations might perform authentication differently. In a commercial implementation of J2EE, for example, a J2EE user and an operating system user might be the same, but in the J2EE SDK they are not.

J2EE Users, Realms, and Groups

A J2EE user is similar to an operating system user. Typically, both types of users represent people. However, these two types of users are not the same. The J2EE authentication service has no knowledge of the user and password you provide when logging on to the operating system. The J2EE authentication service is not connected to the security mechanism of the operating system. The two security services manage users that belong to different realms.

A realm is a collection of users that are controlled by the same authentication policy. The J2EE authentication service governs users in two realms: certificate and default.

Certificates are used with the HTTPS protocol to authenticate Web browser clients. (For more information on certificates, see the Security in JDK 1.2 chapter of the Java Tutorial.) To verify the identity of a user in the certificate realm, the authentication service verifies an X509 certificate. (For step-by-step instructions, see the Setting Up a Server Certificate section.) The common name field of the X509 certificate is used as the principal name.

In most cases, the J2EE authentication service verifies user identity by checking the default realm. This realm is used for the authentication of all clients except for Web browser clients that use the HTTPS protocol and certificates.

A J2EE user of the default realm may belong to a J2EE group. (A user in the certificate realm may not.) A group is a category of users, classified by common traits such as job title or customer profile. For example, most customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users. A later section, Authorization, discusses controlling user access to enterprise beans.

Client Authentication

The J2EE authentication service controls access from all types of bean clients: J2EE application clients, stand-alone Java applications, and web components.

When a J2EE application client starts running, its container pops open a window that requests the J2EE user name and password. If you run the J2EEClient program of the Clients chapter (J2EE Application Clients section), you'll see this log-on window in action. The authentication service verifies that the user name and password from the log-on window exist in the default realm. After authentication, the user's security context is associated with any call that the client makes to enterprise beans deployed in the J2EE server.

Most of the examples in this book feature clients that are stand-alone Java applications. Because these clients do not log on, they are assigned the unauthenticated and anonymous user named guest. (The password is guest123.) Other types of clients, including Web browsers, may also access the J2EE server without authentication. Such clients are always assigned the user guest, indicating that their access is unauthenticated.

Many applications do not require authentication. For example, an online product catalog would not force customers to log on if they are merely browsing. Also, when you first start developing an application, you may find it convenient to allow anyone (guest) to access the application's components.

During deployment, you specify whether or not a web component is a protected resource. If the web component is unprotected, anyone may access it from their browser. If an unprotected web component accesses an enterprise bean, the authentication service assigns it a certificate for the guest user. Any subsequent calls to enterprise beans are associated with the guest user.

If a web component is protected, you may specify one of three types of authentication: basic, form, and certificate. With basic authentication, the server instructs the Web browser to prompt for the user name and password. With form authentication, you specify the .html form or .jsp file that prompts for the user name and password. With certificate authentication, the server requests a certificate from the browser. In all three types of authentication, if the web component calls an enterprise bean, the call is associated with the authenticated user.
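The following web.xml fragment is an added example, not from this guide, showing how the deployment choices just described are expressed in a standard Servlet 2.2 deployment descriptor: one protected URL pattern, an unprotected remainder served as guest, and form authentication with basic and certificate authentication noted as alternatives. The URL pattern, page paths and the role name "preferred" (assumed to be mapped to the PREFERRED group at deployment) are illustrative placeholders.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Only /account/* is a protected resource. Everything else (for example
       a product catalog) is unprotected: the container serves it without a
       log-on, and any bean call it makes runs as the guest user. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AccountPages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Placeholder role; map it to the PREFERRED group when you deploy. -->
      <role-name>preferred</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so the password posted by the form is not sent in
           clear text. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Form authentication: an unauthenticated request for a protected page
       is redirected to /login.jsp (placeholder). That page's form must POST
       to j_security_check with fields named j_username and j_password; the
       container checks them against the default realm.
       To use the other two types described above, replace FORM with
       BASIC (browser prompts for user name and password) or
       CLIENT-CERT (browser presents an X509 certificate; certificate realm)
       and drop the form-login-config element. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must also be declared here. -->
  <security-role>
    <role-name>preferred</role-name>
  </security-role>
</web-app>
```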

Managing J2EE Users and Groups

The realmtool utility is a command-line program that allows you to add and remove users in the default and certificate realms.

To display all users in the default realm, type this command:

realmtool -list default

To add a user to the default realm, you specify the -add flag. The following command adds a user named robin who is protected by the password red, and includes robin in the bird and wing groups:

realmtool -add robin red bird,wing

To add a user to the certificate realm, you import a file containing the X509 certificate that identifies the user:

realmtool -import certificate-file

To remove a user, you specify the -remove flag. For example, to remove a user named sparrow from the default realm, you would type the following command:

realmtool -remove default sparrow

To add a group to the default realm, you specify the -addGroup flag. The following command adds the wing group:

realmtool -addGroup wing

(You cannot add a group to the certificate realm.)

To remove a group from the default realm, you specify the -removeGroup flag:

realmtool -removeGroup wing


Copyright © 2000 Sun Microsystems, Inc. All rights reserved.