J2EE™ Developer's Guide
Security
Note: This section describes the authentication service of the J2EE SDK. Other J2EE implementations might perform authentication differently. In a commercial implementation of J2EE, for example, a J2EE user and an operating system user might be the same, but in the J2EE SDK they are not.
A realm is a collection of users that are controlled by the same authentication policy. The J2EE authentication service governs users in two realms: certificate and default.
Certificates are used with the HTTPS protocol to authenticate Web browser clients. (For more information on certificates, see the Security in JDK 1.2 chapter of the Java™ Tutorial.) To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. (For step-by-step instructions, see the Setting Up a Server Certificate section.) The common name field of the X.509 certificate is used as the principal name.
In most cases, the J2EE authentication service verifies user identity by checking the default realm. This realm is used for the authentication of all clients except for Web browser clients that use the HTTPS protocol and certificates.
A J2EE user of the default realm may belong to a J2EE group. (A user in the certificate realm may not.) A group is a category of users, classified by common traits such as job title or customer profile. For example, most customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users. A later section, Authorization, discusses controlling user access to enterprise beans.
When a J2EE application client starts running, its container pops open a window that requests the J2EE user name and password. If you run the J2EEClient program of the Clients chapter (J2EE Application Clients section), you'll see this log-on window in action. The authentication service verifies that the user name and password from the log-on window exist in the default realm. After authentication, the user's security context is associated with any call that the client makes to enterprise beans deployed in the J2EE server.
Most of the examples in this book feature clients that are stand-alone Java applications. Because these clients do not log on, they are assigned the unauthenticated and anonymous user named guest. (The password is guest123.) Other types of clients, including Web browsers, may also access the J2EE server without authentication. Such clients are always assigned the user guest, indicating that their access is unauthenticated.
Many applications do not require authentication. For example, an online product catalog would not force customers to log on if they are merely browsing. Also, when you first start developing an application, you may find it convenient to allow anyone (guest) to access the application's components.
During deployment, you specify whether or not a web component is a protected resource. If the web component is unprotected, anyone may access it from their browser. If an unprotected web component accesses an enterprise bean, the authentication service assigns it a certificate for the guest user. Any subsequent calls to enterprise beans are associated with the guest user.
If a web component is protected, you may specify one of three types of authentication: basic, form, and certificate. With basic authentication, the server instructs the Web browser to prompt for the user name and password. With form authentication, you specify the .html form or .jsp file that prompts for the user name and password. With certificate authentication, the server requests a certificate from the browser. In all types of authentication, if the web component calls an enterprise bean, the call is associated with the authenticated user.
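The deployment-descriptor settings that make one web component unprotected and another protected, and that select the authentication type, as an added example that is not taken from this guide (the servlet class, URL patterns, role name and log-on page names are assumptions). It shows form authentication against the default realm; the BASIC and CLIENT-CERT alternatives are noted in the comments.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <!-- Unprotected component: no security-constraint matches /catalog/*,
       so any browser may reach it, and the enterprise beans it calls
       see the caller as the guest user. -->
  <servlet>
    <servlet-name>Catalog</servlet-name>
    <servlet-class>example.CatalogServlet</servlet-class> <!-- hypothetical class -->
  </servlet>
  <servlet-mapping>
    <servlet-name>Catalog</servlet-name>
    <url-pattern>/catalog/*</url-pattern>
  </servlet-mapping>

  <!-- Protected component: every GET or POST under /account/ requires an
       authenticated user in the "wing" role; guest is refused. Roles are
       mapped to realm users and groups (for example the wing group created
       with realmtool -addGroup wing) when the application is deployed. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>wing</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- One login-config per web application. auth-method is one of:
       BASIC       - the browser prompts for user name and password
       FORM        - your own .html or .jsp page prompts (needs form-login-config;
                     the form must POST fields j_username and j_password to
                     the action j_security_check)
       CLIENT-CERT - the server asks the browser for an X.509 certificate,
                     verified against the certificate realm -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logon-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>wing</role-name>
  </security-role>
</web-app>
```

An unprotected component is simply one that no security-constraint covers, so check that every URL pattern you intend to protect is listed; a pattern that is missed is reachable as guest.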
The realmtool utility is a command-line program that allows you to add and remove users in the default and certificate realms.
To display all users in the default realm, type this command:

    realmtool -list default

To add a user to the default realm you specify the -add flag. The following command will add a user named robin who is protected by the password red, and will include robin in the bird and wing groups:

    realmtool -add robin red bird,wing

To add a user to the certificate realm, you import a file containing the X.509 certificate that identifies the user:

    realmtool -import certificate-file

To remove a user you specify the -remove flag. For example, to remove a user named sparrow from the default realm, you would type the following command:

    realmtool -remove default sparrow

To add a group to the default realm you specify the -addGroup flag. The following command adds the wing group:

    realmtool -addGroup wing

(You cannot add a group to the certificate realm.)

To remove a group from the default realm, you specify the -removeGroup flag:

    realmtool -removeGroup wing