Using Authentication

  

Application Component Providers determine which application resources should have restricted access; for instance, not every user may be allowed to retrieve a given image file or HTML document. In the Web tier, when a user tries to access a protected Web resource, the Web container challenges the user for a username and password. If the authenticated identity has permission to access the resource, the request proceeds; otherwise, the Web container rejects it. Note that this is two steps: the container first establishes who the caller is (authentication) and then checks what that identity may do (authorization).

Configuring the Web-tier for authentication

The container uses the authentication mechanism defined in the deployment descriptor (the <login-config> element of web.xml). The three authentication mechanisms that a J2EE Web container must support are as follows:

  • HTTP basic authentication : The Web browser displays a username and password dialog box, and the Web client sends the principal's username and password to the Web server, which checks them against the realm. On its own this is not a secure mechanism: the credentials cross the network in cleartext (the Base64 encoding of the Authorization header is not encryption), and the client gets no assurance about the identity of the server it is talking to. The following code fragment shows how to define basic authentication in the application's web.xml file:

     <web-app>
         <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>myrealm</realm-name>
         </login-config>
     </web-app>
  • Form-based authentication : This allows the application to present its own user interface (an HTML form) for collecting the credentials. It is no more secure than basic authentication: the Web server is still not authenticated, and the username and password are submitted as plaintext form fields.

    The following code fragment shows how to define form-based authentication in the application's web.xml file:

     <web-app>
         <login-config>
             <auth-method>FORM</auth-method>
             <form-login-config>
                 <form-login-page>/login.jsp</form-login-page>
                 <form-error-page>/fail_login.html</form-error-page>
             </form-login-config>
         </login-config>
     </web-app>

    The resource used to generate the HTML form may be an HTML page, a JSP, or a servlet, and is named in the <form-login-page> element. The form must submit its fields under the names j_username and j_password , and its action attribute must be j_security_check (the container intercepts that URL and performs the login; the application never sees the password). Here is an example of the HTML code:

     <form method="POST" action="j_security_check">
         <input type="text" name="j_username">
         <input type="password" name="j_password">
         <input type="submit" value="Log in">
     </form>
  • HTTPS mutual authentication : Both the Web client and the Web server present X.509 certificates to establish their identities, and the two authenticate each other while setting up the SSL channel. The container then takes the user's identity from the client certificate rather than from a password. The following code example configures the container to authenticate requests by client certificate:

     <web-app>
         <login-config>
             <auth-method>CLIENT-CERT</auth-method>
         </login-config>
     </web-app>

Web containers may also support HTTP digest authentication (auth-method DIGEST ). Instead of the password, the Web client sends the Web server a message digest along with the HTTP request: a one-way hash (MD5, as specified by the Digest scheme) computed over the username, the realm, the password, a nonce chosen by the server, and the request method and URI. The server recomputes the digest from its own copy of the password (or of the hashed username:realm:password value) and compares the two. The password itself therefore never crosses the wire, but a captured digest can still be attacked offline by guessing passwords, and the server remains unauthenticated.
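The following is an added example (not code from the book) that makes the difference between the basic and digest mechanisms concrete. It builds and decodes a Basic Authorization header to show that an eavesdropper recovers the password directly, then computes and verifies an RFC 2617 Digest response (qop=auth) to show that only a request-bound hash is sent. The digest values are the worked vector from RFC 2617 section 3.5 (user Mufasa, password "Circle Of Life"); the server-side lookup and the set of issued nonces are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re


# ---- HTTP Basic: the credential is encoded, not protected ----

def build_basic(username, password):
    """Build the Authorization header value a browser sends for Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic(authorization):
    """Recover the plaintext username and password from a Basic header value.
    Anyone who can read the request on the wire (no SSL) can do exactly this."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


# ---- HTTP Digest (RFC 2617, qop=auth): the password itself never crosses the wire ----

def _md5(s):
    # MD5 is what the Digest scheme specifies; it is not a choice made here.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). A server may store this instead of the password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    Binding the server nonce, method and URI into the hash ties the credential to one request."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(authorization):
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and unquoted values)."""
    scheme, _, params = authorization.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {key: quoted if quoted else bare for key, quoted, bare in _PARAM.findall(params)}


def verify_digest(authorization, method, ha1_lookup, issued_nonces):
    """Server side: recompute the response from the stored HA1 and compare.

    ha1_lookup(username, realm) returns the stored HA1 or None (assumed interface);
    issued_nonces is the set of nonces this server handed out in WWW-Authenticate.
    A production server would also track the nonce count (nc) per nonce to stop replays."""
    p = parse_digest(authorization)
    if p.get("nonce") not in issued_nonces:
        return False  # a nonce we never issued: stale, forged or replayed
    ha1 = ha1_lookup(p.get("username"), p.get("realm"))
    if ha1 is None:
        return False
    try:
        expected = digest_response(ha1, method, p["uri"], p["nonce"], p["nc"],
                                   p["cnonce"], p.get("qop", "auth"))
    except KeyError:
        return False  # a required directive is missing
    return hmac.compare_digest(expected, p.get("response", ""))


# Worked vector from RFC 2617 section 3.5 (password "Circle Of Life").
RFC_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_AUTHORIZATION = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    f'nonce="{RFC_NONCE}", uri="/dir/index.html", qop=auth, nc=00000001, '
    'cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def demo():
    """Basic hands the eavesdropper the password; Digest only a request-bound hash."""
    basic = build_basic("Mufasa", "Circle Of Life")
    stored = {("Mufasa", "testrealm@host.com"):
              digest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
    verified = verify_digest(RFC_AUTHORIZATION, "GET",
                             lambda u, r: stored.get((u, r)), {RFC_NONCE})
    return parse_basic(basic), verified


if __name__ == "__main__":
    print(demo())
```

Changing the method from GET to POST, or presenting a nonce the server never issued, makes verify_digest return False even though the username and password are right, which is the point of the nonce and the method/URI binding. Neither mechanism authenticates the server, and a captured Digest response is still a hash of a guessable password, so both belong behind SSL in practice.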

In addition, there are hybrid authentication mechanisms in which an SSL channel carries HTTP basic, form-based, or HTTP digest authentication. Running these protocols over an SSL session protects the credentials and the rest of the exchange from eavesdropping and tampering, and lets the client authenticate the server through the server's certificate. The following example demonstrates how to configure HTTP basic authentication over SSL using the transport-guarantee element of a security constraint:

 <web-app>
     <login-config>
         <auth-method>BASIC</auth-method>
         <realm-name>myrealm</realm-name>
     </login-config>
     <security-constraint>
         <!-- the URLs this constraint applies to -->
         <web-resource-collection>
             <web-resource-name>Protected area</web-resource-name>
             <url-pattern>/secure/*</url-pattern>
         </web-resource-collection>
         <!-- any authenticated role -->
         <auth-constraint>
             <role-name>*</role-name>
         </auth-constraint>
         <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>
 </web-app>

When using hybrid authentication, the transport-guarantee element of every protected resource should be set to CONFIDENTIAL so that the client's credentials are never sent over plain HTTP. The guarantee applies only to the URL patterns named in the constraint: the login page itself and any URL left outside every constraint can still be served over cleartext, so they must be covered as well.

Exploring Web-tier authentication issues

As discussed earlier, there are several ways to authenticate users in the Web tier. You must, however, be careful about how applications (multitier and multicomponent) and their resources are protected and used. For instance, the Web tier does not authenticate a user until the user requests a protected resource (this is known as lazy authentication ), so an unprotected Web resource runs on behalf of an unauthenticated caller, and it may still call EJB resources. Whether such a call reaches a protected EJB method then depends entirely on the EJB tier's own method permissions and on whether the deployer gave the Web component a run-as identity; the Web tier's configuration offers no protection here.

In addition, a Web resource usually contains links to other Web resources, and it is the browser, not the container, that decides how such a link is fetched. If the link is relative , the browser resolves it against the URL of the current document, so the linked resource is requested with the same scheme (and host) as the page that contains the link. When the link is absolute , the browser ignores the context of the current page and uses the scheme given in the URL. If the URL starts with http:// , the request is sent over an insecure transport, even from a page that was served over SSL; if it starts with https:// , a secure session is established with the server before the request is sent.

Tip  

The application deployer should configure both the current and the linked resource with a CONFIDENTIAL transport guarantee, so that the container enforces a protected transport for each of them. Even then, an absolute http:// link in a page will make the browser issue one cleartext request (carrying any cookie not marked Secure) before the container can redirect or reject it, so such links should be removed from pages served over SSL.
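The following is an added example (not code from the book) that performs the check the discussion of relative and absolute links calls for. It resolves every link, form action and script reference in a page the way a browser does, using the standard library's urljoin, and reports the ones that would be fetched over plain http:// from a page served over SSL. The page URL and the HTML are a constructed sample; a real audit would feed it the pages returned by the container.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch, or post to, another URL.
_REF_ATTRS = {"a": "href", "link": "href", "form": "action",
              "script": "src", "img": "src", "iframe": "src"}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        want = _REF_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.refs.append(value)


def resolve_refs(page_url, html):
    """Resolve every reference the way the browser will: relative references are
    joined to the current document's URL and inherit its scheme, absolute ones
    bring their own. Returns (raw_ref, resolved_url, scheme_inherited) in order."""
    parser = _RefCollector()
    parser.feed(html)
    return [(ref, urljoin(page_url, ref), urlsplit(ref).scheme == "")
            for ref in parser.refs]


def cleartext_refs(page_url, html):
    """Resolved URLs the browser would request over plain http://.
    On an https:// page each one is a downgrade: the request, and any session
    cookie not marked Secure, leaves the SSL session before the container can
    redirect or reject it."""
    return [resolved for _, resolved, _ in resolve_refs(page_url, html)
            if urlsplit(resolved).scheme == "http"]


# Constructed sample: a protected page served over SSL whose author mixed
# relative links with absolute http:// ones, including the login form action.
PAGE_URL = "https://bank.example/account/index.jsp"
SAMPLE_HTML = """
<html><body>
<a href="summary.jsp">Summary</a>
<a href="/account/transfer.jsp">Transfer</a>
<script src="//static.example/app.js"></script>
<a href="http://bank.example/help.jsp">Help</a>
<form method="POST" action="http://bank.example/j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
</form>
<a href="https://bank.example/logout.jsp">Log out</a>
</body></html>
"""

if __name__ == "__main__":
    for ref, resolved, inherited in resolve_refs(PAGE_URL, SAMPLE_HTML):
        kind = "relative" if inherited else "absolute"
        print(f"{kind:8} {ref:40} -> {resolved}")
    print("cleartext:", cleartext_refs(PAGE_URL, SAMPLE_HTML))
```

In the sample, the three relative references (including the scheme-relative //static.example one) inherit https://, while the absolute http:// help link and, worse, the http:// action of the j_security_check form are flagged: the latter would post j_username and j_password in the clear no matter how the login page itself was served.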

Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222