Application Component Providers determine what application resources should have restricted access. For instance, not all users can access some image files, HTML documents, and so on. At the Web-tier, when a user tries to access a protected Web resource, the Web container prompts the user for a password and username. If the user has an identity that has permission to access the resource, the user can continue. Otherwise, the Web container rejects the request.

Configuring the Web-tier for authentication

The container uses the authentication mechanism defined in the deployment descriptor. The three types of authentication mechanisms that a J2EE Web container must support are as follows:
Web containers may also support HTTP digest authentication. The Web client sends the Web server a message digest along with the HTTP request message. The HTTP request message and the client's password are combined in a one-way hash to compute the message digest. In addition, there are hybrid authentication mechanisms in which an SSL channel is used for either HTTP basic, form-based, or HTTP digest authentication. Running these authentication protocols over an SSL session protects the password and all message content for confidentiality. The following example demonstrates how to configure HTTP basic authentication over SSL using the transport-guarantee element (the closing security-constraint tag, missing in the original, is restored here):

    <web-app>
      <security-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    </web-app>

In order for the client authenticator to be fully protected when using hybrid authentication, the transport-guarantee element of each protected resource should be set to CONFIDENTIAL.

Exploring Web-tier authentication issues

As discussed earlier, there are several ways to authenticate users in the Web-tier. You, however, must be careful about how applications (multitier and multicomponent) and their resources are protected and used. For instance, the Web-tier does not authenticate a user unless the user is accessing a protected resource (this is known as lazy authentication), but an unprotected Web resource may still call protected EJB resources. In addition, a Web resource usually has a link to another Web resource. If the link is relative, the HTTP container protects access to the linked resource based on the current resource's security properties. When the link is absolute, the HTTP client ignores the context of the current resource and accesses the linked resource based on the URL. For instance, if the URL starts with http://, the request is tried over an insecure transport.
If the URL starts with https:// , a secure session is established with the server before the request is sent.
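The two rules above (every protected resource should carry a CONFIDENTIAL transport guarantee, and absolute http:// links silently leave the secure session) are easy to check mechanically. The following script is an added example, not code from the book: it audits a constructed web.xml for security-constraints that require authentication but lack a CONFIDENTIAL guarantee, and it classifies the links on a constructed HTML page served over https:// into relative (inherit the page's scheme), absolute-secure and absolute-insecure. The descriptor, the page and the URL shop.example are all made up for the example; the descriptor follows the 2.3-era DTD layout but the lookup is namespace-agnostic so later schema-based descriptors are handled too.

```python
"""Audit checks for Web-tier hybrid authentication (added example).

1. audit_web_xml: every <security-constraint> with an <auth-constraint>
   should also declare <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
2. classify_links: relative links inherit the current page's scheme,
   absolute http:// links do not and would send the request in the clear.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample descriptor (not from the book): the first constraint is
# correct, the second protects /admin/* but forgets the transport guarantee,
# the third only asks for INTEGRAL (integrity, not confidentiality).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>customer</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example</realm-name>
  </login-config>
</web-app>
"""

# Constructed sample page (not from the book), served from an https:// URL.
PAGE_URL = "https://shop.example/account/summary.jsp"
PAGE_HTML = """<html><body>
<a href="orders.jsp">Orders</a>
<a href="/account/profile.jsp">Profile</a>
<a href="http://shop.example/account/payment.jsp">Payment</a>
<a href="https://shop.example/help/index.html">Help</a>
<a href="http://partner.example/promo">Promo</a>
</body></html>"""


def _local(tag):
    """Strip a namespace prefix so the check also works on namespaced descriptors."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Return (url_patterns, finding) for each authenticated resource whose
    transport guarantee is missing or weaker than CONFIDENTIAL."""
    findings = []
    for sc in _children(ET.fromstring(xml_text), "security-constraint"):
        # Resources without an auth-constraint never receive credentials.
        if not _children(sc, "auth-constraint"):
            continue
        patterns = tuple(
            p.text.strip()
            for wrc in _children(sc, "web-resource-collection")
            for p in _children(wrc, "url-pattern")
        )
        guarantee = None
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                guarantee = (tg.text or "").strip() or None
        if guarantee is None:
            findings.append((patterns, "no transport-guarantee: credentials may travel over plain HTTP"))
        elif guarantee != "CONFIDENTIAL":
            findings.append((patterns, f"transport-guarantee is {guarantee}, not CONFIDENTIAL"))
    return findings


class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify_links(page_url, html):
    """Group the page's links by how the browser would fetch them:
    relative links resolve against the page (keeping https), absolute
    links use their own scheme regardless of the current page."""
    collector = _LinkCollector()
    collector.feed(html)
    result = {"relative": [], "absolute_secure": [], "absolute_insecure": []}
    for href in collector.hrefs:
        resolved = urljoin(page_url, href)  # what the browser would request
        scheme = urlsplit(href).scheme
        if not scheme:
            result["relative"].append(resolved)
        elif scheme == "https":
            result["absolute_secure"].append(resolved)
        else:
            result["absolute_insecure"].append(resolved)
    return result


if __name__ == "__main__":
    for patterns, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(", ".join(patterns), "->", finding)
    for kind, urls in classify_links(PAGE_URL, PAGE_HTML).items():
        print(kind, urls)
```

Run against the constructed inputs, the audit reports /admin/* and /account/*, and the link check flags the two http:// links (including the one pointing back at the same host) as the places where a session established over SSL would fall back to an insecure transport.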
Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222
Authors: Rich Helton, Johennie Helton