Chapter 15: Security

Overview

As a J2EE server, Geronimo needs to manage the execution of a variety of software components on behalf of many users. Great care is taken to ensure that a user can only access the allowable code, system resources, and data. This access control is performed through Geronimo’s flexible security system.

The basic facets of J2EE security serve some real practical purposes, including the following:

• Determining if you are who you claim to be - this is called authentication.

• Enabling you to access only the resources that you are explicitly allowed to - this is called authorization.

Obviously, Geronimo must authenticate you before it can authorize you to access specific resources.

Authentication and authorization in Geronimo leverage the features of the Java Authentication and Authorization Service (JAAS) and Java Authorization Contract for Containers (JACC) API specifications.

Geronimo provides a rich set of configurable components, together with a robust security model, allowing you to flexibly adapt the system to your specific security requirements.

This chapter explores how Geronimo delivers on this flexibility and adaptability through the Geronimo security architecture.

Key security components in this architecture, as well as their model of interaction and configuration, are covered in detail within this chapter. Concepts and components coverage includes the following:

• Security realms

• Login modules

• Login domains

• J2EE security descriptor

• Geronimo-specific security descriptor

You will see how to apply Geronimo security in your applications by creating customized security realms and configuring security descriptors in your deployment plans.

After reading this chapter, you will have a solid understanding of how security works in Geronimo and how to effectively secure your applications.