Securing Application Clients
The Java EE authentication requirements for application clients are the same as for other
Java EE components, and the same authentication techniques can be used as for other Java
EE application components. No authentication is necessary when accessing unprotected
web resources.
When accessing protected web resources, the usual varieties of authentication can be used:
HTTP basic authentication, HTTP login-form authentication, or SSL client authentication.
“Specifying an Authentication Mechanism in the Deployment Descriptor” in The Java EE 6 Tutorial: Basic Concepts describes how to specify HTTP basic authentication and HTTP login-form authentication. “Client Authentication” on page 316 describes how to specify SSL client authentication.
Authentication is required when accessing protected enterprise beans. The authentication mechanisms for enterprise beans are discussed in “Securing Enterprise Beans” in The Java EE 6 Tutorial: Basic Concepts.
An application client makes use of an authentication service provided by the application client container for authenticating its users. The container's service can be integrated with the native platform's authentication system so that a single sign-on capability is used. The container can authenticate the user either when the application is started or when a protected resource is accessed.
An application client can provide its own class (the tutorial refers to it as a login module) to gather authentication data. If so, that class must implement the javax.security.auth.callback.CallbackHandler interface, and its fully qualified class name must be specified in the application client's deployment descriptor (the callback-handler element of application-client.xml). The application's callback handler must fully support the Callback objects specified in the javax.security.auth.callback package: it must fill in the ones it recognizes and reject the ones it does not by throwing UnsupportedCallbackException, rather than silently ignoring them.
Using Login Modules
An application client can use the Java Authentication and Authorization Service (JAAS) to create login modules for authentication. A JAAS-based application implements the javax.security.auth.callback.CallbackHandler interface so that it can interact with users to enter specific authentication data, such as user names or passwords, or to display error and warning messages.
Applications implement the CallbackHandler interface and pass it to the login context, which forwards it directly to the underlying login modules. A login module uses the callback handler both to gather input, such as a password or smart card PIN, from users and to supply information, such as status information, to users. Because the application
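The following is an added example, not code from the tutorial or from the application client container. It shows a console-based CallbackHandler of the kind described above and in the preceding section, together with a main method that plays the role of the login module driving it. The class name ConsoleCallbackHandler is hypothetical; in a real application client it would be the name placed in the callback-handler element of application-client.xml. The handler answers NameCallback and PasswordCallback, prints TextOutputCallback messages, and throws UnsupportedCallbackException for any other Callback, which is the behaviour the contract requires.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.io.Reader;
import java.util.Arrays;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Added example. Hypothetical class name; an application client would list it in
// the callback-handler element of application-client.xml so the container can
// instantiate it when a login module needs input from the user.
public class ConsoleCallbackHandler implements CallbackHandler {

    private final BufferedReader in;
    private final PrintStream out;

    // The container calls the no-argument constructor.
    public ConsoleCallbackHandler() {
        this(new InputStreamReader(System.in), System.out);
    }

    // Injectable streams so the handler can be exercised without a real console.
    ConsoleCallbackHandler(Reader in, PrintStream out) {
        this.in = new BufferedReader(in);
        this.out = out;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof TextOutputCallback) {
                // Login module -> user: status, warning or error text.
                TextOutputCallback toc = (TextOutputCallback) cb;
                String level;
                switch (toc.getMessageType()) {
                    case TextOutputCallback.ERROR:   level = "ERROR";   break;
                    case TextOutputCallback.WARNING: level = "WARNING"; break;
                    default:                         level = "INFO";
                }
                out.println(level + ": " + toc.getMessage());
            } else if (cb instanceof NameCallback) {
                // User -> login module: the user name.
                NameCallback nc = (NameCallback) cb;
                out.print(nc.getPrompt());
                out.flush();
                String name = in.readLine();
                if (name == null) throw new IOException("input closed before a user name was entered");
                nc.setName(name.trim());
            } else if (cb instanceof PasswordCallback) {
                // User -> login module: the password, kept as char[] so it can be scrubbed.
                PasswordCallback pc = (PasswordCallback) cb;
                out.print(pc.getPrompt());
                out.flush();
                String line = in.readLine();
                if (line == null) throw new IOException("input closed before a password was entered");
                char[] password = line.toCharArray();
                pc.setPassword(password);     // PasswordCallback stores its own copy
                Arrays.fill(password, '\0');  // scrub the local copy
            } else {
                // Required by the contract: refuse callbacks this handler does not understand.
                throw new UnsupportedCallbackException(cb,
                        "Unrecognized callback " + cb.getClass().getName());
            }
        }
    }

    // Stands in for a login module: builds the callbacks, hands them to the handler,
    // then reads back what the user supplied.
    public static void main(String[] args) throws Exception {
        CallbackHandler handler = new ConsoleCallbackHandler();
        NameCallback nameCb = new NameCallback("User name: ");
        PasswordCallback passCb = new PasswordCallback("Password: ", false);
        handler.handle(new Callback[] {
            new TextOutputCallback(TextOutputCallback.INFORMATION,
                    "Authenticating to the application server"),
            nameCb,
            passCb });
        char[] pw = passCb.getPassword();   // returns a copy
        System.out.println("login module received user '" + nameCb.getName()
                + "' and a " + (pw == null ? 0 : pw.length) + "-character password");
        passCb.clearPassword();             // wipe the callback's copy
        if (pw != null) Arrays.fill(pw, '\0');
    }
}
```

Two points a practitioner would check in a real handler: the password branch above echoes input because it reads System.in through a BufferedReader, so when System.console() is available and pc.isEchoOn() is false, use Console.readPassword() instead; and passwords stay in char[] rather than String so that both the handler's copy and the callback's copy can be zeroed once the login module has consumed them.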