Figure 6.5. Most common Java EE security management scenario using JAAS
As shown in figure 6.5, a user enters the application through the web tier. The web tier gathers authentication information from the user and authenticates the supplied credentials using JAAS against an underlying security system. A successful authentication results in a valid user Principal. At this point, the Principal is associated with one or more roles. For each secured web/EJB tier resource, the application server checks to see if the principal/role is authorized to access the resource. The Principal is transparently passed from the web tier to the EJB tier as needed.
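To make the flow in figure 6.5 concrete, here is an added example (not from the book or any application server) that walks through the same steps with the standard JAAS API: a LoginModule authenticates the supplied credentials, commit() attaches the user Principal and its roles to the Subject, and a helper reproduces the per-resource role check the container performs. The class and principal names (JaasRoleDemo, UserPrincipal, RolePrincipal), the in-memory user table and the in-code Configuration are assumptions made for the demo; it needs Java 17 or later.

```java
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical principal types; a real container supplies its own user and role/group principals.
record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
record RolePrincipal(String name) implements Principal { public String getName() { return name; } }

// Hypothetical LoginModule over a constructed in-memory table standing in for the "underlying
// security system". A real store holds salted password hashes, never plaintext as here.
public class JaasRoleDemo implements LoginModule {
    private static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    private static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("employee", "manager"));
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); } catch (Exception e) { throw new LoginException(e.getMessage()); }
        byte[] expected = PASSWORDS.getOrDefault(nc.getName(), "").getBytes();
        char[] pw = pc.getPassword();
        byte[] given = pw == null ? new byte[0] : new String(pw).getBytes();
        // constant-time compare, and the same failure whether the user is unknown or the password is wrong
        if (expected.length == 0 || !MessageDigest.isEqual(expected, given)) throw new FailedLoginException("bad credentials");
        pc.clearPassword(); user = nc.getName(); return true;
    }
    public boolean commit() {  // attach the authenticated Principal and its roles to the Subject
        subject.getPrincipals().add(new UserPrincipal(user));
        ROLES.getOrDefault(user, Set.of()).forEach(r -> subject.getPrincipals().add(new RolePrincipal(r)));
        return true; }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Mirrors the per-resource check the container performs (isUserInRole / isCallerInRole).
    static boolean isCallerInRole(Subject s, String role) {
        return s.getPrincipals(RolePrincipal.class).stream().anyMatch(p -> p.getName().equals(role));
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration() {  // in-code JAAS configuration instead of a jaas.conf file
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] {
                new AppConfigurationEntry(JaasRoleDemo.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
        CallbackHandler creds = cbs -> { for (Callback c : cbs) {  // the web tier fills these from the login form
            if (c instanceof NameCallback n) n.setName("alice");
            else if (c instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray()); } };
        LoginContext lc = new LoginContext("WebTier", null, creds, cfg);
        lc.login();  // runs login() then commit(); a wrong password ends in LoginException after abort()
        System.out.println("manager? " + isCallerInRole(lc.getSubject(), "manager") + "  admin? " + isCallerInRole(lc.getSubject(), "admin"));
    }
}
```

Compile with `javac JaasRoleDemo.java` and run `java JaasRoleDemo`; the first check succeeds because "manager" is among alice's roles, the second fails, which is exactly the decision the server makes before letting a Principal reach a secured web or EJB resource.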
A detailed discussion of web tier authentication and authorization is beyond the scope of
this topic, as is the extremely rare scenario of standalone EJB authentication using JAAS.
But we'll give you a basic outline of web-tier security to serve as a starting point for further
investigation before diving into authorization management in EJB 3.
Web-tier authentication and authorization
The web-tier servlet specification (http://java.sun.com/products/servlet) successfully hides many low-level details for both authentication and authorization. As a developer, you simply need to tell the servlet container what resources you want secured and how they're