Chapter 7 Security
[Figure 7.2: Protection Domain Established by Authentication Boundaries. Diagram labels: Protection Domain, components c1 to c4, Authentication or Anonymous, Trust.]
7.2.1.2 Web Tier Authentication
Developers can specify that authentication be performed on the Web tier when certain components and resources are accessed, in which case the authentication is handled by the J2EE Web container. J2EE Web containers must support three different authentication mechanisms:

HTTP basic authentication: The Web server authenticates a principal using the username and password obtained from the Web client. The username and password are included in the HTTP headers and are handled at the transport layer.

Form-based authentication: A developer can customize a form for entering username and password information, and then use this form to pass the information to the J2EE Web container. This type of authentication, geared toward Web page presentation applications, is not used for Web services.

HTTPS mutual authentication: Both the client and the server use digital certificates to establish their identity, and authentication occurs over a channel protected by Secure Sockets Layer.

Generally, for Web tier authentication, the developer specifies an authorization constraint to designate those Web resources (such as Web service endpoints, HTML documents, Web components, image files, archives, and so forth) that need to be protected. When a user tries to access a protected Web resource, the Web container applies the particular authentication mechanism (either basic,