Initial Authentication

Since the client has not yet authenticated itself to the application environment, the server responsible for delivering the web portion of the application (hereafter referred to as web server) detects this and invokes the appropriate authentication mechanism for this resource. For more information on these mechanisms, read "Security Implementation Mechanisms" on page 771.
Step 2: Initial Authentication
The web server returns a form that the web client uses to collect authentication data (for example, user name and password) from the user. The web client forwards the authentication data to the web server, where it is validated by the web server, as shown in Figure 28-2.
The validation mechanism may be local to a server, or it may leverage the underlying security
services. On the basis of the validation, the web server sets a credential for the user.
Step 3: URL Authorization
The credential is used for future determinations of whether the user is authorized to access restricted resources it may request. The web server consults the security policy (derived from the deployment descriptor) associated with the web resource to determine the security roles that are permitted access to the resource. The web container then tests the user's credential against each role to determine if it can map the user to the role. Figure 28-3 shows this process.
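The following is an added example, not code from the Java EE tutorial, that models Steps 2 and 3 above in plain Python: the security policy is derived from a constructed, deliberately simplified web.xml (namespace and web-resource-name elements omitted), form authentication data is validated against a constructed user store (PBKDF2 hashing is the example's choice, not something the tutorial prescribes), and URL authorization tests the resulting credential against the roles the policy permits. The url-pattern matching and constraint-combination rules (exact match beats path prefix, an empty auth-constraint precludes access, a missing auth-constraint leaves the resource open) are the Servlet specification rules paraphrased; a real container implements them for you.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed, simplified web.xml (namespace and resource names omitted for brevity).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>customer</role-name><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/legacy/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page></form-login-config>
  </login-config>
</web-app>"""


def load_policy(web_xml):
    """Derive the security policy from the deployment descriptor.

    Returns ([(url_patterns, roles)], form_login_page); roles is None when the
    constraint has no <auth-constraint> (open) and () when it is empty (nobody).
    """
    root = ET.fromstring(web_xml)
    policy = []
    for sc in root.findall("security-constraint"):
        patterns = tuple(p.text for p in sc.findall("web-resource-collection/url-pattern"))
        ac = sc.find("auth-constraint")
        roles = None if ac is None else tuple(r.text for r in ac.findall("role-name"))
        policy.append((patterns, roles))
    return policy, root.findtext("login-config/form-login-config/form-login-page")


# Constructed user store: salted PBKDF2 hash and the security roles of each user.
_SALT = os.urandom(16)


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": (_hash("correct horse"), {"admin"}), "bob": (_hash("bob-pass"), {"customer"})}


def authenticate(username, password):
    """Step 2: validate the form data; on success the server sets a credential."""
    candidate = _hash(password)  # hash even for unknown users so timing is uniform
    entry = USERS.get(username)
    if entry is None or not hmac.compare_digest(entry[0], candidate):
        return None
    return {"user": username, "roles": set(entry[1])}  # the credential


def specificity(pattern, path):
    """Servlet URL matching: exact beats path prefix, longer prefix beats shorter."""
    if pattern == path:
        return (2, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
    return None


def permitted_roles(policy, path):
    """Roles allowed at path: None if unrestricted, empty set if precluded for everyone."""
    best = max(((specificity(p, path), p) for patterns, _ in policy for p in patterns
                if specificity(p, path) is not None), default=None)
    if best is None:
        return None
    applicable = [roles for patterns, roles in policy if best[1] in patterns]
    if any(roles == () for roles in applicable):
        return set()  # an empty auth-constraint overrides every other constraint
    if any(roles is None for roles in applicable):
        return None  # a constraint without auth-constraint leaves the resource open
    return set().union(*applicable)


def handle_request(policy, login_page, credential, path):
    """Step 3: test the credential against each role the policy permits."""
    roles = permitted_roles(policy, path)
    if roles is None:
        return (200, path)
    if not roles:
        return (403, path)
    if credential is None:
        return (302, login_page)  # not yet authenticated: the container serves the form
    if "*" in roles or roles & credential["roles"]:
        return (200, path)
    return (403, path)
```

Calling `handle_request` with no credential for `/admin/users` yields a redirect to `/login.jsp` (Step 2 begins); after `authenticate("alice", "correct horse")` the same request is permitted, while bob, who holds only the customer role, receives 403, and `/legacy/*` is refused to everyone because its auth-constraint names no roles.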
FIGURE 28-1 Initial Request: the web client requests access to a protected resource on the web server.
FIGURE 28-2 Initial Authentication: the web server returns a form, the web client sends the authentication data, and the web server sets a credential.
Overview of Java EE Security
Chapter 28 · Introduction to Security in the Java EE Platform
767