
Securing Application Clients



Adding authorized users and groups to the appropriate Application Server realm
Specifying method permissions for enterprise beans
Configuring Interoperable Object References (IOR)
Read Chapter 37, "The Duke's Bank Application," for more information on securing the Duke's Bank example.
Securing Application Clients
The Java EE authentication requirements for application clients are the same as for other Java EE components, and the same authentication techniques can be used as for other Java EE application components.
No authentication is necessary when accessing unprotected web resources. When accessing protected web resources, the usual varieties of authentication can be used, namely HTTP basic authentication, SSL client authentication, or HTTP login form authentication. These authentication methods are discussed in "Specifying an Authentication Mechanism" on page 858.
Authentication is required when accessing protected enterprise beans. The authentication mechanisms for enterprise beans are discussed in "Securing Enterprise Beans" on page 798.
Lazy authentication can be used.
An application client makes use of an authentication service provided by the application client container for authenticating its users. The container's service can be integrated with the native platform's authentication system, so that a single sign-on capability is employed. The container can authenticate the user when the application is started, or it can use lazy authentication, authenticating the user when a protected resource is accessed.
An application client can provide a class to gather authentication data. If so, the javax.security.auth.callback.CallbackHandler interface must be implemented, and the class name must be specified in its deployment descriptor. The application's callback handler must fully support Callback objects specified in the javax.security.auth.callback package. Gathering authentication data in this way is discussed in the next section, "Using Login Modules" on page 832.
Using Login Modules
An application client can use the Java Authentication and Authorization Service (JAAS) to create login modules for authentication. A JAAS-based application implements the javax.security.auth.callback.CallbackHandler interface so that it can interact with users to enter specific authentication data, such as user names or passwords, or to display error and warning messages.
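As an added illustration of the callback handler that both the previous section and this one describe (example code, not code from the tutorial), here is a minimal console-based CallbackHandler for an application client. The class name ConsoleCallbackHandler is an assumption; it handles the NameCallback, PasswordCallback and TextOutputCallback cases and rejects any other Callback with UnsupportedCallbackException rather than ignoring it.

```java
import java.io.Console;
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

// Hypothetical console-based CallbackHandler for an application client (added example).
public class ConsoleCallbackHandler implements CallbackHandler {

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        Console console = System.console();
        if (console == null) {
            // Without a real console the password echo cannot be suppressed; refuse rather than leak
            throw new IOException("No interactive console available");
        }
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                // "%s" keeps the container-supplied prompt out of the format string
                nc.setName(console.readLine("%s", nc.getPrompt()));
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pw = console.readPassword("%s", pc.getPrompt()); // read without echo
                if (pw == null) throw new IOException("End of input while reading password");
                pc.setPassword(pw);    // the callback stores its own copy of the array
                Arrays.fill(pw, '\0'); // wipe our copy as soon as it has been handed over
            } else if (cb instanceof TextOutputCallback) {
                TextOutputCallback tc = (TextOutputCallback) cb;
                System.err.println(level(tc.getMessageType()) + tc.getMessage());
            } else {
                // Unknown callbacks must be reported to the container, not silently skipped
                throw new UnsupportedCallbackException(cb, "Unsupported callback");
            }
        }
    }

    // Map the TextOutputCallback message type to a prefix for the user
    private static String level(int type) {
        switch (type) {
            case TextOutputCallback.ERROR:   return "ERROR: ";
            case TextOutputCallback.WARNING: return "WARNING: ";
            default:                         return "INFO: ";
        }
    }
}
```

In Java EE 5 the handler is registered by naming the class in the callback-handler element of the client's application-client.xml deployment descriptor.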
The Java EE 5 Tutorial · September 2007
832