Securing Application Clients
Adding authorized users and groups to the appropriate Application Server realm
Specifying method permissions for enterprise beans
Configuring Interoperable Object References (IOR)
Read
for more information on securing the Duke's
Bank example.
Securing Application Clients
The Java EE authentication requirements for application clients are the same as for other Java
EE components, and the same authentication techniques can be used as for other Java EE
application components.
No authentication is necessary when accessing unprotected web resources. When accessing
protected web resources, the usual varieties of authentication can be used, namely HTTP basic
authentication (which only base64-encodes the password and so should be used over SSL),
SSL client certificate authentication, or HTTP form-based login. These authentication
methods are discussed in
Authentication is required when accessing protected enterprise beans. The authentication
mechanisms for enterprise beans are discussed in
Lazy authentication can be used.
An application client makes use of an authentication service provided by the application client
container for authenticating its users. The container's service can be integrated with the native
platform's authentication system, so that a single sign-on capability is employed. The container
can authenticate the user when the application is started, or it can use lazy authentication,
authenticating the user when a protected resource is accessed.
An application client can supply its own class to gather authentication data. That class must
implement the
javax.security.auth.callback.CallbackHandler
interface, and its fully qualified name must be
given in the application client's deployment descriptor (the callback-handler element of
application-client.xml). The application's callback handler must fully support the Callback
types defined in the javax.security.auth.callback package (for example NameCallback,
PasswordCallback, and TextOutputCallback).
Gathering authentication data in this way is discussed in the next section, Using Login Modules.
Using Login Modules
An application client can use the Java Authentication and Authorization Service (JAAS) to
create login modules for authentication. A JAAS-based application implements the
javax.security.auth.callback.CallbackHandler
interface so that the login module can prompt users for authentication data, such as user
names and passwords, and display error and warning messages to them.
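The following is an added example, not code from the Java EE 5 Tutorial or the Duke's Bank application. It shows both halves of the flow described above: a CallbackHandler that satisfies the NameCallback, PasswordCallback and TextOutputCallback objects a container (or login module) hands it and refuses any other Callback, and a JAAS LoginModule that drives that handler and populates the Subject. The package name "example", the login context name "DukesBankClient", the DemoLoginModule with its in-memory user table ("bankCustomer" / "duke") and the ClientPrincipal class are all assumptions made for the demo; in a deployed client the container's own login module talks to the Application Server realm instead, and only the callback-handler class is yours.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/*
 * Registered with the application client container in application-client.xml
 * (package name "example" is assumed):
 *   <callback-handler>example.ConsoleCallbackHandler</callback-handler>
 */
public class ConsoleCallbackHandler implements CallbackHandler {
    private final BufferedReader in = new BufferedReader(new InputStreamReader(System.in));

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof TextOutputCallback) {
                // The container asks us to show an information/warning/error message.
                System.err.println(((TextOutputCallback) cb).getMessage());
            } else if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                nc.setName(readLine(nc.getPrompt()));
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                // Prefer the console so the password is not echoed; fall back to stdin.
                char[] pw = System.console() != null
                        ? System.console().readPassword("%s", pc.getPrompt())
                        : readLine(pc.getPrompt()).toCharArray();
                pc.setPassword(pw);     // the callback keeps its own copy,
                Arrays.fill(pw, '\0');  // so wipe ours immediately
            } else {
                // Refuse callbacks we cannot satisfy instead of returning them empty.
                throw new UnsupportedCallbackException(cb, "Unsupported callback: " + cb);
            }
        }
    }

    private String readLine(String prompt) throws IOException {
        System.out.print(prompt);
        System.out.flush();
        String line = in.readLine();
        return line == null ? "" : line;
    }

    /** Principal placed in the Subject on successful login (assumed class, demo only). */
    public static class ClientPrincipal implements Principal {
        private final String name;
        public ClientPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "ClientPrincipal[" + name + "]"; }
    }

    /**
     * JAAS login module that drives the CallbackHandler. It checks credentials
     * against a constructed in-memory table so the demo runs offline; a real
     * module hands them to the container's realm and never compares them locally.
     */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = new HashMap<>();
        static { USERS.put("bankCustomer", "duke".toCharArray()); }  // constructed test data

        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler configured");
            NameCallback nc = new NameCallback("User name: ");
            PasswordCallback pc = new PasswordCallback("Password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("could not gather credentials: " + e);
            }
            char[] pw = pc.getPassword();   // returns a copy; clear the callback's own
            pc.clearPassword();
            char[] expected = USERS.get(nc.getName());
            succeeded = expected != null && pw != null && Arrays.equals(expected, pw);
            if (pw != null) Arrays.fill(pw, '\0');
            if (!succeeded) throw new LoginException("authentication failed");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (succeeded) subject.getPrincipals().add(new ClientPrincipal(user));
            return succeeded;
        }
        public boolean abort()  { succeeded = false; user = null; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Stand-in for the container: lazy authentication happens at lc.login(). */
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
        LoginContext lc = new LoginContext("DukesBankClient", new Subject(),
                new ConsoleCallbackHandler(), cfg);
        lc.login();  // prompts via the handler only now, i.e. when first needed
        System.out.println("Authenticated as " + lc.getSubject().getPrincipals());
    }
}
```

Run it with `javac ConsoleCallbackHandler.java && java ConsoleCallbackHandler` and enter the constructed credentials; a wrong password fails login() with a LoginException and leaves the Subject empty. Two points carry over to a real client: the handler must throw UnsupportedCallbackException for callback types it does not handle rather than leaving them unfilled, and passwords should be kept as char[] and wiped as soon as they have been passed on, since a String would stay in the heap until garbage collection.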
The Java EE 5 Tutorial · September 2007