5.1.2: The WebSphere authentication model
Authentication is the process of determining if a user is who the user claims to be. WebSphere Application Server authenticates users by using one of several authentication mechanisms.
J2EE does not specify how to authenticate to an enterprise-bean container. However, WebSphere uses the Secure Association Service (SAS) to authenticate Java clients to enterprise beans.
The authentication mechanism for Web resources is specified by using the login-config element of the web.xml deployment descriptor for the Web application. Each Web application in an enterprise application can have a different login-config value specified. Here is an example of a login-config element where form login is specified:
<login-config>
    <!-- FORM selects form-based login; BASIC is the other supported value -->
    <auth-method>FORM</auth-method>
    <realm-name>Example Form-Based Authentication</realm-name>
    <form-login-config>
        <!-- page that presents the login form to the user -->
        <form-login-page>/login.html</form-login-page>
        <!-- page shown when the submitted credentials are rejected -->
        <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
</login-config>
The servlet specification identifies the following authentication methods:
- Basic authentication: This is the familiar style of authentication in which the Web browser presents a dialog window requesting the user to enter a user ID and password when the user attempts to access a protected Web resource. After the user provides the identifier and password, the security service validates them against a database of known users, the user registry. If the user-provided information is valid, the security system considers the user authenticated. In this edition, the registry must be the local operating-system registry.
- Digest authentication: This authentication mechanism is not supported by WebSphere. You must specify one of the other authentication mechanisms.
- Form-based authentication: This authentication mechanism permits a site-specific login through an HTML page or a JSP form.
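The login-config element above only chooses how a user is challenged; on its own it protects nothing. As an added example (not taken from the InfoCenter page or from WebSphere's own samples), the following web.xml places that element in context with the security-constraint that actually triggers authentication for a URL pattern and with the security-role it refers to. The /secure/* pattern, the "member" role name and the page names are assumptions chosen for illustration; the element names and their order follow the Servlet 2.3 web-app DTD.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
    <display-name>Form login example (added illustration)</display-name>

    <!-- 1. Which resources are protected, and who may reach them. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Member area</web-resource-name>
            <!-- assumed pattern; login.html and error.jsp live outside it,
                 so the unauthenticated user can still be shown the form -->
            <url-pattern>/secure/*</url-pattern>
            <!-- no http-method elements: the constraint then applies to
                 every HTTP method instead of only the ones listed -->
        </web-resource-collection>
        <auth-constraint>
            <!-- assumed role; must match a security-role below -->
            <role-name>member</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- both BASIC and FORM send the password in clear text in the
                 request, so require an SSL connection for these URLs -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- 2. How the user is challenged: the login-config from the text. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <!-- To use the browser's dialog instead, replace the block above with:
         <login-config>
             <auth-method>BASIC</auth-method>
             <realm-name>Example Basic Authentication</realm-name>
         </login-config> -->

    <!-- 3. The role named in auth-constraint, mapped to registry users
            or groups at deployment time. -->
    <security-role>
        <role-name>member</role-name>
    </security-role>
</web-app>
```

With FORM selected, the container expects /login.html to POST the fields j_username and j_password to the action j_security_check; those names are fixed by the servlet specification, not by the application. The CONFIDENTIAL transport guarantee matters for both methods: basic authentication sends the user ID and password base64-encoded in every request, and a form login sends them once, but neither is encrypted by the mechanism itself.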
See 5.4.2.3: Accessing secured resources from Java clients for information on authenticating Java clients to enterprise beans.