Securing Application Clients
The Java EE authentication requirements for application clients are the same as for other Java EE components, and the same authentication techniques can be used as for other Java EE application components.
No authentication is necessary when accessing unprotected web resources. When accessing protected web resources, the usual varieties of authentication can be used, namely HTTP basic authentication, SSL client authentication, or HTTP login form authentication. These authentication methods are discussed in Specifying an Authentication Mechanism (page 957).
Authentication is required when accessing protected enterprise beans. The authentication mechanisms for enterprise beans are discussed in Securing Enterprise Beans. Lazy authentication can be used.
An application client makes use of an authentication service provided by the application client container for authenticating its users. The container's service can be integrated with the native platform's authentication system, so that a single sign-on capability is employed. The container can authenticate the user when the application is started, or it can use lazy authentication, authenticating the user when a protected resource is accessed.
An application client can provide a class to gather authentication data. If so, the javax.security.auth.callback.CallbackHandler interface must be implemented, and the class name must be specified in its deployment descriptor. The application's callback handler must fully support the Callback objects specified in the javax.security.auth.callback package. Gathering authentication data in this way is discussed in Using Login Modules.
Using Login Modules
An application client can use the Java Authentication and Authorization Service (JAAS) to create login modules for authentication. A JAAS-based application implements the javax.security.auth.callback.CallbackHandler interface so that it can interact with users to enter specific authentication data, such as user names or passwords, or to display error and warning messages.
Applications implement the CallbackHandler interface and pass it to the login context, which forwards it directly to the underlying login modules. A login module uses the callback handler both to gather input (such as a password or smart card PIN) from users and to supply information (such as status information) to users. Because the application specifies the callback handler, an underlying login module can remain independent of the various ways applications interact with users. For example, the implementation of a callback handler for a GUI application might display a window to solicit user input, while the implementation of a callback handler for a command-line tool might simply prompt the user for input directly from the command line.
The login module passes an array of appropriate callbacks to the callback handler's handle method (for example, a NameCallback for the user name and a PasswordCallback for the password); the callback handler performs the requested user interaction and sets appropriate values in the callbacks. For example, to process a NameCallback, the CallbackHandler might prompt for a name, retrieve the value from the user, and call the setName method of the NameCallback to store the name.
For more information on using JAAS for login modules for authentication, go to the following URLs:
- Java Authentication and Authorization Service (JAAS) in Java 2, Standard Edition (J2SE) 1.4
http://java.sun.com/developer/technicalArticles/Security/jaasv2/index.html
- Java Authentication and Authorization Service (JAAS) Reference Guide
http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html
- Java Authentication and Authorization Service (JAAS): LoginModule Developer's Guide
http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASLMDevGuide.html
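The command-line style of callback handler described above, written out as an added example (this is not code from the tutorial; the class name ConsoleCallbackHandler is ours). It satisfies the NameCallback, PasswordCallback and TextOutputCallback types from javax.security.auth.callback, reads the password without echo where a console is available, clears its own copy of the password, and rejects any callback it does not understand rather than silently ignoring it.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Example handler (our own class, not part of the tutorial): the login
 *  module hands us an array of callbacks; we fill in each one we support. */
public class ConsoleCallbackHandler implements CallbackHandler {
    private final BufferedReader in =
        new BufferedReader(new InputStreamReader(System.in));

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof TextOutputCallback) {
                // Status, warning or error text supplied by the login module
                TextOutputCallback toc = (TextOutputCallback) cb;
                System.err.println("[login] " + toc.getMessage());
            } else if (cb instanceof NameCallback) {
                NameCallback nc = (NameCallback) cb;
                System.out.print(nc.getPrompt() + " ");
                nc.setName(in.readLine());
            } else if (cb instanceof PasswordCallback) {
                PasswordCallback pc = (PasswordCallback) cb;
                char[] pw = readPassword(pc.getPrompt());
                pc.setPassword(pw);     // PasswordCallback stores its own copy
                Arrays.fill(pw, '\0');  // wipe ours; the module calls clearPassword()
            } else {
                // Unknown callback type: fail explicitly instead of guessing
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }

    private char[] readPassword(String prompt) throws IOException {
        if (System.console() != null) {
            return System.console().readPassword("%s ", prompt); // no echo
        }
        System.out.print(prompt + " ");   // fallback when no console (e.g. IDE)
        String line = in.readLine();
        return line == null ? new char[0] : line.toCharArray();
    }
}
```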
Using Programmatic Login
Programmatic login enables the client code to supply user credentials. If you are using an EJB client, you can use the com.sun.appserv.security.ProgrammaticLogin class with its convenient login and logout methods.
Because programmatic login is specific to a server, information on programmatic login is not included in this document, but is included in the Sun Java System Application Server Developer's Guide, a link to which is provided in Further Information.