Chapter 25 Configuring Web Application Security
A Web container holds your Web application elements, including components, servlets, JSPs, HTML pages, and so on. The Web application's deployment descriptor describes how a Web application is deployed, including the level of security for the various elements of your Web application. For example, your Web application may include an HTML page that is available to all visitors to your site, while other HTML pages, servlets, and JSPs are restricted to existing or preferred customers.
This chapter discusses how to establish authentication and authorization levels for your Web application elements using declarative security provided by Jaguar Manager.
Authentication means that an entity's (person, client, or server) identity has been verified to either a server or a client. In contrast, authorization means that an entity has permission to use a resource or file. An entity must be authenticated before it can be authorized to use a resource or file.
When a user tries to access a protected Web application resource, the Web container activates the authentication mechanism defined in the application's deployment descriptor. Jaguar supports these authentication mechanisms:
Jaguar does not support HTTP digest authentication. If you specify digest authentication, the default, Basic, is used instead.
Jaguar supports lazy authentication, which means that the server attempts to identify a client only when the client attempts to access a restricted resource. As long as the client accesses only resources that do not require authorization, the server does not attempt to authenticate the client.
When a server authenticates a client, the client is authenticated for all applications and references on the server. You can implement authentication of a client for an entire server by using cookies or rewriting the URL. A reference to the client's security credentials is saved in a cookie or encoded in the URL.
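As an added illustration (not taken from the Jaguar documentation), the following J2EE web.xml deployment descriptor fragment shows the declarative security described above: a public HTML page, a set of servlets and JSPs restricted to one role, and a login-config selecting Basic authentication. The role name "customer" and the URL paths are assumptions.

```xml
<!-- Added example, not from the Jaguar manual. Paths and the role name
     "customer" are assumed for illustration. -->
<web-app>

  <!-- No security-constraint matches /index.html, so under lazy
       authentication the container never challenges a visitor for it. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Customer area</web-resource-name>
      <!-- Servlets and JSPs under /customer/ are restricted. -->
      <url-pattern>/customer/*</url-pattern>
      <!-- No http-method elements: the constraint applies to every HTTP
           method. Listing only GET and POST would leave other methods
           unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users in this role are authorized. -->
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require HTTPS so Basic credentials are not sent in the clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Basic is Jaguar's default; specifying DIGEST here would fall back
       to Basic, as the chapter notes. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Customer Area</realm-name>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>

</web-app>
```

The first request for /index.html is served without any challenge; the first request for a resource under /customer/ triggers the Basic challenge, and the resulting credentials are then carried for the rest of the session by the cookie or URL rewriting described above.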
Copyright © 2000 Sybase, Inc. All rights reserved.