Sun Java System Web Server 7.0 Update 1 Developer's Guide to Java Web Applications

Web Server Security Model

Secure applications require a client to be authenticated as a valid application user and have authorization to access servlets and JSPs.

Applications with a secure web container may enforce the following security processes for clients:

  • Authenticate the caller

  • Authorize the caller for access to each servlet/JSP based on the applicable access control configuration

Authentication is the process of confirming an identity. Authorization means granting access to a restricted resource to an identity. Access control mechanisms enforce these restrictions. Authentication and authorization can be enforced by a number of security models and services.

Web Server provides authentication and authorization support through the following mechanisms, which are discussed in this section:

  • ACL-based authentication and authorization

  • Java EE/Servlet-based authentication and authorization

Whether performed by the ACL subsystem or the Java EE/Servlet authentication subsystem, authentication and authorization are still the two fundamental operations that define secure web content.

ACL-Based Authentication and Authorization

ACL-based access control is described at length in the Configuring Access Control in Sun Java System Web Server 7.0 Update 1 Administrator’s Guide. This section provides a brief overview of the key concepts.

Web Server supports authentication and authorization through the use of locally stored ACLs, which describe what access rights a user has for a resource. For example, an entry in an ACL can grant a user named John read permission to a particular folder named misc:


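acl "path=/export/user/990628.1/docs/misc/";
  # Prompt for a user name and password, checked against the default auth-db
  authenticate (user,group) {
      database = "default";
      method = "basic";
   };
  # Deny everyone first, then grant read access to John only
  deny (all)
   (user = "anyone");
  allow (read)
   (user = "John");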

The core ACLs in Web Server support three types of authentication: basic, certificate, and digest.

  • Basic authentication relies on lists of user names and passwords passed as cleartext.

  • Certificates bind a name to a public key.

  • Digest authentication uses encryption techniques to encrypt the user’s credentials.

The ACL-based access control model includes the following features:

  • ACL-based authentication uses the following configuration files:

    • install_dir/config/*.acl files

    • install_dir/config/server.xml

    Authentication is performed by auth-db modules that are configured in the server.xml file.

  • Authorization is performed by access control rules set in the install_dir/config/*.acl files, if ACLs are configured.

In addition, the Web Server SSL engine supports external crypto hardware to offload SSL processing and to provide optional tamper-resistant key storage.

For more information about ACL-based access control and the use of external crypto hardware, see the Web Server Administrator’s Guide.

Java EE/Servlet-Based Authentication and Authorization

In addition to providing ACL-based authentication, Web Server also implements the security model defined in the Java EE 1.4 specification to provide several features that help you develop and deploy secure Java web applications.

A typical Java EE-based web application consists of the following parts, access to any or all of which can be restricted:

  • Servlets

  • JavaServer Pages (JSP) components

  • HTML documents

  • Miscellaneous resources, such as image files and compressed archives

The Java EE servlet-based access control infrastructure relies on the use of security realms. When a user tries to access the main page of an application through a web browser, the web container prompts for the user's credential information. The container then passes the information for verification to the realm that is currently active in the security service.

A realm represents a set of known users along with optional group membership information. The main implementation also encapsulates a mechanism for performing authentication against the data set.

The main features of the Java EE/Servlet-based access control model are described below:

  • Java EE/Servlet-based authentication uses the following configuration files:

    • The web application deployment descriptor files web.xml and sun-web.xml

    • install_dir/config/server.xml

    Authentication is performed by Java security realms that are configured through <auth-realm> entries in the server.xml file.

  • Authorization is performed by access control rules in the deployment descriptor file, web.xml, if any such rules have been set.