The security authentication mechanism of Java EE

The security mechanism for implementing Web applications is the task that designers and programmers of Web applications must face. In Java EE, the Web container supports the security mechanism built into the application.

The security mechanism for Web applications has two components: Authentication and authorization. The Web container based on Java EE provides three kinds of authentication mechanisms: Basic authentication, form based authentication and mutual authentication. Because of the ability to customize the authentication user interface, most Web applications use forms based authentication. The Web container authorizes access to the application's Web resources using the security roles defined in the deployment descriptor for the Web application.

In the use of a form-based authentication mechanism, application designers and developers encounter 3 types of problems:

• How to work with security mechanisms in other areas, such as databases and LDAP, based on form authentication. (This is necessary because many organizations have implemented authentication mechanisms in databases and LDAP forms.) ）

• How to add or remove the authoritative role of the junta in the deployment descriptor (Web.xml) of the Web application.

· Web containers are authorized at the Web resource level, and applications need to perform functional-level authorization in a single Web resource.

Although there are a number of documents and examples related to the form-based authentication, none of them can clarify this issue. As a result, most applications 襀 the security mechanism in their own way.

This article explains how form-based authentication works with other security mechanisms, especially the security mechanisms in the database. It also explains how Web windows can use security roles to perform authorization and how applications can extend these security roles to protect functionality in Web resources.

Form-based authentication

Form-based authentication enables developers to customize the authenticated user interface. The Login-config section of Web.xml defines the type of authentication mechanism, the URI of the login, and the error page.

FORM

/login.jsp

/fail_login.html

The login form must contain fields that enter the user's name and password, which must be named J_username and J_password, and the form sends the two values to the J_security_check logical name.

Here's an example of how this form can be implemented in an HTML Web page:

＜form method="POST" action="j_security_check"＞
＜input type="text" name="j_username"＞
＜input type="password" name="j_password"＞
＜/form＞

Unless all of the connections are implemented on SSL, the form can disclose the user name and password. When a protected web resource is accessed, the Web container activates the authentication mechanism configured for that resource.

To implement the security of the Web application, the Web container performs the following steps:

1. When a protected web resource is accessed, determine if the user is authenticated.

2. If the user is not authenticated, the user is required to provide a security trust by redirecting to the registration page defined in the deployment descriptor.

3, according to the security area configured for the container, confirm the user's trust-like effect.

4, determine whether the authenticated user is authorized to access the Web resources defined in the deployment descriptor (Web.xml).