On the security topic, I am quite confused about the following:
1. Login mechanisms specified by the J2EE platform (HTTP basic authentication, SSL authentication, or form-based login)
2. JAAS approaches
3. Customized login and authorization application modules
My questions are:
1. Does JAAS support both 1 and 3?
2. Is this always correct: there are two kinds of users in an application, J2EE system users and application users. System users are created as users in the J2EE platform, using vendor-specific tools. Application users are represented and managed by application code.
3. What are the differences between JAAS and customized login and authorization application modules for application users?
To protect a web resource and force authentication whenever an unknown user or request comes to this secured web resource, be it a JSP or a servlet, there are four methods available:
1. Basic - just a popup for user authentication; the credentials are sent in Base64.
2. Client cert - or mutual authentication.
3. Form based - to have a customized and cool authentication login page.
4. Digest - here the credentials are digested with MD5 or SHA as specified.
These are the ways by which user authentication is forced.
Now, how to validate the credentials: you have to know whether the user is the real user with the correct credentials.
For that we have JAAS; other means are realms. You can authenticate using LDAP or a DB [RDBMS Realm].
SCJP 1.4 SCWCD 1.4 SCDJWS 1.4
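The answer above separates forcing authentication (the four methods the container applies from the web.xml login-config) from validating the credentials (a realm or a JAAS LoginModule). The following is an added example, not code from the original thread, of the second half: a custom JAAS LoginModule that validates application users, the "customized login module" case from the question. The class name AppUserLoginModule, the realm name AppRealm, and the two sample users with their salted SHA-256 hashes are all assumptions constructed for this illustration; in a deployment the user table would live in a DB or LDAP, and the module would be registered in the server's vendor-specific JAAS login configuration rather than built in main().

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical JAAS LoginModule for application users (example code, not from the thread). */
public class AppUserLoginModule implements LoginModule {

    /** Minimal Principal with value equality so it behaves correctly in the Subject's Set. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    // Constructed sample data (assumption): user -> "salt:sha256hex(salt + password)", user -> role.
    private static final Map<String, String> USERS = new HashMap<>();
    private static final Map<String, String> ROLES = new HashMap<>();
    static {
        USERS.put("alice", "s1:" + sha256Hex("s1" + "alice-secret")); ROLES.put("alice", "admin");
        USERS.put("bob",   "s2:" + sha256Hex("s2" + "bob-secret"));   ROLES.put("bob", "user");
    }

    private Subject subject;
    private CallbackHandler handler;
    private String userName;
    private boolean succeeded, committed;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    /** Phase 1: obtain name/password via the caller's CallbackHandler and verify them. */
    @Override
    public boolean login() throws LoginException {
        if (handler == null) throw new LoginException("no CallbackHandler");
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
        String name = nameCb.getName();
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        if (name == null || pw == null) throw new FailedLoginException("missing credentials");
        try {
            String stored = USERS.get(name);
            // Hash the candidate even for unknown users and compare with a constant-time
            // comparison, so response timing does not reveal whether the account exists.
            String salt = stored == null ? "none" : stored.substring(0, stored.indexOf(':'));
            String candidate = salt + ":" + sha256Hex(salt + new String(pw));
            boolean ok = stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.UTF_8), candidate.getBytes(StandardCharsets.UTF_8));
            if (!ok) throw new FailedLoginException("bad user or password");
        } finally {
            Arrays.fill(pw, '\0'); // do not leave the cleartext password in the array
        }
        userName = name;
        succeeded = true;
        return true;
    }

    /** Phase 2: the whole module stack passed, so attach user and role principals. */
    @Override
    public boolean commit() throws LoginException {
        if (!succeeded) return false;
        subject.getPrincipals().add(new NamedPrincipal(userName));
        String role = ROLES.get(userName);
        if (role != null) subject.getPrincipals().add(new NamedPrincipal(role));
        committed = true;
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        if (!succeeded) return false;
        if (committed) logout(); else { userName = null; succeeded = false; }
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        subject.getPrincipals().removeIf(p -> p instanceof NamedPrincipal);
        userName = null; succeeded = false; committed = false;
        return true;
    }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Stand-alone demo: a programmatic Configuration replaces the server's login.config file. */
    public static void main(String[] args) throws LoginException {
        Configuration cfg = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        AppUserLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
        CallbackHandler cb = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("alice-secret".toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("AppRealm", new Subject(), cb, cfg);
        lc.login(); // throws LoginException on bad credentials
        System.out.println("principals: " + lc.getSubject().getPrincipals());
    }
}
```

In a container, the login-config in web.xml (BASIC, CLIENT-CERT, FORM or DIGEST) only decides how the credentials are collected; the CallbackHandler passed to this module is what carries them in, and the principals added in commit() are what the container later matches against the role names in the security-constraint.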
subject: J2EE authentication/authorization: does JAAS handle system users and application users