
5.1.2: The WebSphere authentication model

Authentication is the process of determining if a user is who the user claims to be. WebSphere Application Server authenticates users by using one of several authentication mechanisms. J2EE does not specify how to authenticate to an enterprise-bean container. However, WebSphere uses the Secure Association Service (SAS) to authenticate Java clients to enterprise beans.

The authentication mechanism for Web resources is specified by using the login-config element of the web.xml deployment descriptor for the Web application. Each Web application in an enterprise application can have a different login-config value specified. Here is an example of a login-config element where form login is specified:

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Form-Based Authentication</realm-name>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>

The servlet specification identifies the following authentication methods:

  • Basic authentication

    This is the familiar style of authentication in which the Web browser presents a dialog window requesting the user to enter a user ID and password when the user attempts to access a protected Web resource.

    After the user provides the identifier and password, the security service validates them against a database of known users, the user registry. If the user-provided information is valid, the security system considers the user authenticated.

    In this edition, the registry must be the local operating-system registry.

  • Digest authentication

    This authentication mechanism is not supported by WebSphere. You must specify one of the other authentication mechanisms.

  • Form-based authentication

    This authentication mechanism permits a site-specific login through an HTML page or a JSP form.
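A pre-deployment check for the login-config element and the authentication methods listed above, written here as an added example and not taken from the WebSphere documentation or product. The function name, the sample descriptors, and the rule that form pages start with "/" (as in the page's own sample) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Methods this page describes as usable; DIGEST is listed but unsupported.
SUPPORTED = {"BASIC", "FORM"}
# Constructed sample descriptors (the first wraps the page's login-config).
SAMPLE_FORM = """<web-app><login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication</realm-name>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config></web-app>"""
SAMPLE_DIGEST = ("<web-app><login-config><auth-method>DIGEST</auth-method>"
                 "</login-config></web-app>")

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop a '{namespace}' prefix if present

def _child_text(parent, name):
    for child in (parent if parent is not None else ()):
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_login_config(web_xml):
    """Return findings for a web.xml string from your own build (trusted input)."""
    root = ET.fromstring(web_xml)
    configs = [e for e in root.iter() if _local(e.tag) == "login-config"]
    if not configs:
        return ["no login-config element: no authentication method declared"]
    findings = []
    for cfg in configs:
        method = _child_text(cfg, "auth-method").upper()
        if method == "DIGEST":
            findings.append("DIGEST is not supported by WebSphere")
        elif method not in SUPPORTED:
            findings.append("auth-method %r is not described on this page" % method)
        elif method == "FORM":
            # Assumption: both pages are required and start with "/".
            form = next((c for c in cfg if _local(c.tag) == "form-login-config"), None)
            for name in ("form-login-page", "form-error-page"):
                if not _child_text(form, name).startswith("/"):
                    findings.append("FORM login lacks a '/'-rooted " + name)
    return findings

if __name__ == "__main__":
    for doc in (SAMPLE_FORM, SAMPLE_DIGEST):
        print(audit_login_config(doc))
```

Run it over each Web application's web.xml in an enterprise application, since every one can declare a different login-config value.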

See 5.4.2.3: Accessing secured resources from Java clients for information on authenticating Java clients to enterprise beans.
