The Application Server enforces its authentication and authorization policies upon the following entities:
NOTE: Users and groups are designated for the entire Application Server, whereas each application defines its own roles. When the application is being packaged and deployed, the application specifies mappings between users/groups and roles, as illustrated in the following figure.
A user is an individual (or application program) identity that has been defined in the Application Server. A user can be associated with a group. The Application Server authentication service can govern users in multiple realms.
A J2EE group (or simply group) is a category of users classified by common traits, such as job title or customer profile. For example, users of an e-commerce application might belong to the customer
group, but the big spenders would belong to the preferred
group. Categorizing users into groups makes it easier to control the access of large numbers of users.
A role defines which applications and what parts of each application users can access and what they can do. In other words, roles determine users’ authorization levels.
For example, in a personnel application all employees might have access to phone numbers and email addresses, but only managers would have access to salary information. The application might define at least two roles: employee
and manager
; only users in the manager
role are allowed to view salary information.
A role is different from a user group in that a role defines a function in an application, while a group is a set of users who are related in some way. For example, in the personnel application there might be groups such as full-time
, part-time
, and on-leave
, but users in all these groups would still be in the employee
role.
Roles are defined in application deployment descriptors. In contrast, groups are defined for an entire server and realm. The application developer or deployer maps roles to one or more groups for each application in its deployment descriptor.
A realm, also called a security policy domain or security domain, is a scope over which the server defines and enforces a common security policy. In practical terms, a realm is a repository where the server stores user and group information.
The Application Server comes pre-configured with three realms: file
(the initial default realm), certificate
, and admin-realm
. It is possible to also set up ldap
, solaris
, or custom realms. Applications can specify the realm to use in their deployment descriptor. If they do not specify a realm, the Application Server uses its default realm.
In the file
realm, the server stores user credentials locally in a file named keyfile
. You can use the Admin Console to manage users in the file
realm. For more information, see "Managing file Realm Users".
In the certificate
realm, the server stores user credentials in a certificate database. When using the certificate
realm, the server uses certificates with the HTTPS protocol to authenticate Web clients. For more information about certificates, see "Introduction to Certificates and SSL".
The admin-realm
is also a FileRealm
and stores administrator user credentials locally in a file named admin-keyfile
. Use the Admin Console to manage users in this realm in the same way you manage users in the file
realm. For more information, see "Managing file Realm Users".
In the ldap
realm the server gets user credentials from a Lightweight Directory Access Protocol (LDAP) server such as the Sun Java System Directory Server. LDAP is a protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. Consult your LDAP server documentation for information on managing users and groups in the ldap
realm.
In the solaris
realm the server gets user credentials from the Solaris operating system. This realm is supported on the Solaris 9 OS and later. Consult your Solaris documentation for information on managing users and groups in the solaris
realm.
A custom realm is any other repository of user credentials, such as a relational database or third-party component. For more information, see "Creating a Custom Realm" or he Developer’s Guide chapter titled Securing Applications.