
Chapter 3: Using Web Application Security


The types of Web application authentication methods available include:

Note: EAServer does not support HTTP digest authentication. If you specify digest authentication, the default, Basic, is used instead.

EAServer supports lazy authentication, which means that the server attempts to identify a client only when the client attempts to access a restricted resource. As long as the client accesses only resources that do not require authorization, the server does not attempt to authenticate the client.

When a server authenticates a client, the client is authenticated for all applications and references on the server. You can implement authentication of a client for an entire server by using cookies or rewriting the URL. A reference to the client’s security credentials is saved in a cookie or encoded in the URL.

Form login requirements in a Web application when using HTTPS (SSL)

To use the form login mechanism in your Web application, the client must support cookies. The client can be a browser or a standalone HTTP client. If your Web application uses the form login mechanism together with HTTPS, the transport guarantee for the form login page and for the pages that require authorization must be identical. Otherwise, the client receives repeated HTTP redirects to the same page, resulting in an error. See “Defining a security constraint from the Web Application Properties Security tab” for information about configuring the transport guarantee.

Here are the steps required to enable HTTPS for the eStore application, which is a large, comprehensive sample application developed by Sun Microsystems to run on J2EE-compliant servers. eStore simulates an online pet store implemented with Java Server Pages, Java servlets, and Enterprise Java Beans. You can download eStore as part of the Sun Microsystems J2EE Blueprints.

  1. Change the transport guarantee for the existing two security constraints from None to Confidentiality or Integrity.

  2. Add a new security constraint. Set the transport guarantee for the new security constraint to the same value as the existing two security constraints.

  3. Add a Web resource collection to the new security constraint. Define a Web resource, and set the URL pattern to “/login.jsp”, which is the URL of the form login page.

  4. Refresh the eStore application. Connect to the eStore application from your browser. The form login and subsequent communication occurs using HTTPS.
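The same four steps expressed in a standard J2EE web.xml deployment descriptor, as an added example that is not part of the EAServer documentation or the eStore sample. The URL patterns, role name and error page are assumed; the EAServer Manager values Confidentiality and Integrity correspond to the descriptor values CONFIDENTIAL and INTEGRAL, and every constraint must use the same one to avoid the redirect loop described above.

```xml
<!-- Added example: J2EE web.xml equivalent of the eStore HTTPS steps.
     /control/* and /account/* are assumed patterns; "customer" is an assumed role. -->
<web-app>

  <!-- Step 1: the two existing constraints, transport guarantee raised from NONE -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Store control pages</web-resource-name>
      <url-pattern>/control/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Steps 2 and 3: a new constraint for the form login page only, with the SAME
       transport guarantee. It has no auth-constraint: the login page must remain
       reachable by unauthenticated clients; it only has to be served over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Form login page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page> <!-- assumed page -->
    </form-login-config>
  </login-config>
</web-app>
```

After redeploying (step 4), check that a plain http:// request for any pattern above is redirected to https:// exactly once; a second redirect to the same URL indicates a transport guarantee that still differs between the login page and the protected pages.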

Web application direct form login

EAServer supports direct form login, which allows you to access a Web application’s protected content directly without requiring the user to visit the Web application’s form login page.

To enable direct form login, set the following session property:

This property specifies the URL of the protected page that you want to access. With the property set, submit a POST request to the form login URL with the user name and password specified in the request parameters. If the login succeeds, EAServer redirects the user to the specified page. If you do not specify a page to redirect to before posting a request to the login form, EAServer redirects the user to the page specified by this Web application property:

If this property is not set, EAServer redirects the user to the Web application’s welcome page.

Also, when authentication fails, the following properties are set in the servlet session before invoking the error page:

These settings are removed when authentication succeeds.

Copyright © 2005. Sybase Inc. All rights reserved.