Using Web container-managed (JEE) authentication

After you deploy a Rich UI application, you can protect the resources in the deployed project from unauthenticated users by using the Web container-based JEE security that Apache Tomcat provides. Once resources such as the HTML file generated for your Rich UI application are protected with JEE security, users must authenticate before they can access them. Every action that the Web container takes on behalf of the user is taken only if the user belongs to a role that has permission for that action. The user is asked to authenticate only once per session, even when several resources are protected.

In JEE authentication, a system administrator performs administration tasks, such as adding or deleting user data in a repository, independently of the applications that access that repository. Application servers support various types of repositories, or realms, such as the local OS registry, LDAP directories, and custom stores such as relational databases and flat files. These repositories hold user IDs, passwords, and other security information.

To secure the entire Rich UI application, the EGL Rich UI Proxy, and Web services, you can use JEE security.

In JEE role-based security, access to resources is granted to roles, which are then mapped to actual user registry entries. Security information, such as roles and constraints, is defined declaratively, that is, outside the application, in deployment descriptors such as web.xml and application.xml. In V7.5.1, you must use declarative JEE security with Rich UI applications. The J2EELib system functions that are available for programmatic security from JSF handlers (getRemoteUser(), isUserInRole(), and getAuthenticationType()) are not available from Rich UI handlers.
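The following is an added example, not part of the original EGL documentation, showing what a declarative web.xml for a Rich UI project looks like and a small audit of it. The descriptor is constructed for illustration: the URL patterns (*.html, /proxy/*, /services/*, /public/*), the role name richui-user, and the login page names are assumptions, not values taken from an EGL deployment. The audit reports which patterns are constrained, which roles may reach them, whether the transport guarantee requires an encrypted connection, and whether every referenced role is declared.

```python
"""Audit the declarative security in a JEE web.xml (added example)."""
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/javaee}"

# Constructed sample descriptor; patterns and role name are assumptions.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RichUI application, proxy and services</web-resource-name>
      <url-pattern>*.html</url-pattern>
      <url-pattern>/proxy/*</url-pattern>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>richui-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public files</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>richui-user</role-name>
  </security-role>
</web-app>
"""


def _text(parent, tag):
    """Text of the first child <tag> of parent, or None."""
    child = parent.find(NS + tag)
    return child.text.strip() if child is not None and child.text else None


def audit_web_xml(xml_text):
    """Summarise the security-constraint, login-config and security-role
    elements of a web.xml and return warnings a reviewer would raise."""
    root = ET.fromstring(xml_text)
    declared = {_text(sr, "role-name") for sr in root.findall(NS + "security-role")}
    declared.discard(None)
    login = root.find(NS + "login-config")
    auth_method = _text(login, "auth-method") if login is not None else None

    constraints, findings = [], []
    for sc in root.findall(NS + "security-constraint"):
        patterns = [p.text.strip()
                    for wrc in sc.findall(NS + "web-resource-collection")
                    for p in wrc.findall(NS + "url-pattern")]
        auth = sc.find(NS + "auth-constraint")
        # No <auth-constraint>: anyone may access. Present but empty: nobody may.
        roles = None if auth is None else [r.text.strip() for r in auth.findall(NS + "role-name")]
        udc = sc.find(NS + "user-data-constraint")
        transport = (_text(udc, "transport-guarantee") if udc is not None else None) or "NONE"
        constraints.append({"patterns": patterns, "roles": roles, "transport": transport})

        if roles is None:
            findings.append("%s: no auth-constraint, accessible without authentication" % patterns)
        elif transport != "CONFIDENTIAL":
            findings.append("%s: protected, but transport-guarantee is %s so credentials "
                            "are sent over an unencrypted connection" % (patterns, transport))
        for role in roles or []:
            if role != "*" and role not in declared:
                findings.append("%s: role %r is not declared in <security-role>" % (patterns, role))

    if auth_method is None and any(c["roles"] is not None for c in constraints):
        findings.append("resources are constrained but there is no <login-config>")
    return {"auth_method": auth_method, "roles": sorted(declared),
            "constraints": constraints, "findings": findings}


if __name__ == "__main__":
    for line in audit_web_xml(SAMPLE_WEB_XML)["findings"]:
        print(line)
```

The only warning for the sample is the deliberately open /public/* collection; replacing CONFIDENTIAL with NONE in the first constraint produces the warning that matters, because Tomcat would then accept the login over plain HTTP.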

With both JEE basic and form-based authentication the password crosses the network in a form that anyone on the path can recover. Basic authentication sends it in an Authorization header that is only Base64-encoded, which is trivial to decode, and form-based authentication sends it as a plain-text field in the POST of the login form. Neither encodes the password for confidentiality. To ensure that the password is not compromised, use SSL in conjunction with these types of authentication so that the whole request is encrypted. For an introduction to SSL, see Overview of SSL.
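To make the point concrete, here is an added example (not from the EGL documentation) that recovers the user name and password from two captured login requests: one using basic authentication and one posting to the standard JEE form-login action j_security_check. Both captures are constructed for illustration; the host name, user name and password are made up. Only the transport can protect these values, which is what SSL provides.

```python
"""Recover credentials from captured basic and form-based logins (added example)."""
import base64
from urllib.parse import parse_qs

# Constructed capture of a basic-authentication request (alice:s3cr3t).
CAPTURED_BASIC = (
    "GET /RichUIApp/index.html HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    "\r\n"
)

# Constructed capture of a JEE form login; j_username and j_password are
# the field names the container expects, j_security_check the action.
CAPTURED_FORM = (
    "POST /RichUIApp/j_security_check HTTP/1.1\r\n"
    "Host: app.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 37\r\n"
    "\r\n"
    "j_username=alice&j_password=s3cr3t%21"
)


def split_request(raw):
    """Split a raw HTTP request into (request line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def credentials_from_request(raw):
    """Return (method, username, password) if the request carries a
    basic-auth header or a form login, otherwise None."""
    request_line, headers, body = split_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is reversible encoding, not encryption.
        decoded = base64.b64decode(auth[6:]).decode("utf-8")
        user, _, password = decoded.partition(":")
        return "basic", user, password
    target = request_line.split()[1] if len(request_line.split()) > 1 else ""
    if target.endswith("/j_security_check"):
        # The form body is URL-encoded plain text.
        form = parse_qs(body)
        return ("form", form.get("j_username", [""])[0],
                form.get("j_password", [""])[0])
    return None


if __name__ == "__main__":
    for capture in (CAPTURED_BASIC, CAPTURED_FORM):
        print(credentials_from_request(capture))
```

Run over a capture of a plain-HTTP login, either branch hands back the password unchanged; with a CONFIDENTIAL transport guarantee in web.xml the container redirects the request to HTTPS before the header or form body is ever sent in the clear.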

For more details on Web container-managed authentication, see Apache Tomcat documentation.
