lionsir

June 28, 2007

Authentication for Web Applications Users on the J2EE

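Authentication is the mechanism by which the J2EE engine verifies a user's identity before the user accesses a Web application resource. The J2EE specification defines four standard authentication schemes (authentication types):

(1) BASIC: the user name and password are entered in the browser;

(2) FORM: the user name and password are entered in a form;

(3) DIGEST: an advanced form of BASIC; the user name and password are encoded when they are sent.

(4) CLIENT-CERT: uses digital signatures (digital certificates). Requires the HTTPS protocol.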

Pluggable Authentication using JAAS Login Modules:

This means you can develop your own login modules and then register them with the J2EE engine's security provider. To apply your own login modules to a Web application, you only need to configure them in web-j2ee-engine.xml.

Overview of the Login Process in JAAS:

1. The application calls the login() method of the LoginContext class.

2. The LoginContext calls the login() method of each of the login modules in the stack in the order they are configured.

Each login module completes the user authentication in two phases:

   a. First, when its login() method is called, it uses a CallbackHandler class to negotiate the required authentication information with the user.

   b. The second phase refers to calling the commit() method of the login module if the user has successfully authenticated, or the abort() method, if the authentication fails.

The login process is successful if the user is authenticated by all the required login modules in the stack (that is, the commit() method of all login modules that successfully authenticated the user returns).

posted @ 2007-06-28 13:02 狮子先生 | Views (1284) | Comments (0)