Authentication in JSF2 with JAAS: Part 1 – Understand the terminology

OK, this will be a multi-part series of blog entries.
In these entries I want to document how to make a JSF2 application use JAAS (Java Authentication and Authorization Service) to manage its users, authenticate them through a login form with the help of the server, and then use that security information in JSF2 pages and managed beans.

In this first part of the series, I'll try to cover the terminology in easy-to-understand words.

These are the terms you'll need to know:

  • realm: A realm is basically a "user database": a flat file with user/password and group information, a set of database tables, an LDAP directory, or something else you can imagine, such as Facebook Connect or Google's authentication system. One realm may be used by n applications.
  • user: A user is a person or program wishing to authenticate against our server/application. If your website is only for real people, these are your users; if you also offer a web service, the programs accessing that service are users too. A user belongs to a realm, so the same user may be valid in n applications (see principal below).
  • role: Roles are the names an application uses to decide who may access what, e.g. LOGGEDIN_USER for any authenticated user, MODERATOR or ADMIN for special people. The application declares the roles it needs; which users and groups end up in which role is decided when the application is deployed. An unauthenticated visitor (a guest) is in no role at all and only reaches the resources that are not protected.
  • group: Groups are like roles, but they live in the realm and therefore span multiple applications; each application maps the realm's groups to its own roles, on a per-application basis.
  • principal: A principal is an authenticated user in the scope of an application. The same user may be represented by different principals in different applications. A principal is identified by its name and authenticated using authentication data (credentials).
  • security policy domain: Also called security domain or realm. A scope over which one common security policy is defined and enforced; in practice, the realm as seen from the applications that use it, be it application1, application2 or applicationN.
  • security attributes: A set of security attributes is associated with every principal, e.g. "is allowed to access the admin area"; they are what the server consults when granting or denying access to protected resources.
  • credential: Contains or references the security attributes used to authenticate a principal to a Java EE product service (your web application). For form login, the credential is the user name and password the user types in.

If you want to read the original definitions, take a look at the Security chapter of the Java EE 6 Tutorial, Volume I.
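As an added example (not part of the original post), here is where those terms show up in a Java EE 6 web application's configuration: the roles, the protected URLs and the form login against a named realm go into web.xml, and the per-application mapping of realm groups to application roles goes into the server's own descriptor. GlassFish is assumed as the server (the tutorial cited above is written for it), so the mapping sits in glassfish-web.xml (sun-web.xml on GlassFish 3.0); the realm name `file`, the roles USER and ADMIN, the groups `members` and `moderators` and the page names are placeholders chosen for this example.

```xml
<!-- web.xml (Servlet 3.0 / Java EE 6), example configuration, names are placeholders -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- ROLE: logical names the application works with; nothing here says who is in them -->
  <security-role>
    <role-name>USER</role-name>
  </security-role>
  <security-role>
    <role-name>ADMIN</role-name>
  </security-role>

  <!-- Protected resources and the ROLES that may reach them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- force HTTPS: the login form posts a password and the session cookie must not leak -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>USER</role-name>
      <role-name>ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Everything outside these url-patterns is reachable by a guest, i.e. a visitor with no role -->

  <!-- REALM: the user store the server authenticates against; FORM means our own JSF login page -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name> <!-- assumed: GlassFish's default file realm -->
    <form-login-config>
      <form-login-page>/login.xhtml</form-login-page>
      <form-error-page>/loginError.xhtml</form-error-page>
    </form-login-config>
  </login-config>
</web-app>

<!-- glassfish-web.xml (GlassFish-specific, assumed server): GROUP -> ROLE mapping for this application -->
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN"
  "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app>
  <!-- the realm-wide group "moderators" becomes ADMIN in this application;
       another application using the same realm may map it to a different role -->
  <security-role-mapping>
    <role-name>ADMIN</role-name>
    <group-name>moderators</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>USER</role-name>
    <group-name>members</group-name>
    <group-name>moderators</group-name>
  </security-role-mapping>
</glassfish-web-app>
```

Reading it back against the list above: the user and his password live in the realm named in `realm-name`, his groups also come from the realm, the `security-role-mapping` turns those groups into this application's roles, and the `auth-constraint` elements are where the roles are finally checked. Once the form login succeeds, the server attaches a principal to the session, which is what `request.getUserPrincipal()` and `isUserInRole()` later return in your pages and beans. If you name your groups exactly like your roles, GlassFish can also map them automatically (the "Default Principal To Role Mapping" setting in the admin console), but the explicit mapping is what keeps group names realm-wide and role names application-local.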

Further references, which I'll probably be using in the next posts of this series:
