<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <title>Realms, Users, Groups, and Roles</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="Table of Contents" href="J2EETutorialTOC.html" /> <link rel="Previous" href="Security2.html" /> <link rel="Next" href="Security4.html" /> <link rel="Index" href="J2EETutorialIX.html" /> </head> <body> <blockquote><a name="wp147852"> </a><h2 class="pHeading1">Realms, Users, Groups, and Roles</h2><a name="wp143777"> </a><p class="pBody">A J2EE user is similar to an operating system user. Typically, both types of users represent people. However, these two types of users are not the same. The J2EE server authentication service has no knowledge of the user name and password you provide when you log on to the operating system. The J2EE server authentication service is not connected to the security mechanism of the operating system. The two security services manage users that belong to different realms. </p><a name="wp85926"> </a><p class="pBody">The J2EE server's authentication service includes and interacts with the following components:</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp85950"> </a><div class="pSmartList1"><li><em class="cEmphasis">Realm</em> - A collection of users and groups that are controlled by the same authentication policy. </li></div><a name="wp85975"> </a><div class="pSmartList1"><li><em class="cEmphasis">User</em> - An individual (or application program) identity that has been defined in the J2EE 1.4 Application Server. Users can be associated with a group.</li></div><a name="wp85932"> </a><div class="pSmartList1"><li><em class="cEmphasis">Group</em> - A set of authenticated <em class="cEmphasis">users</em>, classified by common traits, defined in the J2EE Application Server.</li></div><a name="wp85964"> </a><div class="pSmartList1"><li><em class="cEmphasis">Role - </em>An abstract name for the permission to access a particular set of resources in an application. A <em class="cEmphasis">role</em> can be compared to a key that can open a lock.
Many people might have a copy of the key, and the lock doesn't care who you are, just that you have the right key.</li></div></ul></div><a name="wp298597"> </a><p class="pBody">The J2EE server authentication service can govern users in multiple realms. In this release of the J2EE 1.4 Application Server, the <code class="cCode">file</code> and <code class="cCode">certificate</code> realms come preconfigured for the Application Server. </p><a name="wp299758"> </a><p class="pBody">When using the <code class="cCode">file</code> realm, the J2EE server authentication service verifies user identity by checking the <code class="cCode">file</code> realm. This realm is used for the authentication of all clients except for Web browser clients that use the HTTPS protocol and certificates. </p><a name="wp299767"> </a><p class="pBody">A J2EE user of the <code class="cCode">file</code> realm can belong to a J2EE group. (A user in the <code class="cCode">certificate</code> realm cannot.) A <em style="font-style: italic" class="cEmphasis">J2EE group</em><span style="font-style: italic"> </span>is a category of users classified by common traits, such as job title or customer profile. For example, most customers of an e-commerce application might belong to the <code class="cCode">CUSTOMER</code> group, but the big spenders would belong to the <code class="cCode">PREFERRED</code> group. Categorizing users into groups makes it easier to control the access of large numbers of users. The section <a href="Security8.html#wp299468">EJB-Tier Security</a> explains how to control user access to enterprise beans.</p><a name="wp299743"> </a><p class="pBody">When using the <code class="cCode">certificate</code> realm, certificates are used with the HTTPS protocol to authenticate Web browser clients. To verify the identity of a user in the <code class="cCode">certificate</code> realm, the authentication service verifies an X.509 certificate. 
For step-by-step instructions for creating this type of certificate, see <a href="Security6.html#wp80737">Setting Up Digital Certificates</a>. The common name field of the X.509 certificate is used as the principal name. </p><a name="wp79740"> </a><h3 class="pHeading2">Setting up Security Roles</h3><a name="wp79741"> </a><p class="pBody">When you design an enterprise bean or Web component, you should always think about the kinds of users who will access the component. For example, a Web application for a Human Resources department might have a different request URL for someone who has been assigned the role of <code class="cCode">admin</code> than for someone who has been assigned the role of <code class="cCode">director</code>. The <code class="cCode">admin</code> role may let you view some employee data, but the <code class="cCode">director</code> role enables you to view salary information. Each of these <span style="font-style: italic">security roles </span>is an abstract logical grouping of users that is defined by the person who assembles the application. When an application is deployed, the deployer will map the roles to security identities in the operational environment.</p><a name="wp298618"> </a><p class="pBody">A J2EE group also represents a category of users, but it has a different scope from a role. A J2EE group is designated for the entire J2EE server, whereas a role is associated with a specific application in a J2EE server only.</p><a name="wp453249"> </a><p class="pBody">To create a role for a Web application, see <a href="Security4.html#wp298711">Setting Security Requirements Using deploytool</a>.</p><a name="wp298620"> </a><p class="pBody">To create a role for a J2EE application, declare it for the application EAR file. For example, you could use the following procedure to create a role with <code class="cCode">deploytool</code>:</p><div class="pSmartList1"><ol type="1" class="pSmartList1">