NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
8-3
Authenticating a User
The process of authentication involves obtaining user credentials and validating them
against a database of user credentials. In NSJSP, this database is called a Realm. A
web application need not always authenticate a user using a password. The user can
also be authenticated using a certificate presented by the user. Because iTP Secure
WebServer supports X.509 certificates, a user can also be authenticated in NSJSP
using the X.509 certificates. A web application is configured to specify the method of
obtaining the user credentials. When user credentials are obtained, the user is
authenticated against the credentials stored in the Realm.
This section discusses the various configuration alternatives for obtaining user
credentials. The process to validate the user credentials is discussed in Realms on
page 8-7.
The following configurations can be used to obtain user credentials:
HTTP Basic Authentication
HTTP Digest Authentication
Form-Based Authentication
HTTPS Client Authentication
HTTP Basic Authentication
HTTP basic authentication is the authentication mechanism defined in the HTTP/1.0
specification. When a user tries to access a secured resource, NSJSP requests the
web browser to obtain the username and password. The web client obtains the
username and the password from the user and sends them back. NSJSP then
authenticates the user and if the user is authorized to access the resource, NSJSP
provides access to the secured resource. For more information on authorization, see
Authorizing a User on page 8-29.
HTTP basic authentication is not a secure authentication protocol on its own, because the
user's password is sent in base64 encoding, which is reversible and not a form of
encryption. A secured transport layer, such as Secure Socket Layer (SSL), provides a
more secure connection and protects the credentials in transit.
You can configure a web application for HTTP basic authentication by setting the
auth-method element in the application's web.xml file to BASIC. For a web application
deployed in <application_directory>, this file is located in the
<NSJSP_HOME>/webapps/<application_directory>/WEB-INF directory:
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Realm_Name</realm-name>
    </login-config>
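The following Python example, added here and not part of NSJSP or the original guide, models the HTTP basic authentication exchange described above: the 401 challenge that names the Realm, the decoding of the client's Authorization header, and the check against the Realm. The realm contents (SAMPLE_REALM) are constructed for the example; a real NSJSP Realm is backed by the stores described in Realms on page 8-7. Decoding the header shows why SSL is needed: the password comes back verbatim.

```python
import base64
import binascii
import hmac

REALM_NAME = "Realm_Name"
# Constructed sample credential store standing in for the Realm.
SAMPLE_REALM = {"alice": "s3cret"}


def basic_challenge(realm_name=REALM_NAME):
    """Headers the server returns when a secured resource is requested
    without credentials; the browser then prompts the user."""
    return {"Status": "401 Unauthorized",
            "WWW-Authenticate": 'Basic realm="%s"' % realm_name}


def make_basic_header(user, password):
    """What the browser sends back: base64 of 'user:password'."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_credentials(authorization_header):
    """Parse 'Authorization: Basic <token>' into (user, password).
    Returns None for a malformed or non-Basic header. The password is
    recovered exactly as typed: base64 is encoding, not encryption."""
    parts = authorization_header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # password may contain ':'
    return user, password


def authenticate(authorization_header, realm=SAMPLE_REALM):
    """Validate the decoded credentials against the realm. Returns the
    username on success, None otherwise. A constant-time comparison
    avoids leaking how much of the password matched."""
    creds = decode_basic_credentials(authorization_header)
    if creds is None:
        return None
    user, password = creds
    expected = realm.get(user)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user
```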