NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
Realms
By default, the Realm authenticates a user by binding to the directory with the DN
of the user's entry and the password provided by the user. If this bind
succeeds, the user is considered to be authenticated.
For security reasons, a directory may store a digest of the user's password rather
than the plain text version. In this case, as part of the bind operation, the directory
automatically computes the correct digest of the plain text password before
validating it against the stored value. Therefore, in the bind mode, the Realm is not
involved in digest processing. The digest attribute is not used, and will be ignored if
the attribute is set.
Comparison Mode
In the comparison mode, a Realm can retrieve the password stored in the directory
and compare the password explicitly with the value presented by the user. You can
configure this mode by setting the userPassword attribute to the name of a
directory attribute in the user's entry that contains the password.
The comparison mode has some disadvantages. The connectionName and
connectionPassword attributes must be configured with credentials that allow the
Realm to read users' passwords from the directory. For security reasons, it is
undesirable for a Realm to be able to read users' passwords; many directory
implementations do not allow even the directory manager to read them. Additionally,
the Realm must handle password digests itself, including variations in the hash
algorithms and in the ways password hashes are represented in the directory.
However, the Realm might sometimes need access to the stored password, for
instance to support HTTP Digest Access Authentication.
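The following is an added example, not code from NSJSP or the JNDIRealm, of what "handling password digests itself" means for a Realm in comparison mode. It assumes the directory stores userPassword in the common RFC 2307 form `{SCHEME}base64(...)` (or cleartext), a constructed in-memory set of user entries in place of a real LDAP search, and the function names `make_hash`, `verify_user_password` and `authenticate`, which are this example's own. Unknown or malformed schemes are rejected rather than guessed, and all comparisons are constant-time.

```python
"""Comparison-mode password check against LDAP userPassword values.

Added example (not NSJSP/JNDIRealm code). Assumes RFC 2307 style
"{SCHEME}base64" values or cleartext, and a constructed directory.
"""
import base64
import hashlib
import hmac
import os

# Unsalted schemes: {SCHEME}base64(H(password))
_PLAIN = {"MD5": "md5", "SHA": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Salted schemes: {SCHEME}base64(H(password || salt) || salt); value is digest length
_SALTED = {"SMD5": ("md5", 16), "SSHA": ("sha1", 20),
           "SSHA256": ("sha256", 32), "SSHA512": ("sha512", 64)}


def make_hash(password: str, scheme: str, salt: bytes = b"") -> str:
    """Produce a userPassword value (used here only to build constructed entries)."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in _PLAIN:
        digest = hashlib.new(_PLAIN[scheme], pw).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))
    if scheme in _SALTED:
        algo, _ = _SALTED[scheme]
        salt = salt or os.urandom(8)
        digest = hashlib.new(algo, pw + salt).digest()
        return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))
    raise ValueError("unsupported scheme: " + scheme)


def verify_user_password(stored: str, presented: str) -> bool:
    """True if `presented` matches one stored userPassword value.

    Unknown or malformed schemes fail closed; comparisons are constant-time.
    """
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the directory holds the password in cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), presented.encode("utf-8"))
    scheme, _, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    pw = presented.encode("utf-8")
    if scheme in _PLAIN:
        candidate = hashlib.new(_PLAIN[scheme], pw).digest()
        return hmac.compare_digest(candidate, raw)
    if scheme in _SALTED:
        algo, size = _SALTED[scheme]
        if len(raw) <= size:
            return False  # no salt bytes present: malformed value
        digest, salt = raw[:size], raw[size:]
        candidate = hashlib.new(algo, pw + salt).digest()
        return hmac.compare_digest(candidate, digest)
    return False  # e.g. {CRYPT}: not handled here, so reject rather than guess


# Constructed user entries (not real data): what the Realm would read from the
# directory using its connectionName/connectionPassword credentials.
PEOPLE = {
    "alice": {"userPassword": [make_hash("correct horse", "SSHA", b"\x01\x02\x03\x04\x05\x06\x07\x08")]},
    "bob":   {"userPassword": [make_hash("battery staple", "SHA")]},
    "carol": {"userPassword": ["legacy-cleartext"]},
    "dave":  {"userPassword": ["{CRYPT}$1$abcdefgh$notverifiedhere"]},
}


def authenticate(uid: str, presented: str, people=PEOPLE) -> bool:
    """Comparison-mode authentication: read the entry, compare explicitly."""
    entry = people.get(uid)
    if entry is None:
        return False
    # userPassword is multi-valued in LDAP; any matching value authenticates.
    return any(verify_user_password(v, presented) for v in entry.get("userPassword", []))


if __name__ == "__main__":
    for uid, pw in [("alice", "correct horse"), ("alice", "wrong"), ("dave", "anything")]:
        print(uid, repr(pw), "->", authenticate(uid, pw))
```

Note that every scheme the directory might use has to be listed explicitly; a value such as `{CRYPT}` that the Realm does not implement causes a failed login rather than a silent fallback. In bind mode none of this code is needed, because the directory performs the comparison itself.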
Assigning Roles to a User
The JNDIRealm supports the following methods to represent roles in the directory:
Roles as explicit directory entries
You can represent roles by specifying explicit directory entries. A role entry is
usually an LDAP group entry with one attribute containing the name of the role and
another attribute specifying the distinguished names or usernames of users in that
role.
You can use the following attributes to configure a directory search to find role
names corresponding to the authenticated user:
roleBase - Specifies the base entry for the role search. If this attribute is not
specified, the search base is the top-level directory context.
roleSubtree - Specifies the search scope. Set this attribute to true if you
want to search the entire subtree rooted at the roleBase entry. The default
value (false) requests a single-level search, which includes only the entries
immediately below roleBase.
Note. You can use a combination of both these methods to represent a role.
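The following is an added example, not NSJSP or JNDIRealm code, that shows what the roleBase and roleSubtree scope settings mean for a role lookup against "roles as explicit directory entries". It uses a constructed in-memory directory in place of LDAP, a simplified DN comparison that assumes no escaped commas in DNs, and assumes that the role entry names its members in a `member` attribute and carries the role name in `cn`; those attribute names and the function names `in_scope` and `find_roles` are this example's own. The point it makes is that a role entry kept one level deeper than roleBase is missed unless roleSubtree is true.

```python
"""Role lookup with roleBase / roleSubtree scope semantics.

Added example (not NSJSP/JNDIRealm code). The in-memory directory, the DN
handling and the attribute names are assumptions for illustration.
"""


def dn_components(dn: str) -> list:
    """Split a DN into normalized RDNs (assumes no escaped commas in DNs)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(dn: str, base: str, subtree: bool) -> bool:
    """True if `dn` lies under `base`: one level only, or the whole subtree."""
    d, b = dn_components(dn), dn_components(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False  # not beneath the base (the base entry itself is excluded)
    return subtree or len(d) == len(b) + 1


def find_roles(directory: dict, user_dn: str, role_base: str,
               role_subtree: bool = False, member_attr: str = "member",
               role_name_attr: str = "cn") -> list:
    """Return role names of entries under role_base that list user_dn as a member."""
    wanted = dn_components(user_dn)
    roles = []
    for dn, attrs in directory.items():
        if not in_scope(dn, role_base, role_subtree):
            continue
        members = [dn_components(m) for m in attrs.get(member_attr, [])]
        if wanted in members:
            roles.extend(attrs.get(role_name_attr, []))
    return sorted(roles)


# Constructed directory contents (not real data): dn -> attributes.
ROLE_BASE = "ou=roles,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    "ou=roles,dc=example,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=admin,ou=roles,dc=example,dc=com": {"cn": ["admin"], "member": [ALICE]},
    "cn=auditor,ou=roles,dc=example,dc=com": {"cn": ["auditor"], "member": [BOB]},
    # A role entry one level deeper: only found when roleSubtree is true.
    "cn=ops,ou=nested,ou=roles,dc=example,dc=com": {"cn": ["ops"], "member": [ALICE, BOB]},
    # Outside roleBase entirely: never returned, whatever the scope.
    "cn=admin,ou=other,dc=example,dc=com": {"cn": ["admin"], "member": [ALICE]},
}


if __name__ == "__main__":
    print(find_roles(DIRECTORY, ALICE, ROLE_BASE))                     # single level
    print(find_roles(DIRECTORY, ALICE, ROLE_BASE, role_subtree=True))  # whole subtree
```

A practical consequence: if roles are later reorganized into sub-OUs under roleBase, users silently lose those roles until roleSubtree is set to true; conversely, a roleBase that is too broad (for instance the directory root with roleSubtree true) lets any group anywhere in the tree grant application roles.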