
JavaServer Faces by Hans Bergsten


Authentication and Authorization

In the sample application, each expense report has an owner; the actions a user can perform on a specific report depend on whether she owns it, and on whether she's a manager or a regular employee. To implement these requirements, we need a way to identify application users and to tell what type of user each one is.

A process referred to as authentication identifies users. To access the application, the user has to provide personal information that only a real, registered user would know. The application authenticates the information, e.g., by comparing it to information in a registry of known users. If the information is authentic, the application recognizes the user as a specific person. Once the application knows who the user is, it can use this knowledge to decide what the person is allowed to do (also known as authorization).

Authenticating the User

A Java web container typically supports four methods of authentication, described in the servlet specification: HTTP basic authentication, HTTP digest authentication, HTTPS client authentication, and form-based authentication.

HTTP basic authentication is a simple and not very secure authentication scheme that I'm sure you've encountered. When a browser requests access to a protected resource, the server sends back a response asking for the user's credentials (username and password). The browser prompts the user for this information and sends the same request again, but this time with the credentials in ...
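The following is an added example, not code from the book or the sample application: it models the HTTP basic authentication exchange just described (the server's 401 challenge, the browser's repeated request carrying base64-encoded credentials, the server decoding and checking them) and then applies the owner-or-manager authorization rule from the expense report scenario. In a real deployment the Java web container performs the challenge and credential check for you; here the user registry, the realm name, the user names and passwords are all constructed stand-ins, and the code is plain Python so the exchange can be run offline.

```python
import base64
import hashlib
import hmac
import os

REALM = "ExpenseReports"  # constructed realm name


def _hash(salt: bytes, password: str) -> bytes:
    """Salted PBKDF2 so the registry never stores plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_registry():
    """Constructed registry of known users: name -> (salt, password hash, roles)."""
    registry = {}
    for user, password, roles in [
        ("alice", "s3cret-pw", {"employee", "manager"}),  # constructed sample user
        ("bob", "hunter2", {"employee"}),                 # constructed sample user
    ]:
        salt = os.urandom(16)
        registry[user] = (salt, _hash(salt, password), roles)
    return registry


REGISTRY = make_registry()


def challenge():
    """Server side, step 1: no usable credentials, so ask the browser for them."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def client_credentials_header(username, password):
    """Browser side, step 2: resend the request with base64(username:password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_basic(header_value):
    """Decode an Authorization header. Returns (user, password) or None if malformed.

    Note that this is a plain base64 decode: anyone who can read the request
    (for example on a non-TLS connection) recovers the password the same way.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    if not sep:
        return None
    return user, password


def authenticate(headers):
    """Server side, step 3: return the principal name if the credentials are authentic."""
    value = headers.get("Authorization")
    if value is None:
        return None
    parsed = parse_basic(value)
    if parsed is None:
        return None
    user, password = parsed
    entry = REGISTRY.get(user)
    if entry is None:
        _hash(b"\x00" * 16, password)  # same cost as a real check; don't leak which users exist
        return None
    salt, expected, _roles = entry
    if not hmac.compare_digest(_hash(salt, password), expected):
        return None
    return user


def is_user_in_role(user, role):
    """Equivalent of the container's isUserInRole() check, against the constructed registry."""
    return role in REGISTRY.get(user, (None, None, set()))[2]


def may_edit_report(user, owner):
    """Authorization rule from the sample application: the owner or any manager may edit."""
    return user == owner or is_user_in_role(user, "manager")


def handle_request(headers, report_owner):
    """One protected request: authenticate, then authorize. Returns (status, response headers)."""
    user = authenticate(headers)
    if user is None:
        return challenge()
    if not may_edit_report(user, report_owner):
        return 403, {}
    return 200, {"X-Remote-User": user}


if __name__ == "__main__":
    print(handle_request({}, "bob"))                                           # 401 + challenge
    print(handle_request(client_credentials_header("bob", "hunter2"), "bob"))  # 200, owner
    print(handle_request(client_credentials_header("bob", "hunter2"), "alice"))  # 403, not owner, not manager
    print(handle_request(client_credentials_header("alice", "s3cret-pw"), "bob"))  # 200, manager
```

The split between authenticate() and may_edit_report() mirrors the distinction the text draws: authentication establishes who the user is, authorization decides what that person may do. parse_basic() also makes the "not very secure" remark concrete, since base64 is an encoding rather than encryption, which is why basic authentication is only acceptable over HTTPS.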
