Which jGuard authentication configuration?

Last modified by XWikiGuest on 2010/10/28 16:48

jGuard distinguishes three types of "users" in a J2EE environment:

  • administrator
  • webapp developer
  • webapp user

jGuard provides two types of authentication configurations:

'usual' authentication

'usual' authentication provides a good security level. It protects the webapp's resources against webapp users: each webapp user is authenticated, and access control is enforced according to his roles.

This configuration does not protect a webapp developer against the developers of other webapps, or against administrators: the first webapp that uses jGuard sets up the security configuration for the whole JVM. The authentication configuration is easier, because everything is configured in web.xml.

Nothing needs to be configured on the JVM side. Security is in place once the first webapp that uses jGuard is loaded by the application server. This security level is adequate for these use cases:

  • The webapp is used to test jGuard
  • There is only one webapp on the application server
  • There are multiple webapps on the same application server, and they are 'friendly' to each other
  • One 'friendly' webapp is loaded first

'advanced' authentication

'advanced' configuration allows for a more secure environment, but is more difficult to configure: you must install two jars, one for the webapp and one dedicated to the JVM side, and some bootclasspath tricks are needed too.

This configuration protects webapp resources against users, like the 'usual' configuration, and additionally protects webapp developers against other webapps, and the administrator against any webapp developer. The administrator's machine should also restrict the rights of the java process, to protect against the application server administrator. This configuration is highly secure, and should be used by hosting companies.

This is a cascading security delegation model: webapp users are controlled by webapps; webapps are isolated from other webapps (other webapps cannot do damage); webapps are controlled by the application server administrator, who configures the JVM security.
The application server administrator is controlled by the operating system administrator, who assigns restricted rights to java. The operating system administrator's security relies on BIOS security, which in turn relies on the physical security of the machine.

To obtain this highly secured configuration, you must enable the SecurityManager.
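The following is an added example, not jGuard code and not part of the jGuard documentation: it uses only the standard java.security API to show what enabling the SecurityManager changes. Once a policy is loaded and the SecurityManager is installed, a file read that the policy does not grant is refused by the JVM itself, which is the mechanism the 'advanced' model relies on to isolate one webapp from another. The file names, the temporary directory and the policy contents are constructed for the demo; a real deployment would use one 'grant codeBase' block per webapp instead of the unscoped 'grant' used here.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.security.AccessControlException;
import java.security.Policy;

/**
 * Added example (not jGuard code): demonstrates that with a SecurityManager enabled,
 * code is limited to the permissions granted by the JVM policy, whatever the webapp
 * itself would like to do.
 */
public class SandboxDemo {

    /** Attempts to read the file; returns true if the JVM allowed it, false if the policy denied it. */
    static boolean tryRead(File f) throws IOException {
        try {
            Files.readAllBytes(f.toPath());
            return true;
        } catch (AccessControlException denied) {
            // Thrown by the SecurityManager: the policy grants no FilePermission for this path.
            System.out.println("denied: " + denied.getPermission());
            return false;
        }
    }

    /** Writes a minimal policy file that grants read access to exactly one file (constructed for the demo). */
    static File writePolicy(File dir, File allowed) throws IOException {
        File policy = new File(dir, "demo.policy");
        // Backslashes must be doubled inside policy-file string literals (Windows paths).
        String path = allowed.getAbsolutePath().replace("\\", "\\\\");
        try (FileWriter w = new FileWriter(policy)) {
            // A production policy uses one 'grant codeBase "file:/path/to/webapp/-" { ... };'
            // block per webapp so that each webapp only receives its own permissions;
            // this demo grants to all code for brevity.
            w.write("grant {\n");
            w.write("  permission java.io.FilePermission \"" + path + "\", \"read\";\n");
            w.write("};\n");
        }
        return policy;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: two files, only one of which the policy allows.
        File dir = Files.createTempDirectory("sandbox-demo").toFile();
        File allowed = new File(dir, "allowed.txt");
        File denied = new File(dir, "denied.txt");
        Files.write(allowed.toPath(), "public".getBytes());
        Files.write(denied.toPath(), "secret".getBytes());

        File policy = writePolicy(dir, allowed);

        // Everything up to here ran without a SecurityManager, so no checks applied.
        System.setProperty("java.security.policy", policy.getAbsolutePath());
        Policy.getPolicy().refresh();             // ensure the policy file above is loaded
        System.setSecurityManager(new SecurityManager());

        // From now on every sensitive call is checked against the policy:
        // the first read succeeds, the second is refused by the JVM.
        System.out.println("allowed.txt readable: " + tryRead(allowed));
        System.out.println("denied.txt readable:  " + tryRead(denied));
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo`. On Java 18 and later, installing a SecurityManager at run time is disabled by default, so start the JVM with `-Djava.security.manager=allow`; in an application server the equivalent is to start the JVM with `-Djava.security.manager -Djava.security.policy=<policy file>` so that the manager is active before any webapp is loaded, rather than relying on a webapp to install it.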

Created by diabolo512 on 2006/02/09 14:34

jGuard team copyright 2004-2009