Welcome to the jGuard's wiki » 全体像 » Which jGuard authentication configuration?

Which jGuard authentication configuration?

Last modified by RaffaelloPelagalli on 2006/01/13 05:39

Which jGuard authentication configuration?

jGuard distinguish 3 types of "users" in a J2EE environment:

  • administrator
  • webapp developer
  • webapp user
jGuard provide two types of authentication configuration:

'usual' authentication

'usual' authentication provide a good security level. it permits to protect webapp ressources against webapp users. each webapp user will be authenticated, and access control will be provided regarding his roles.

this authentication configuration will not protect webapp developers against webapp developers of others webapps, and don't protect administrator. the first webapp which use jGuard configure all the JVM security configuration.The authentication configuration is easier, because all should be configured in the web.xml.

there is no need to configure things on the JVM side. Security is present after the first webapp which use jGuard is loaded by the application Server.this security level is reliable for these use cases:

  • the webapp is used to test jGuard
  • there is only one webapp on the application server
  • there are multiple webapps on the same application servers, and there are 'friendly' each others
  • one 'friendly' webapp is loaded firstly

'advanced' authentication

'advanced' configuration permits to have the more secure level available, but is a little bit more tricky to configure: you have to install two jars: one for the webapp, and one dedicated to the JVM-side.some bootclasspath tricks are needed too.

this configuration permits to protect webapp ressources against users like the 'usual' configuration, to protect webapp developers against others webapps, and to protect administrator against any webapp developers.the administrator machine should restrict too the java rights to protect against application sever administrator. this configuration is highly secure, and should be used by hosting companies.

it's a cascading security delegation model: webapp users are controlled by webapps; webapps are isolated from others webapps (others webapps cannot make damages);webapps are controlled by the application server administrator which configure the JVM security.
The application server administrator is controlled by the operating system administrator which assign restricted rights to java.the operating system administrator security relies on BIOS security, which relies on the physical machine security.

to have this very secured configuration, you must enable the securityManager.

Created by Masa Naka on 2006/01/13 05:39

jGuard team copyright 2004-2009