web server - Borland Technical Publications
web server - Borland Technical Publications
web server - Borland Technical Publications
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
System Contracts<br />
Security Management<br />
In compliance with the Connectors 1.0 specification, VisiConnect supports both<br />
container-managed and component-managed sign-on. At runtime, VisiConnect<br />
determines the selected sign-on mechanism based on information specified in<br />
deployment descriptor of the invoking component. If VisiConnect is unable to<br />
determine the sign-on mechanism requested by the component (most often due to an<br />
improper JNDI lookup of the Resource Adapter connection factory), VisiConnect will<br />
attempt container-managed sign-on. If the component has specified explicit security<br />
information, this will be presented in the call to obtain the connection, even in the case<br />
of container-managed sign-on.<br />
Component-Managed Sign-on<br />
When employing component-managed sign-on, the component provides all the<br />
required security information - most commonly a username and a password - when<br />
requesting to obtain a connection to an EIS. The application <strong>server</strong> provides no<br />
additional security processing other than to pass the security information along on the<br />
request for the connection. The Resource Adapter uses the component-provided<br />
security information to perform EIS sign-on in an implementation-specific manner.<br />
Container-Managed Sign-on<br />
When employing container-managed sign-on, the component does not present any<br />
security information, and the container must determine the necessary sign-on<br />
information, providing this information to the Resource Adapter in the request to obtain<br />
a connection. The container must determine an appropriate resource principal and<br />
provide this resource principal information to the Resource Adapter in the form of a<br />
Java Authentication and Authorization Service (JAAS) Subject object.<br />
EIS-Managed Sign-on<br />
When employing EIS-managed sign-on, the Resource Adapter internally obtains all of<br />
its EIS connections with a pre-configured, hard-coded set of security information. In<br />
this scenario the Resource Adapter does not depend upon the security information<br />
passed to it in the invoking component's requests for new connections.<br />
Authentication Mechanisms<br />
<strong>Borland</strong> Enterprise Server user must be authenticated whenever they request access<br />
to a protected <strong>Borland</strong> Enterprise Server resource. For this reason, each user is<br />
required to provide a credential (a username/password pair or a digital certificate) to<br />
<strong>Borland</strong> Enterprise Server. The following types of authentication mechanisms are<br />
supported by <strong>Borland</strong> Enterprise Server:<br />
■<br />
■<br />
■<br />
Password authentication a user ID and password are requested from the user and<br />
sent to <strong>Borland</strong> Enterprise Server in clear text. <strong>Borland</strong> Enterprise Server checks the<br />
information and if it is trustworthy, grants access to the protected resource.<br />
The SSL (or HTTPS) protocol can be used to provide an additional level of security<br />
to password authentication. Because the SSL protocol encrypts the data transferred<br />
between the client and <strong>Borland</strong> Enterprise Server, the user ID and password of the<br />
user do not flow in the clear. Therefore, <strong>Borland</strong> Enterprise Server can authenticate<br />
the user without compromising the confidentiality of the user's ID and password.<br />
Certificate authentication: when an SSL or HTTPS client request is initiated, <strong>Borland</strong><br />
Enterprise Server responds by presenting its digital certificate to the client. The<br />
client then verifies the digital certificate and an SSL connection is established. The<br />
CertAuthenticator class then extracts data from the client's digital certificate to<br />
determine which <strong>Borland</strong> Enterprise Server User owns the certificate and then<br />
retrieves the authenticated User from the <strong>Borland</strong> Enterprise Server security realm.<br />
250 BES Developer’s Guide