What Are Realms, Users, Groups, and Roles?
A realm is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group. Managing users on the GlassFish Server is discussed in Managing Users and Groups on the GlassFish Server.
An application will often prompt for a user name and password before allowing access to a protected resource. After the user name and password have been entered, that information is passed to the server, which either authenticates the user and sends the protected resource or does not authenticate the user, in which case access to the protected resource is denied. This type of user authentication is discussed in Specifying an Authentication Mechanism in the Deployment Descriptor.
In some applications, authorized users are assigned to roles. In this situation, the role assigned to the user in the application must be mapped to a principal or group defined on the application server. Figure 24–6 shows this. More information on mapping roles to users and groups can be found in Setting Up Security Roles.
The following sections provide more information on realms, users, groups, and roles.
Figure 24–6 Mapping Roles to Users and Groups
What Is a Realm?
A realm is a security policy domain defined for a web or application server. The protected resources on a server can be partitioned into a set of protection spaces, each with its own authentication scheme and/or authorization database containing a collection of users and groups. For a web application, a realm is a complete database of users and groups identified as valid users of a web application or a set of web applications and controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms. The file, admin-realm, and certificate realms come preconfigured for the GlassFish Server.
In the file realm, the server stores user credentials locally in a file named keyfile. You can use the Administration Console to manage users in the file realm. When using the file realm, the server authentication service verifies user identity by checking the file realm. This realm is used for the authentication of all clients except for web browser clients that use HTTPS and certificates.
In the certificate realm, the server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with HTTPS to authenticate web clients. To verify the identity of a user in the certificate realm, the authentication service verifies an X.509 certificate. For step-by-step instructions for creating this type of certificate, see Working with Digital Certificates. The common name field of the X.509 certificate is used as the principal name.
The admin-realm is also a file realm and stores administrator user credentials locally in a file named admin-keyfile. You can use the Administration Console to manage users in this realm in the same way you manage users in the file realm. For more information, see Managing Users and Groups on the GlassFish Server.
What Is a User?
A user is an individual or application program identity that has been defined in the GlassFish Server. In a web application, a user can have associated with that identity a set of roles that entitle the user to access all resources protected by those roles. Users can be associated with a group.
A Java EE user is similar to an operating system user. Typically, both types of users represent people. However, these two types of users are not the same. The Java EE server authentication service has no knowledge of the user name and password you provide when you log in to the operating system. The Java EE server authentication service is not connected to the security mechanism of the operating system. The two security services manage users that belong to different realms.
What Is a Group?
A group is a set of authenticated users, classified by common traits, defined in the GlassFish Server. A Java EE user of the file realm can belong to a group on the GlassFish Server. (A user in the certificate realm cannot.) A group on the GlassFish Server is a category of users classified by common traits, such as job title or customer profile. For example, most customers of an e-commerce application might belong to the CUSTOMER group, but the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.
A group on the GlassFish Server has a different scope from a role. A group is designated for the entire GlassFish Server, whereas a role is associated only with a specific application in the GlassFish Server.
What Is a Role?
A role is an abstract name for the permission to access a particular set of resources in an application. A role can be compared to a key that can open a lock. Many people might have a copy of the key. The lock doesn't care who you are, only that you have the right key.
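The role-to-group mapping described above, written out as deployment descriptor fragments. This is an added example, not part of the original tutorial text; the role name preferredCustomer, the resource name, and the /offers/* URL pattern are assumptions chosen for illustration, while the PREFERRED group and the file realm are the ones named on this page.

```xml
<!-- WEB-INF/web.xml (fragment): the application refers only to the role. -->
<security-constraint>
  <web-resource-collection>
    <!-- Hypothetical resource name and path, chosen for this example. -->
    <web-resource-name>Preferred offers</web-resource-name>
    <url-pattern>/offers/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Application-scoped role (assumed name). -->
    <role-name>preferredCustomer</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password with every request, so require HTTPS. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Prompt for user name and password, checked against the file realm. -->
  <auth-method>BASIC</auth-method>
  <realm-name>file</realm-name>
</login-config>

<security-role>
  <role-name>preferredCustomer</role-name>
</security-role>

<!-- WEB-INF/glassfish-web.xml (fragment): the server-specific mapping
     from the application's role to a server-wide group. -->
<security-role-mapping>
  <role-name>preferredCustomer</role-name>
  <group-name>PREFERRED</group-name>
</security-role-mapping>
```

A user who belongs only to the CUSTOMER group authenticates successfully against the file realm but is still denied /offers/*, because no mapping gives that group the role. Reviewing these mappings per application is how you confirm that a server-wide group grants no more access than intended.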
Some Other Terminology
The following terminology is also used to describe the security requirements of the Java EE platform:
Security attributes: A set of attributes associated with every principal. The security attributes have many uses: for example, access to protected resources and auditing of users. Security attributes can be associated with a principal by an authentication protocol.