6.4. Identification and Authentication
Each user is assigned a unique user identifier. Access control decisions and auditing use this identifier. JBoss Enterprise Application Platform authenticates the user's claimed identity before allowing the user to perform any actions. After successful authentication JBoss Enterprise Application Platform associates the identifier with the thread spawned for the user.
JBoss Enterprise Application Platform provides different identification and authentication mechanisms for various request types.
- HTTP and Web Services
- HTTP-basic authentication, HTTP-digest authentication, form-based authentication, client certificate based authentication.
- EJB
- Username and password-based authentication, and client certificate based authentication.
- JMS
- Username and password-based authentication.
- JNDI
- Username and password-based authentication.
- JMX Invokers
- Username and password-based authentication.
JBoss Enterprise Application Platform uses JBoss SX framework to implement identification and authentication. The JBossSX framework utilizes the Java Authentication and Authorization Service (JAAS) provided by the Java Virtual Machine. The authentication capabilities of JAAS are used to implement the declarative role-based J2EE security model.
The following authentication back-ends are configurable with the JAAS modules.
- File-based storage
- BaseCertLoginModule
- LDAP
- Databases accessible through JDBC
Password quality can be enforced with configuration options for the JAAS modules provided by JBoss Enterprise Application Platform.
For information on how to configure the JAAS modules, refer to the "Using JBoss Login Modules" section of the JBoss Security Guide.
