java.security.manager or use the Admin Console. When the security manager is disabled, GlassFish will have better performance, but the JVM will not perform code-based security checks. Note that even if the security manager is disabled, GlassFish still enforces Java EE standard authentication/authorization.
com.sun.appserv.security.AppservPasswordLoginModule respectively. You can configure a realm and JAAS module by modifying the config/domain.xml file (adding your realm configuration information there) and the config/login.conf file (adding your login module there) respectively.
<property name="sso-enabled" value="false"/>
<http-listener>. Using this configuration, all requests through this listener will go through client certificate authentication.
client-auth-enabled="false" and, instead, configure the <auth-method> element in the web application's
CLIENT-CERT. When this web application is accessed, the first request that qualifies for the <auth-constraint> will trigger the client-certificate authentication. The following example shows how to configure client-certificate authentication in the
Prior to invoking a Realm, the GlassFish runtime (typically) extracts a user name and password from the received request message. The runtime passes the user name and password through the Realm interface to the Realm implementation integrated at the pluggability point. The Realm implementation attempts to validate the password against its repository and, on success, populates a JAAS Subject with principals and credentials corresponding to the validated identity. In the Realm architecture, the GlassFish runtime, not the pluggable Realm, is responsible for parsing the security information in the received message and extracting the information (that is, the user name and password) to be passed to the validation system (that is, the Realm). The Realm interface is basically a pluggable password validation facility, which relies on the calling runtime to extract the user name and password from the invocation message.
Server Authentication Modules are integrated in the GlassFish runtime such that the runtime passes the received request message (and the corresponding response message) across the pluggability interface to the Server Authentication Module integrated at the pluggability point. The authentication module is provided with access to the network messages, and it is expected to parse, validate, and modify their content as appropriate to the security mechanism implemented by the module. Like the Realm implementation, the Server Authentication Module captures the results of a successful request message validation by populating a JAAS Subject with principals and credentials corresponding to the authenticated identity. Moreover, the message authentication SPI defines standard portable interfaces for password validation that can be used by an authentication module to invoke password validation functionality (when required by the authentication mechanism and not provided by the authentication module). Within GlassFish, the portable password validation interfaces are implemented as a veneer over the Realm pluggability point, such that password validation is performed using the realm configured for the application.
Summary: Server Authentication Modules provide a standard, portable, pluggable network authentication facility. GlassFish Realms provide a pluggable password validation facility that is dependent on a message interpretation layer to extract the user name and password to be validated. GlassFish Realms are integrated within the GF implementation of the message authentication contract (that is, of JSR 196), such that when password validation is requested by a Server Authentication Module, the Realm configured for the application is invoked to perform the validation.
Difference by Example: A Server Authentication Module can implement FBL (Form Based Login), including constructing the redirects and validating the user name and password. The module could rely on a GF Realm (e.g. a JDBC Realm) for the password validation. Conversely, a GF Realm could not be expected to implement FBL.