JSR-000058 Java TM 2 Platform, Enterprise Edition 1.3 Specification
JSR-000058 Java TM 2 Platform, Enterprise Edition 1.3 Specification
JSR-000058 Java TM 2 Platform, Enterprise Edition 1.3 Specification
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
SSL 3.0 1 and the means to perform mutual (client and server) certificate based<br />
authentication are required by this specification.<br />
All J2EE products must support the following cipher suites to ensure<br />
interoperable authentication with clients:<br />
■ SSL_RSA_EXPORT_WITH_RC4_40_MD5<br />
■ SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA<br />
These cipher suites are supported by the major web browsers and meet the U.S.<br />
government export restrictions.<br />
Form Based Login<br />
The web application deployment descriptor contains an element that causes a<br />
J2EE product to associate an H<strong>TM</strong>L form resource (perhaps dynamically<br />
generated) with the web application. If the Deployer chooses this form of<br />
authentication (over HTTP basic, or SSL certificate based authentication), this<br />
form must be used as the user interface for login to the application.<br />
The form based login mechanism and web application deployment descriptors<br />
are described in the Servlet 2.2 specification.<br />
3.4.1.4 Unauthenticated Users<br />
Web containers are required to support access to web resources by clients that<br />
have not authenticated themselves to the container. This is the common mode of<br />
access to web resources on the Internet. A web container reports that no user has<br />
been authenticated by returning null from the HttpServletRequest method<br />
getUserPrincipal.<br />
The EJB specification requires that the EJBContext method<br />
getCallerPrincipal always return a valid Principal object. It can never<br />
return null. However, it’s important that components running in a web<br />
container be able to call enterprise beans, even when no user has been<br />
authenticated in the web container. When a call is made in such a case from a<br />
component in a web container to an enterprise bean, a J2EE product must<br />
provide a principal for use in the call.<br />
A J2EE product may provide a principal for use by unauthenticated callers using<br />
many approaches, including, but not limited to:<br />
■ Always use a single distinguished principal.<br />
■ Use a different distinguished principal per server, or per session, or per<br />
application.<br />
1.The SSL 3.0 specification is available at: http://home.netscape.com/eng/ssl3<br />
3-16 <strong>Java</strong> 2 <strong>Platform</strong> <strong>Enterprise</strong> <strong>Edition</strong>, v<strong>1.3</strong> Proposed Final Draft (Sun Microsystems, Inc.)