blogger templates blogger widgets
This is part of a list of blog posts.
To browse the contents go to

Terminologies - Authentication on J2EE

The following terminologies help us understand authentication mechanisms involved in J2EE server.

A realm is defined on a web or application server. It contains a collection of users, which may or may not be assigned to a group, that are controlled by the same authentication policy.
The Java EE server authentication service can govern users in multiple realms.

A user is an individual (or application program) identity that has been defined in the Application Server.
In a web application, a user can have a set of roles associated with that identity, which entitles them to access all resources protected by those roles.
Users can be associated with a group.

A group is a set of authenticated users, classified by common traits, defined in the Application Server.
A Java EE user of the file realm can belong to an Application Server group. (A user in the certificate realm cannot.)
An Application Server group has a different scope from a role. An Application Server group is designated for the entire Application Server,
whereas a role is associated only with a specific application in the Application Server.

A role is an abstract name for the permission to access a particular set of resources in an application.
A role can be compared to a key that can open a lock. Many people might have a copy of the key.
The lock doesn’t care who you are, only that you have the right key.

A principal is an entity that can be authenticated by an authentication protocol in a security service that is deployed in an enterprise.
A principal is identified using a principal name and authenticated using authentication data.

Security policy domain (also known as security domain or realm):
A security policy domain is a scope over which a common security policy is defined and enforced by the security administrator of the
security service.

Security attributes:
A set of security attributes is associated with every principal. The security attributes have many uses, for example,
access to protected resources and auditing of users. Security attributes can be associated with a principal by an authentication protocol.

A credential contains or references information (security attributes) used to authenticate a principal for Java EE product services.
A principal acquires a credential upon authentication, or from another principal that allows its credential to be used.

The tags used in the deployment descriptor is explained here.


  1. I have read your blog its very attractive and impressive. I like it your blog.
    kajal hot

  2. It is very good and very informative. There is a useful information in it.Thanks for posting...