2.2 Possible Configurations

You can configure your J2EE server so that users have direct access to it or so that it is a protected resource of the Access Gateway. Both configurations use the Identity Server for authentication.

2.2.1 Allowing Direct Access to the J2EE Server

When you configure the Identity Server to provide authentication for the applications on the J2EE server, the communication process follows the paths illustrated in Figure 2-1.

Figure 2-1 JBoss Applications Using the Identity Server

  1. The user requests access to an application on the J2EE server. The user is redirected to the Identity Server.

  2. The Identity Server prompts the user for a username and password.

  3. The Identity Server verifies the username and password against a user store (an LDAP directory).

  4. The Identity Server builds the roles for the user and redirects the user back to the application server.

  5. The agent verifies the user’s credentials and obtains the user’s role information.

  6. The application server allows access to the requested application.

This scenario is most often used when users behind your firewall need access to the application server, and an internal DNS server resolves the DNS name of the application server to its IP address.

For configuration information, see Section 2.3, Configuring the Agent for Direct Access.

2.2.2 Protecting the Application Server with the Access Gateway

When you configure the Access Gateway to protect the application server, the communication process follows the paths illustrated in Figure 2-2.

Figure 2-2 The J2EE Server as a Protected Resource

  1. The user requests access to the application server by using a published DNS name. The request is sent to the Access Gateway, and the Access Gateway proxies the request to the agent.

  2. The agent redirects the request back to the Access Gateway, and the Access Gateway redirects the user to the Identity Server, which prompts the user for a username and password.

  3. The Identity Server verifies the username and password against a user store (an LDAP directory).

  4. The Identity Server builds the roles for the user and redirects the user back to the Access Gateway.

  5. The Access Gateway directs the user’s request to the application server.

  6. The agent verifies the user’s credentials and obtains the user’s role information.

  7. The application server allows the user to access the requested application.

For configuration information, see Section 2.4, Protecting the Application Server with the Access Gateway.