uCosminexus Application Server, Security Management Guide


4.11.4 Authenticating users from within applications

This subsection describes the authentication functionality available for applications to ensure security in Web client configurations.

Organization of this subsection
(1) The purpose of authenticating users from within applications
(2) Comparison between application-based user authentication methods

(1) The purpose of authenticating users from within applications

From the viewpoint of security threats, authenticating users when they execute applications prevents system users from carrying out operations, or acquiring information, beyond the scope of the permissions granted to them.

Application servers allow the use of the following three protocols to ensure security via user authentication:

- HTTPS (client authentication)
- HTTP (Basic authentication)
- HTTP (Form authentication)

Ensure security by using one of these protocols according to your particular purpose.

(2) Comparison between application-based user authentication methods

The table below shows where user authentication is carried out for each communication protocol, as well as the authentication engines used.

Table 4-8 Location of user authentication for each communication protocol and authentication engines used

Protocol used                  | Location of authentication                 | Authentication engine
-------------------------------+--------------------------------------------+-----------------------------------------
HTTPS (Client authentication)  | Cosminexus HTTP Server or Microsoft IIS    | SSL
                               | SSL accelerator                            | SSL
HTTP (Basic authentication)    | Cosminexus HTTP Server                     | HWS password file
                               |                                            | LDAP repository
                               | J2EE server (Web container)                | Password file
HTTP (Form authentication)     | J2EE server (Web container)                | Password file
                               | J2EE server (integrated user management)   | Integrated user management password file
                               |                                            | Database
                               |                                            | LDAP repository

Each protocol and authentication engine has certain features. Consider these features to select a suitable authentication method for the purpose of your system.

(a) Features of the protocols

The table below shows the features of the protocols that can be used for authentication on an application server system.

Table 4-9 Features of the protocols

HTTPS (Client authentication)
  Authentication interface flexibility: Available functions are limited to those provided by a Web browser.
  Ease of management from client: Client certificates are required.
  Network safety: Due to encryption, authentication information is safe even if eavesdropping occurs.

HTTP (Basic authentication)
  Authentication interface flexibility: Available functions are limited to those provided by a Web browser.
  Ease of management from client: Common user name/password-based authentication is possible.
  Network safety: Passwords will be leaked in plain text or an equivalent format. Therefore, this authentication is usually used along with the HTTPS encryption function (for server authentication only).

HTTP (Form authentication)
  Authentication interface flexibility: Different functions can be designed for each application.
  Ease of management from client: Common user name/password-based authentication is possible.
  Network safety: Passwords will be leaked in plain text or an equivalent format. Therefore, this authentication is usually used along with the HTTPS encryption function (for server authentication only).

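The "Network safety" column above made concrete, as an added example that is not part of the guide: two constructed requests show that a Basic credential is only Base64-encoded (the "equivalent format" the table refers to) and that a form login posts the password unencoded, so both need the transport itself to be encrypted. The form field names follow the Servlet specification's standard form login (j_security_check, j_username, j_password); the host name and credentials are constructed sample values.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests, as they would appear on the wire without TLS.
BASIC_REQUEST = (
    "GET /app/report HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n"
    "\r\n"
)
FORM_REQUEST = (
    "POST /app/j_security_check HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "j_username=alice&j_password=password123"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def exposed_credentials(raw):
    """Return (scheme, user, password) when the request carries a reusable
    credential in plain text or a reversible encoding, otherwise None."""
    method, target, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: no key is needed to reverse it.
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        return ("basic", user, pwd)
    if (method == "POST" and target.endswith("/j_security_check")
            and headers.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        fields = parse_qs(body)  # the form body carries the password as-is
        return ("form", fields.get("j_username", [""])[0], fields.get("j_password", [""])[0])
    return None

def transport_risk(raw, over_tls):
    """Mirror the table: a credential in the request is acceptable only when
    the connection is encrypted (HTTPS), regardless of Basic or Form."""
    found = exposed_credentials(raw)
    if found is None:
        return "no reusable credential in request"
    scheme, user, _ = found
    state = "protected by TLS" if over_tls else "exposed to eavesdropping"
    return f"{scheme} credential for {user} {state}"
```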
(b) Features of the authentication engines

The table below shows the features of the authentication engines.

Table 4-10 Features of the authentication engines

Password file
  Versatility: The format varies with the function used.
  Maintainability: Each server or host has its own user information.
  Effect on system configuration: No special process is required for authentication.
  Effect on performance: Faster, because no process or host communication occurs for authentication.

Database
  Versatility: Depending on the format, an existing user information database can be used.
  Maintainability: User information management can be centralized.
  Effect on system configuration: A database server is required to store user information.
  Effect on performance: It takes additional time to access the database for authentication.

LDAP repository
  Versatility: Depending on the format, an existing user information repository can be used.
  Maintainability: User information management can be centralized, including distributed user information.
  Effect on system configuration: An LDAP-compliant directory server is required to store user information.
  Effect on performance: It takes additional time to access the LDAP directory server for authentication.