1. Technical Field
This disclosure relates generally to web application security and in particular to a method and system for allowing control over a displayable realm name associated with a security domain.
2. Background of the Related Art
In a web-based application environment, “realms” may protect resources, such as files, directories, images, application resources, or the like. Typically, realms assign certain systems to trusted groups of systems using a web server, or they protect and control access using a proxy server.
The Java JEE standard supports the notion of declaring security constraints for Web-based applications using XML (outside of the application code). In addition, JEE standards put the control of security into a container, which removes the control of security from the application developer. Application developers are looking for easier ways to declare these constraints during the development process. In addition, while developing these applications, developers need a better way to control the authentication process. To this end, the Java JEE Servlet 3.0 specification (Java specification: JSR315) resolves these issues using annotations and new Servlet methods. One specific enhancement in the specification allows the developer to control the “realm” name that is displayed to the client during basic authentication (to help the user understand specifically what they are logging into). As is well-known, basic authentication (BA) is a standard HTTP-based method for providing a username and password to an authentication mechanism. Under the JEE standard, the developer can control the displayed realm name by specifying the name within the Servlet or providing an indication to leave the realm name blank.
A problem arises, however, if a realm name is not defined by an application developer. Most application developers do not define the realm name. The JEE specification does not specify any mechanism to allow the administrator to specify a default realm name in this situation.
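The following added example (not part of the original disclosure) shows, at the HTTP level, how the three cases described above reach the user: a developer-defined realm, a deliberately blank realm, and an undefined realm. The `UNSET` sentinel, the `container_default` parameter and the sample realm names are assumptions made for illustration.

```python
import re

UNSET = object()  # constructed sentinel: the application never declared a realm


def basic_challenge(app_realm=UNSET, container_default="default"):
    """Build the WWW-Authenticate value for a 401 response.

    app_realm: name set by the developer, "" for deliberately blank,
               or UNSET when the application declares nothing.
    container_default: hypothetical value the container falls back to.
    """
    realm = container_default if app_realm is UNSET else app_realm
    # The realm travels in a response header and is shown to the user,
    # so refuse control characters instead of emitting them.
    if re.search(r"[\x00-\x1f\x7f]", realm):
        raise ValueError("control character in realm name")
    # quoted-string escaping: backslash first, then double quote.
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return f'Basic realm="{quoted}"'


def displayed_realm(header_value):
    """Recover the realm a client would show in its login prompt."""
    m = re.fullmatch(r'Basic realm="((?:[^"\\]|\\.)*)"', header_value)
    if m is None:
        raise ValueError("not a Basic challenge with a quoted realm")
    return re.sub(r"\\(.)", r"\1", m.group(1))


if __name__ == "__main__":
    # Constructed sample inputs, one per case described in the text.
    for label, kwargs in [
        ("developer-defined", {"app_realm": "Payroll Admin"}),
        ("deliberately blank", {"app_realm": ""}),
        ("not defined", {}),
    ]:
        header = basic_challenge(**kwargs)
        print(f"{label:20} {header!r} -> prompt shows {displayed_realm(header)!r}")
```

In the undefined case the user sees whatever fallback the container happens to use, which is the situation the last paragraph describes: the name in the login prompt is chosen by neither the developer nor the administrator.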