Security Constraint Element

As shown in the preceding example, the <web-app> element is the root element for web applications. The <web-app> element contains the following elements that are used for specifying security for a web application:

<security-role-ref>

The security role reference element contains the declaration of a security role reference in the web application's code. The declaration consists of an optional description, the security role name used in the code, and an optional link to a security role.

The security role name specified here is the security role name used in the code. The value of the role-name element must be the String used as the parameter to the HttpServletRequest.isUserInRole(String role) method. The container uses the mapping of security-role-ref to security-role when determining the return value of the call.

The security role link specified here contains the value of the name of the security role that the user may be mapped into. The role-link element is used to link a security role reference to a defined security role. The role-link element must contain the name of one of the security roles defined in the security-role elements.

For more information about security roles, read "Working with Security Roles" on page 841.
<security-role>

A security role is an abstract name for the permission to access a particular set of resources in an application. A security role can be compared to a key that can open a lock. Many people might have a copy of the key. The lock doesn't care who you are, only that you have the right key.

The security-role element is used with the security-role-ref element to map roles defined in code to roles defined for the web application. For more information about security roles, read "Working with Security Roles" on page 841.
<security-constraint>

A security constraint is used to define the access privileges to a collection of resources using their URL mapping. Read "Specifying Security Constraints" on page 854 for more detail on this element. The following elements can be part of a security constraint:

<web-resource-collection> element: Web resource collections describe a URL pattern and HTTP method pair that identify resources that need to be protected.

<auth-constraint> element: Authorization constraints indicate which users in specified roles are permitted access to this resource collection. The role name specified here must either correspond to the role name of one of the <security-role> elements defined for this web application, or be the specially reserved role name *, which is a compact syntax for indicating all roles in the web application. Role names are case sensitive. The roles defined for the application must be mapped to users and groups defined on the server. For more information about security roles, read "Working with Security Roles" on page 841.
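The following is an added example, not part of the tutorial and not code from the Java EE platform, that applies the rules above to a deployment descriptor: it resolves a role name used in code (the argument to isUserInRole) through security-role-ref to its role-link, lists the URL pattern and HTTP method pairs each security-constraint protects, and flags any role-link or auth-constraint role name that does not exactly match a declared security-role (role names are case sensitive; * is the reserved all-roles name). The embedded web.xml, its servlet name, class and role names are constructed for the example. The fallback of using the code's role name directly when no security-role-ref matches follows the Servlet specification's default behaviour.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor for the checks below; it is not
# taken from the tutorial. Servlet name, class and role names are made up.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
"""

def _local(tag):
    # web.xml elements carry a namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    for c in _children(elem, name):
        return (c.text or "").strip()
    return None

def declared_roles(xml_text):
    """Names from <security-role> elements; all comparisons are case sensitive."""
    root = ET.fromstring(xml_text)
    return {_text(r, "role-name") for r in _children(root, "security-role")}

def role_references(xml_text):
    """(servlet-name, code role-name, role-link) for every <security-role-ref>."""
    root = ET.fromstring(xml_text)
    refs = []
    for servlet in _children(root, "servlet"):
        for ref in _children(servlet, "security-role-ref"):
            refs.append((_text(servlet, "servlet-name"),
                         _text(ref, "role-name"), _text(ref, "role-link")))
    return refs

def resolve_role(xml_text, servlet_name, code_role):
    """Mirror how the container resolves isUserInRole(code_role): follow the
    servlet's security-role-ref to its role-link; with no matching reference
    (or no role-link) the name used in code is checked directly."""
    for sname, name, link in role_references(xml_text):
        if sname == servlet_name and name == code_role:
            return link or code_role
    return code_role

def protected_resources(xml_text):
    """(url-patterns, http-methods, roles) for each <security-constraint>."""
    root = ET.fromstring(xml_text)
    out = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
            methods += [(m.text or "").strip() for m in _children(wrc, "http-method")]
        roles = [(r.text or "").strip() for ac in _children(sc, "auth-constraint")
                 for r in _children(ac, "role-name")]
        out.append((patterns, methods, roles))
    return out

def check_descriptor(xml_text):
    """Report role-links and auth-constraint role names that do not exactly
    match a declared security-role ('*' is the reserved all-roles name)."""
    declared = declared_roles(xml_text)
    problems = []
    for sname, name, link in role_references(xml_text):
        if link is not None and link not in declared:
            problems.append(f"{sname}: role-link '{link}' for code role "
                            f"'{name}' is not a declared security-role")
    for _patterns, _methods, roles in protected_resources(xml_text):
        for role in roles:
            if role != "*" and role not in declared:
                problems.append(f"auth-constraint role '{role}' is not a "
                                f"declared security-role")
    return problems
```

With the sample descriptor, resolve_role(WEB_XML, "ReportServlet", "mgr") returns "manager" and check_descriptor(WEB_XML) returns no problems; changing the role-link to "Manager" produces one problem, because the container compares role names case sensitively and the reference would no longer map to a declared role.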
Defining Security Requirements for Web Applications
Chapter 30 · Securing Web Applications
853