Specifying Security Constraints
<user-data-constraint> element: User data constraints specify network security
requirements. In particular, this constraint specifies how data communicated between
the client and the container should be protected. If a user transport guarantee of
INTEGRAL or CONFIDENTIAL is declared, all user name and password information
will be sent over a secure connection using HTTP over SSL (HTTPS). Network security
requirements are discussed in
<login-config>
The login configuration element is used to specify the user authentication method to be used
for access to web content, the realm in which the user will be authenticated, and, in the case
of form-based login, additional attributes. When specified, the user must be authenticated
before access to any resource that is constrained by a security constraint will be granted. The
types of user authentication methods that are supported include basic, form-based, digest,
and client certificate. Read
for more
detail on this element.
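The following added example (not part of the tutorial) is a small Python audit of a deployment descriptor. It reports every security constraint that requires authentication but declares no INTEGRAL or CONFIDENTIAL transport guarantee, so nothing in the descriptor forces the login exchange onto HTTPS. The sample web.xml, its names and URL patterns, and the function name audit_descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the tutorial): BASIC login, one
# constraint without a transport guarantee and one declaring CONFIDENTIAL.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <display-name>AdminPages</display-name>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>AccountPages</display-name>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
</web-app>"""

def audit_descriptor(xml_text):
    """Return (auth_method, findings) for constraints that require login but
    declare no INTEGRAL/CONFIDENTIAL transport guarantee."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the Java EE namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue                            # collection needs no authentication
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if tg not in ("INTEGRAL", "CONFIDENTIAL"):
            name = (sc.findtext("display-name") or "(unnamed)").strip()
            urls = [u.text.strip() for u in sc.iter("url-pattern") if u.text]
            findings.append((name, urls, tg))
    return auth, findings

if __name__ == "__main__":
    method, issues = audit_descriptor(SAMPLE_WEB_XML)
    for name, urls, tg in issues:
        print(f"{name} {urls}: {method} login, transport-guarantee={tg}")
```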
Some of the elements of web application security must be addressed in server configuration files
rather than in the deployment descriptor for the web application. Configuring security on the
Application Server is discussed in the following sections and books:
Sun Java System Application Server 9.1 Administration Guide
Sun Java System Application Server 9.1 Developer's Guide
The following sections provide more information on deployment descriptor security elements:
Specifying Security Constraints
Security constraints are a declarative way to define the protection of web content. A security
constraint is used to define access privileges to a collection of resources using their URL
mapping. Security constraints are defined in a deployment descriptor. The following example
shows a typical security constraint, including all of the elements of which it consists:
<security-constraint>
    <display-name>ExampleSecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>
            ExampleWRCollection
        </web-resource-name>
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007