
Specifying Security Constraints


<user-data-constraint> element: User data constraints specify network security requirements; in particular, this constraint specifies how data communicated between the client and the container should be protected. If a user transport guarantee of INTEGRAL or CONFIDENTIAL is declared, all user name and password information will be sent over a secure connection using HTTP over SSL (HTTPS). Network security requirements are discussed in "Specifying a Secure Connection" on page 857.
<login-config> element: The login configuration element is used to specify the user authentication method to be used for access to web content, the realm in which the user will be authenticated, and, in the case of form-based login, additional attributes. When specified, the user must be authenticated before access to any resource that is constrained by a security constraint will be granted. The types of user authentication methods that are supported include basic, form-based, digest, and client certificate. Read "Specifying an Authentication Mechanism" on page 858 for more detail on this element.
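An added example, not part of the tutorial: a Python check that parses a deployment descriptor and reports each security constraint whose transport guarantee is not INTEGRAL or CONFIDENTIAL, together with the configured login method. The sample descriptor, its URL patterns and role names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the tutorial): the first constraint
# declares CONFIDENTIAL, the second omits <user-data-constraint> entirely.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

SECURE = {"INTEGRAL", "CONFIDENTIAL"}

def find_all(elem, name):
    # Match on the local tag name so namespaced descriptors work too.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def text_of(elem, name, default):
    hits = find_all(elem, name)
    return (hits[0].text or "").strip() if hits else default

def audit(web_xml):
    """Return (url_patterns, transport_guarantee, auth_method) per weak constraint."""
    root = ET.fromstring(web_xml)
    auth_method = text_of(root, "auth-method", "(none)")
    findings = []
    for sc in find_all(root, "security-constraint"):
        guarantee = text_of(sc, "transport-guarantee", "NONE")
        if guarantee.upper() not in SECURE:
            patterns = [(e.text or "").strip() for e in find_all(sc, "url-pattern")]
            findings.append((patterns, guarantee, auth_method))
    return findings

if __name__ == "__main__":
    for patterns, guarantee, method in audit(SAMPLE_WEB_XML):
        print(f"{patterns}: transport-guarantee={guarantee}, {method} login not forced onto HTTPS")
```

A constraint that has no <user-data-constraint> is reported with a guarantee of NONE, the same as one that declares NONE explicitly.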
Some of the elements of web application security must be addressed in server configuration files
rather than in the deployment descriptor for the web application. Configuring security on the
Application Server is discussed in the following sections and books:
"Securing the Application Server" on page 777
"Managing Users and Groups on the Application Server" on page 781
"Installing and Configuring SSL Support" on page 785
"Deploying Secure Enterprise Beans" on page 819
Sun Java System Application Server 9.1 Administration Guide
Sun Java System Application Server 9.1 Developer's Guide
The following sections provide more information on deployment descriptor security elements:
"Specifying Security Constraints" on page 854
"Working with Security Roles" on page 841
"Specifying a Secure Connection" on page 857
"Specifying an Authentication Mechanism" on page 858

Specifying Security Constraints

Security constraints are a declarative way to define the protection of web content. A security
constraint is used to define access privileges to a collection of resources using their URL
mapping. Security constraints are defined in a deployment descriptor. The following example
shows a typical security constraint, including all of the elements of which it consists:
<security-constraint>
    <display-name>ExampleSecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>ExampleWRCollection</web-resource-name>
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007
854