Deployment Descriptor


When you try to access a web resource that is constrained by a security-constraint element, the web container activates the authentication mechanism that has been configured for that resource. To specify an authentication method, place the <auth-method> element between <login-config> elements in the deployment descriptor, like this:

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

An example of a deployment descriptor that constrains all web resources for this application (the <security-constraint> element) and requires HTTP basic authentication when you try to access that resource (the <login-config> element) is shown here:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>basicauth</display-name>
    <servlet>
        <display-name>index</display-name>
        <servlet-name>index</servlet-name>
        <jsp-file>/index.jsp</jsp-file>
    </servlet>
    <!-- Role that the auth-constraint below refers to -->
    <security-role>
        <role-name>loginUser</role-name>
    </security-role>
    <!-- Constrains every URL of the application to the loginUser role -->
    <security-constraint>
        <display-name>SecurityConstraint1</display-name>
        <web-resource-collection>
            <web-resource-name>WRCollection</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>loginUser</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Authentication mechanism the container uses for constrained resources -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
</web-app>

Before you can authenticate a user, you must have a database of user names, passwords, and roles configured on your web or application server. For information on setting up the user database, refer to "Managing Users and Groups on the Application Server" on page 781 and the Sun Java System Application Server 9.1 Administration Guide.
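
A review check for a descriptor like the one above, as an added example that is not part of the original tutorial: it confirms that constrained resources have an <auth-method> and that every role in an <auth-constraint> is declared in a <security-role>. It goes beyond this page in two checks: it flags BASIC without a CONFIDENTIAL <transport-guarantee> (basic authentication sends the password base64-encoded, not encrypted) and constraints that list <http-method> elements and so leave other methods unconstrained. The names audit_descriptor, SAMPLE and HARDENED are assumptions of this example, and the sample input is constructed from the page's descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's descriptor reduced to its security elements.
SAMPLE = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
  <security-role><role-name>loginUser</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>loginUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Same descriptor with a transport guarantee, so a protected (TLS) transport is required.
HARDENED = SAMPLE.replace(
    "</auth-constraint>",
    "</auth-constraint>\n    <user-data-constraint>"
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee>"
    "</user-data-constraint>")

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _texts(node, name):
    """Text of every element at or below `node` whose local name is `name`."""
    return [(e.text or "").strip() for e in node.iter() if _local(e.tag) == name]

def audit_descriptor(xml_text):
    """Return findings for the security elements of a trusted, local web.xml."""
    root = ET.fromstring(xml_text)
    top = lambda name: [c for c in root if _local(c.tag) == name]
    declared = {r for sr in top("security-role") for r in _texts(sr, "role-name")}
    methods = [m for lc in top("login-config") for m in _texts(lc, "auth-method")]
    findings = []
    if top("security-constraint") and not methods:
        findings.append("constraint present but no <auth-method> configured")
    for sc in top("security-constraint"):
        where = ",".join(_texts(sc, "url-pattern"))
        roles = [r for c in sc if _local(c.tag) == "auth-constraint"
                 for r in _texts(c, "role-name")]
        for r in roles:
            if r != "*" and r not in declared:  # "*" means all declared roles
                findings.append(f"{where}: role '{r}' has no <security-role>")
        if _texts(sc, "http-method"):
            findings.append(f"{where}: only the listed HTTP methods are constrained")
        if "BASIC" in methods and "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(f"{where}: BASIC without CONFIDENTIAL transport guarantee")
    return findings
```

Calling audit_descriptor(SAMPLE) reports the missing transport guarantee; audit_descriptor(HARDENED) reports nothing.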
Defining Security Requirements for Web Applications
Chapter 30 · Securing Web Applications