This chapter is from the book

Web Application Security Elements

This section is a reference to the security elements of the deployment descriptor defined by the Servlet 2.2 specification. A number of the examples in this chapter illustrate most of these elements; see, for example, Example 9-1.c on page 258.

Table 9-5 lists the elements contained within a security-constraint element, which is the outermost security element in a deployment descriptor.

Table 9-5 <security-constraint> Elements

Element                  Type  Description
web-resource-collection  +     A subset of a web application's resources to which security constraints apply
auth-constraint          ?     Authorization constraints placed on one or more web resource collections
user-data-constraint     ?     A specification of how data sent between a client and a container should be protected

The Type column uses the occurrence indicators of the deployment descriptor DTD: 1 = exactly one, ? = zero or one, * = zero or more, + = one or more.

Web resource collections identify one or more protected resources, and authorization constraints specify one or more roles that can access those resources. User data constraints specify how data should be protected while in transit.

Table 9-6 lists web resource collection elements.

Table 9-6 <web-resource-collection> Elements

Element            Type  Description
web-resource-name  1     The name of a web resource
description        ?     A description of a web resource
url-pattern        *     A URL pattern associated with a web resource
http-method        *     An HTTP method associated with a web resource

Each web resource collection is associated with the name of a resource and an optional description of that resource. One or more URL patterns are associated with a resource name.

HTTP methods may also be associated with a web resource collection; for example, if GET is the only HTTP method specified, the security constraint is enforced only for GET requests, and a request for the same URL with any other method (POST, HEAD, PUT, DELETE, and so on) is not subject to it. If no HTTP methods are specified, the corresponding security constraint applies to all HTTP requests for the specified resources. Listing methods therefore narrows a constraint rather than strengthening it; unless a resource genuinely must be reachable without restriction through the other methods, omit http-method so that every method is covered.

Table 9-7 lists authorization constraint elements.

Table 9-7 <auth-constraint> Elements

Element      Type  Description
description  ?     A description of an authorization constraint
role-name    *     The role(s) to which a constraint applies

Authorization constraints specify one or more roles that are allowed access to the protected resources; a request from a user who is not in one of those roles is refused. Optionally, the roles can be accompanied by a description.

Table 9-8 lists user data constraint elements.

Table 9-8 <user-data-constraint> Elements

Element              Type  Description
description          ?     A description of a user data constraint
transport-guarantee  1     NONE, INTEGRAL, or CONFIDENTIAL

User data constraints consist of a transport-guarantee and an optional description. The guarantee is one of NONE, INTEGRAL, or CONFIDENTIAL. NONE means there are no restrictions on the transport of data; INTEGRAL means the servlet container must ensure that data cannot be changed in transit; CONFIDENTIAL means that the data cannot be read by third parties while in transit.

The servlet specification does not specify how servlet containers should implement transport guarantees; however, a value of INTEGRAL or CONFIDENTIAL in practice means a secure transport layer, such as SSL, and containers commonly redirect a plain-HTTP request for such a resource to their HTTPS port. Resin, for example, will only provide access to confidential data if ServletRequest.isSecure returns true. Note that a transport guarantee only protects the data between client and container: a constraint with CONFIDENTIAL but no auth-constraint encrypts the exchange without restricting who may take part in it.
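The following script, added here as an example and not code from the book, ties the four tables together: it parses the security-constraint elements of a small web.xml, applies the servlet url-pattern matching rules, and reports for a given request whether it is role-restricted, by which roles, and under which transport guarantee. The descriptor it contains is constructed for illustration (the role names, patterns and resource names are made up), and one assumption is flagged in the code: when several constraints cover the same request, roles are combined as a union and the strongest guarantee wins, which the 2.2 text does not spell out. The first constraint deliberately lists http-method elements so that the DELETE case shows the gap described above.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not from the book). The first constraint lists http-method
# elements and so is enforced only for GET and POST; the second lists none.
WEB_XML = """<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

GUARANTEE_RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}


def url_pattern_matches(pattern, path):
    """Servlet url-pattern rules: default "/", path prefix "/dir/*", extension "*.ext", exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path


def parse_constraints(web_xml):
    """One dict per <security-constraint>; roles is None when there is no <auth-constraint>."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth, udc = sc.find("auth-constraint"), sc.find("user-data-constraint")
        constraints.append({
            "collections": [{
                "name": wrc.findtext("web-resource-name", "").strip(),
                "patterns": [e.text.strip() for e in wrc.findall("url-pattern")],
                "methods": {e.text.strip().upper() for e in wrc.findall("http-method")},
            } for wrc in sc.findall("web-resource-collection")],
            "roles": None if auth is None else {e.text.strip() for e in auth.findall("role-name")},
            "guarantee": "NONE" if udc is None else udc.findtext("transport-guarantee", "NONE").strip(),
        })
    return constraints


def evaluate(constraints, path, method):
    """How one request is protected. Assumption (the 2.2 text does not say): roles of
    overlapping constraints are unioned and the strongest transport guarantee wins."""
    method, restricted, roles, guarantee = method.upper(), False, set(), "NONE"
    for c in constraints:
        # A collection with no http-method covers every method; otherwise only the listed ones.
        covered = any((not coll["methods"] or method in coll["methods"])
                      and any(url_pattern_matches(p, path) for p in coll["patterns"])
                      for coll in c["collections"])
        if not covered:
            continue
        if c["roles"] is not None:
            restricted, roles = True, roles | c["roles"]
        if GUARANTEE_RANK[c["guarantee"]] > GUARANTEE_RANK[guarantee]:
            guarantee = c["guarantee"]
    return {"restricted": restricted, "roles": roles, "guarantee": guarantee}


def audit(constraints):
    """The two descriptor weaknesses a reviewer checks first."""
    findings = []
    for c in constraints:
        for coll in c["collections"]:
            if coll["methods"]:
                findings.append("%s: only %s constrained; other methods on %s bypass it"
                                % (coll["name"], sorted(coll["methods"]), coll["patterns"]))
        if c["roles"] is not None and c["guarantee"] != "CONFIDENTIAL":
            findings.append("%s: role-restricted but transport-guarantee is %s"
                            % ([coll["name"] for coll in c["collections"]], c["guarantee"]))
    return findings


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for path, method in [("/admin/users", "GET"), ("/admin/users", "DELETE"), ("/account/settings", "PUT")]:
        print(method, path, evaluate(cs, path, method))
    for finding in audit(cs):
        print("FINDING:", finding)
```

Running it shows GET /admin/users restricted to admin over a confidential transport, DELETE /admin/users covered by no constraint at all, and PUT /account/settings restricted to user or admin but with no transport guarantee; the audit function reports both descriptor weaknesses. Removing the two http-method elements from the first collection and adding a CONFIDENTIAL user-data-constraint to the second closes them.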
