Security in the Web-Tier

Your Web application is defined using a standard web.xml deployment descriptor. The deployment descriptor must indicate which version of the Web application schema (2.2, 2.3 or 2.4) it is using, and the elements specified within the deployment descriptor must comply with the rules for processing that version of the deployment descriptor. For version 2.4 of the Java Servlet Specification (which can be downloaded at http://jcp.org/aboutJava/communityprocess/first/jsr154/index3.html), this is "SRV.13.3, Rules for Processing the Deployment Descriptor". For more information on deployment descriptors, see Chapter 4.

The deployment descriptor is used to convey the elements and configuration information of a Web application. Security in a Web application is configured using the following elements of the deployment descriptor: security-role-ref (nested inside a servlet element), security-constraint, login-config, and security-role. Each of them appears in the example below.

These elements are entered directly into the web.xml file. If, for example, we were to create a deployment descriptor for a simple application, the web.xml file might look something like this:

<?xml version='1.0' encoding='UTF-8'?>
<web-app
      version="2.4"
      xmlns="http://java.sun.com/xml/ns/j2ee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
            http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
      >
   <display-name>SimpleWebWar</display-name>
   <servlet>
      <display-name>GreetingServlet</display-name>
      <servlet-name>GreetingServlet</servlet-name>
      <servlet-class>GreetingServlet</servlet-class>

      <!-- SECURITY-ROLE-REF: maps the role name used by the servlet code
           (isUserInRole("SimpleAppUser")) to the declared role "user".
           It is a child of <servlet>, so it belongs before </servlet>. -->
      <security-role-ref>
         <role-name>SimpleAppUser</role-name>
         <role-link>user</role-link>
      </security-role-ref>
   </servlet>
   <session-config>
      <session-timeout>30</session-timeout>
   </session-config>

   <!-- SECURITY CONSTRAINT: only users in role "admin" may GET or POST /hello,
        and only over a confidential (SSL) connection. Listing <http-method>
        elements limits the constraint to those methods only; omit them to
        cover every HTTP method. -->
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>SWRCollection</web-resource-name>
         <url-pattern>/hello</url-pattern>
         <http-method>POST</http-method>
         <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>

   <!-- LOGIN AUTHENTICATION: HTTP Basic. The credentials are protected on the
        wire only by the CONFIDENTIAL transport guarantee above. -->
   <login-config>
      <auth-method>BASIC</auth-method>
   </login-config>

   <!-- SECURITY ROLES: every role named in an auth-constraint or a role-link
        must be declared here. -->
   <security-role>
      <role-name>user</role-name>
   </security-role>
   <security-role>
      <role-name>mgr</role-name>
   </security-role>
   <security-role>
      <role-name>admin</role-name>
   </security-role>

</web-app>
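A descriptor like the one above is easy to get subtly wrong: a security-constraint that lists http-method elements protects only those methods (a HEAD, PUT or DELETE request to /hello is not covered), a role-name in an auth-constraint or role-link that no security-role declares is silently unusable, and a BASIC login without a CONFIDENTIAL transport guarantee sends credentials over plain HTTP. The following Python auditor is an added example, not part of the tutorial or of Tomcat; it parses a Servlet 2.4 web.xml with the standard library and reports those conditions. The three embedded descriptors are constructed for the example: the page's descriptor condensed, a hardened variant with the method list removed, and a deliberately weak variant.

```python
"""Audit the security elements of a Servlet 2.4 web.xml (added example).

Findings a reviewer looks for in a descriptor like the one on this page:
  - a web-resource-collection that lists <http-method> elements is protected
    ONLY for those methods; HEAD, PUT, DELETE, OPTIONS, ... bypass the
    auth-constraint (verb tampering). Listing no method covers every method;
  - an <auth-constraint> naming a role that no <security-role> declares;
  - a servlet <security-role-ref> whose target role is not declared;
  - a constraint without transport-guarantee CONFIDENTIAL, which lets BASIC
    or FORM credentials travel over plain HTTP.
"""
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/j2ee"}


def _txt(el):
    """Text of an element with surrounding whitespace removed ('' if absent)."""
    return (el.text or "").strip() if el is not None else ""


def audit_web_xml(xml_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_txt(r) for r in root.findall("j2ee:security-role/j2ee:role-name", NS)}

    for servlet in root.findall("j2ee:servlet", NS):
        name = _txt(servlet.find("j2ee:servlet-name", NS))
        for ref in servlet.findall("j2ee:security-role-ref", NS):
            # role-link is optional; without it the container uses role-name directly
            target = _txt(ref.find("j2ee:role-link", NS)) or _txt(ref.find("j2ee:role-name", NS))
            if target not in declared:
                findings.append(("error", f"servlet {name}: role-link '{target}' is not a declared security-role"))

    auth_method = _txt(root.find("j2ee:login-config/j2ee:auth-method", NS))

    for sc in root.findall("j2ee:security-constraint", NS):
        patterns = []
        for wrc in sc.findall("j2ee:web-resource-collection", NS):
            pats = [_txt(p) for p in wrc.findall("j2ee:url-pattern", NS)]
            patterns.extend(pats)
            methods = sorted(_txt(m) for m in wrc.findall("j2ee:http-method", NS))
            if methods:
                findings.append(("warning", f"{', '.join(pats)}: constraint covers only {methods}; "
                                            "HEAD, PUT, DELETE and other methods are unconstrained"))
        where = ", ".join(patterns)
        auth = sc.find("j2ee:auth-constraint", NS)
        if auth is None:
            findings.append(("info", f"{where}: no auth-constraint, resource is open to everyone"))
        else:
            roles = [_txt(r) for r in auth.findall("j2ee:role-name", NS)]
            if not roles:
                findings.append(("info", f"{where}: empty auth-constraint denies all access"))
            for role in roles:
                if role != "*" and role not in declared:
                    findings.append(("error", f"{where}: auth-constraint role '{role}' is not a declared security-role"))
        guarantee = _txt(sc.find("j2ee:user-data-constraint/j2ee:transport-guarantee", NS))
        if guarantee != "CONFIDENTIAL":
            msg = f"{where}: transport-guarantee is '{guarantee or 'NONE'}', not CONFIDENTIAL"
            if auth_method in ("BASIC", "FORM"):
                msg += f"; {auth_method} credentials can be sent over plain HTTP"
            findings.append(("warning", msg))
    return findings


# Constructed sample: the page's descriptor, condensed (no XML declaration needed).
SAMPLE = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>GreetingServlet</servlet-name>
    <servlet-class>GreetingServlet</servlet-class>
    <security-role-ref>
      <role-name>SimpleAppUser</role-name>
      <role-link>user</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SWRCollection</web-resource-name>
      <url-pattern>/hello</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

# Hardened variant (constructed): no method list, so the constraint covers every method.
HARDENED = SAMPLE.replace("      <http-method>POST</http-method>\n      <http-method>GET</http-method>\n", "")

# Weak variant (constructed): undeclared role 'admins' and no confidential transport.
WEAK = (SAMPLE.replace("<role-name>admin</role-name></auth-constraint>",
                       "<role-name>admins</role-name></auth-constraint>")
              .replace("CONFIDENTIAL", "NONE"))

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE), ("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_web_xml(xml) or "clean")
```

The method-list warning is the one that applies to the page's own descriptor: because the collection names only POST and GET, the admin role and the SSL requirement do not apply to a HEAD or PUT request for /hello. Dropping the http-method elements, as the hardened variant does, makes the constraint apply to all methods.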

User accounts and SSL are configured in the Web server's configuration files rather than in web.xml. In Tomcat, users and the roles assigned to them are defined in the <JWSDP_HOME>/conf/tomcat-users.xml file, and SSL is configured in the <JWSDP_HOME>/conf/server.xml file; the role names assigned there must match the security-role names declared in web.xml, or no user will satisfy the auth-constraint. This information is discussed in Installing and Configuring SSL Support, Using Programmatic Security in the Web Tier, and Setting up Security Roles.


All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.