Security in the Web-Tier
Your Web application is defined using a standard web.xml deployment descriptor. The deployment descriptor must indicate which version of the Web application schema (2.2, 2.3 or 2.4) it is using, and the elements specified within the deployment descriptor must comply with the rules for processing that version of the deployment descriptor. For version 2.4 of the Java Servlet Specification (which can be downloaded at http://jcp.org/aboutJava/communityprocess/first/jsr154/index3.html), this is "SRV.13.3, Rules for Processing the Deployment Descriptor". For more information on deployment descriptors, see Chapter 4.

The deployment descriptor is used to convey the elements and configuration information of a Web application. Security in a Web application is configured using the following elements of the deployment descriptor:
<security-role>
    The <security-role> element represents which roles, drawn from a group defined for the realm, are authorized to access this Web Resource Collection. Security roles are discussed in Realms, Users, Groups, and Roles.

<security-constraint>
    The <security-constraint> element defines the access privileges for a collection of resources, identified by their URL mapping. Security constraints are discussed in Specifying Security Constraints.

<login-config>
    The <login-config> element specifies how the user is prompted to log in. If this element is present, the user must be authenticated before they can access any resource that is constrained by a <security-constraint>. The <login-config> element is discussed in Using Login Authentication.

These elements of the deployment descriptor are entered directly into the web.xml file. If, for example, we were to create a deployment descriptor for a simple application, the web.xml file might look something like this:

    <?xml version='1.0' encoding='UTF-8'?>
    <web-app version="2.4"
             xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                                 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
      <display-name>SimpleWebWar</display-name>
      <servlet>
        <display-name>GreetingServlet</display-name>
        <servlet-name>GreetingServlet</servlet-name>
        <servlet-class>GreetingServlet</servlet-class>
        <!-- SECURITY-ROLE-REF: the role name used in the servlet code,
             linked to a role declared in <security-role> below -->
        <security-role-ref>
          <role-name>SimpleAppUser</role-name>
          <role-link>user</role-link>
        </security-role-ref>
      </servlet>
      <session-config>
        <session-timeout>30</session-timeout>
      </session-config>
      <!-- SECURITY CONSTRAINT: /hello (GET and POST) is restricted to the
           admin role and must be reached over a confidential (SSL) connection -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>SWRCollection</web-resource-name>
          <url-pattern>/hello</url-pattern>
          <http-method>POST</http-method>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <!-- LOGIN AUTHENTICATION -->
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>
      <!-- SECURITY ROLES -->
      <security-role>
        <role-name>user</role-name>
      </security-role>
      <security-role>
        <role-name>mgr</role-name>
      </security-role>
      <security-role>
        <role-name>admin</role-name>
      </security-role>
    </web-app>

Users and SSL configuration of Web application security is addressed in the Web server's configuration files. In Tomcat the user configuration is done in the <JWSDP_HOME>/conf/tomcat-user.xml file and the SSL configuration is done in the <JWSDP_HOME>/conf/server.xml file. This information is discussed in Installing and Configuring SSL Support, Using Programmatic Security in the Web Tier, and Setting up Security Roles.
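The three elements above only protect a resource when they agree with each other: a role named in an <auth-constraint> or a <role-link> must be declared in a <security-role>, a constrained collection should carry a CONFIDENTIAL <transport-guarantee> so BASIC credentials are not sent in the clear, and an <auth-constraint> cannot be enforced without a <login-config>. The following script is an added example, not part of the tutorial; it is written in Python rather than Java so it can be run offline against any web.xml, and parses the descriptor with the standard library to report those inconsistencies. The SAMPLE_WEB_XML descriptor (constructed to mirror the tutorial's shape but with a deliberately undeclared role, a constraint without a transport guarantee, and no <login-config>), the check names and the lint_web_xml function are all assumptions of this example.

```python
"""Lint a Servlet 2.4 web.xml for consistent security wiring (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the second constraint references an
# undeclared role and has no transport guarantee, and <login-config> is absent.
SAMPLE_WEB_XML = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>GreetingServlet</servlet-name>
    <servlet-class>GreetingServlet</servlet-class>
    <security-role-ref>
      <role-name>SimpleAppUser</role-name>
      <role-link>user</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SWRCollection</web-resource-name>
      <url-pattern>/hello</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _local(tag):
    """Strip the J2EE namespace prefix ElementTree attaches to every tag."""
    return tag.rsplit('}', 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local tag name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Trimmed text of each direct child named name."""
    return [(c.text or '').strip() for c in _children(elem, name)]


def lint_web_xml(xml_text):
    """Return a list of (check, detail) findings; an empty list means the wiring is consistent."""
    root = ET.fromstring(xml_text)
    findings = []

    # Roles declared with <security-role> are the only ones the container knows.
    declared = {r for sr in _children(root, 'security-role') for r in _texts(sr, 'role-name')}

    # 1. Every <role-link> in a <security-role-ref> must point at a declared role.
    for servlet in _children(root, 'servlet'):
        sname = (_texts(servlet, 'servlet-name') or ['?'])[0]
        for ref in _children(servlet, 'security-role-ref'):
            for link in _texts(ref, 'role-link'):
                if link not in declared:
                    findings.append(('undeclared-role-link',
                                     f'{sname}: role-link {link!r} has no <security-role>'))

    has_auth_constraint = False
    for sc in _children(root, 'security-constraint'):
        wrcs = _children(sc, 'web-resource-collection')
        cname = ', '.join(n for w in wrcs for n in _texts(w, 'web-resource-name')) or '?'
        # 2. Roles named in <auth-constraint> must be declared ('*' means all declared roles).
        for ac in _children(sc, 'auth-constraint'):
            has_auth_constraint = True
            for role in _texts(ac, 'role-name'):
                if role != '*' and role not in declared:
                    findings.append(('undeclared-auth-role',
                                     f'{cname}: auth-constraint role {role!r} has no <security-role>'))
        # 3. A protected collection should demand CONFIDENTIAL transport (SSL).
        guarantees = [g for udc in _children(sc, 'user-data-constraint')
                      for g in _texts(udc, 'transport-guarantee')]
        if 'CONFIDENTIAL' not in guarantees:
            findings.append(('no-confidential-transport',
                             f'{cname}: transport-guarantee is {guarantees or "absent"}'))

    # 4. An <auth-constraint> is unenforceable unless <login-config> says how to authenticate.
    if has_auth_constraint and not _children(root, 'login-config'):
        findings.append(('missing-login-config',
                         'auth-constraint present but no <login-config>'))
    return findings


if __name__ == '__main__':
    for check, detail in lint_web_xml(SAMPLE_WEB_XML):
        print(f'{check}: {detail}')
```

Run against the constructed sample, the script reports the undeclared auditor role, the Reports collection without a CONFIDENTIAL guarantee, and the missing <login-config>; it can be pointed at a real descriptor by reading the file into lint_web_xml instead of SAMPLE_WEB_XML.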
All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.