Security in the Web-Tier
Your Web application is defined using a standard web.xml deployment descriptor. The deployment descriptor must indicate which version of the Web application schema (2.2, 2.3, or 2.4) it uses, and the elements specified within it must comply with the processing rules for that version of the deployment descriptor. For version 2.4 of the Java Servlet Specification (which can be downloaded at http://java.sun.com/products/servlet/), these rules are given in "SRV.13.2, Rules for Processing the Deployment Descriptor". For more information on deployment descriptors, see Chapter 4.

The deployment descriptor is used to convey the elements and configuration information of a Web application. Security in a Web application is configured using the following elements of the deployment descriptor:
<security-role>
The <security-role> element represents which roles from a defined group for the realm are authorized to access this Web Resource Collection. Security roles are discussed in Realms, Users, Groups, and Roles.

<security-constraint>
The <security-constraint> element is used to define the access privileges to a collection of resources using their URL mapping. Security constraints are discussed in Specifying Security Constraints.

<login-config>
The <login-config> element specifies how the user is prompted to log in. If this element is present, the user must be authenticated before accessing any resource that is constrained by a <security-constraint>. The <login-config> element is discussed in Using Login Authentication.

These elements of the deployment descriptor are entered directly into the web.xml file. If, for example, we were to create a deployment descriptor for a simple application that implements security, the web.xml file might look something like this example from Section SRV.13.5.2, An Example of Security, from the Java Servlet Specification, version 2.4:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>A Secure Application</display-name>
  <servlet>
    <servlet-name>catalog</servlet-name>
    <servlet-class>com.mycorp.CatalogServlet</servlet-class>
    <init-param>
      <param-name>catalog</param-name>
      <param-value>Spring</param-value>
    </init-param>
    <security-role-ref>
      <role-name>MGR</role-name> <!-- role name used in code -->
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <servlet-mapping>
    <servlet-name>catalog</servlet-name>
    <url-pattern>/catalog/*</url-pattern>
  </servlet-mapping>
  <!-- SECURITY CONSTRAINT -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/salesinfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- LOGIN AUTHENTICATION -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <!-- SECURITY ROLES -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Configuring authorized users and configuring the server to use SSL is addressed not in the application's deployment descriptor, but in the Web server's configuration files. In Tomcat, the user configuration is done in the <JWSDP_HOME>/conf/tomcat-users.xml file and the SSL configuration is done in the <JWSDP_HOME>/conf/server.xml file. Configuring SSL is discussed in Installing and Configuring SSL Support. Configuring authorized users is discussed in Setting up Security Roles and Using Programmatic Security in the Web Tier.
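As an added example that is not part of the tutorial, the following Python script parses the security elements described above out of a descriptor and reports the checks a reviewer would apply to them: a <web-resource-collection> that names <http-method> elements is constrained only for those methods (unlisted methods remain unprotected), BASIC authentication on a constrained resource needs a CONFIDENTIAL transport guarantee because the credentials are only base64-encoded, and every <role-link> must name a declared <security-role>. The sample descriptor is constructed for the example (the tutorial's, with its <user-data-constraint> removed).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's descriptor minus its <user-data-constraint>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet><servlet-name>catalog</servlet-name>
    <security-role-ref><role-name>MGR</role-name><role-link>manager</role-link>
    </security-role-ref></servlet>
  <security-constraint>
    <web-resource-collection><web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/salesinfo/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

def _kids(elem, name):  # children by local name; the j2ee namespace is ignored
    return [c for c in elem if isinstance(c.tag, str) and c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):  # text of the first child called `name`, or None
    found = _kids(elem, name)
    return found[0].text.strip() if found and found[0].text else None

def audit_web_xml(xml_text):
    """Return (check, detail) findings for the descriptor's security elements."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(r, "role-name") for r in _kids(root, "security-role")}
    auth = [_text(lc, "auth-method") for lc in _kids(root, "login-config")]
    for sc in _kids(root, "security-constraint"):
        protected = bool(_kids(sc, "auth-constraint"))
        guarantee = [_text(u, "transport-guarantee") for u in _kids(sc, "user-data-constraint")]
        for wrc in _kids(sc, "web-resource-collection"):
            name = _text(wrc, "web-resource-name")
            methods = [m.text.strip() for m in _kids(wrc, "http-method")]
            # Naming <http-method>s constrains only those; unlisted verbs stay open.
            if methods:
                findings.append(("partial-method-coverage", f"{name}: only {','.join(methods)}"))
            # BASIC sends credentials merely base64-encoded, so insist on TLS for them.
            if protected and "BASIC" in auth and "CONFIDENTIAL" not in guarantee:
                findings.append(("basic-auth-without-confidential", name))
    for servlet in _kids(root, "servlet"):
        for ref in _kids(servlet, "security-role-ref"):
            link = _text(ref, "role-link")
            if link and link not in declared:  # a role-link must name a declared role
                findings.append(("dangling-role-link", link))
    return findings
```

Running audit_web_xml(SAMPLE_WEB_XML) reports the two findings for SalesInfo; adding the CONFIDENTIAL guarantee back and dropping the method list clears both.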
All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.