Security in the Web-Tier

Your Web application is defined using a standard web.xml deployment descriptor. The deployment descriptor must indicate which version of the Web application schema (2.2, 2.3 or 2.4) it is using, and the elements specified within the deployment descriptor must comply with the rules for processing that version of the deployment descriptor. For version 2.4 of the Java Servlet Specification (which can be downloaded at http://java.sun.com/products/servlet/), this is "SRV.13.2, Rules for Processing the Deployment Descriptor". For more information on deployment descriptors, see Chapter 4.

The deployment descriptor conveys the elements and configuration information of a Web application. Security in a Web application is configured with the <security-constraint>, <login-config>, <security-role> and <security-role-ref> elements of the deployment descriptor, all of which appear in the example below.

These elements of the deployment descriptor are entered directly into the web.xml file. A deployment descriptor for a simple application that uses declarative security might look like the following example, taken from Section SRV.13.5.2, An Example of Security, of the Java Servlet Specification, version 2.4. It restricts GET and POST requests under /salesinfo/* to authenticated users in the manager role, requires a confidential (SSL) transport for those requests, and maps the role name MGR used in the servlet's code (in calls to isUserInRole) to the declared role manager. Note that because the <web-resource-collection> lists <http-method> elements, only the listed methods are constrained: a request for the same URL using any other method (HEAD, PUT, DELETE, or an arbitrary method name) is not covered by the constraint at all. To protect a resource against every method, omit the <http-method> elements entirely.

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
  http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
  version="2.4">
  <display-name>A Secure Application</display-name>
  <servlet>
    <servlet-name>catalog</servlet-name>
    <servlet-class>com.mycorp.CatalogServlet</servlet-class>
    <init-param>
      <param-name>catalog</param-name>
      <param-value>Spring</param-value>
    </init-param>
    <security-role-ref>
      <role-name>MGR</role-name>
      <!-- role name used in code -->
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <servlet-mapping>
    <servlet-name>catalog</servlet-name>
    <url-pattern>/catalog/*</url-pattern>
  </servlet-mapping>

  <!-- SECURITY CONSTRAINT -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/salesinfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- LOGIN AUTHENTICATION -->
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <!-- SECURITY ROLES -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>

</web-app> 

Configuring authorized users and enabling SSL are done not in the application's deployment descriptor but in the Web server's configuration files. In Tomcat, users and their roles are defined in the <JWSDP_HOME>/conf/tomcat-users.xml file, and SSL is configured in the <JWSDP_HOME>/conf/server.xml file. The role names assigned to users there must match the role names declared in the deployment descriptor's <security-role> elements, or no user will ever satisfy the <auth-constraint>. Configuring SSL is discussed in Installing and Configuring SSL Support. Configuring authorized users is discussed in Setting up Security Roles and Using Programmatic Security in the Web Tier.
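As an added example that is not part of the tutorial or of the Servlet specification, the following Python script audits the security elements of a web.xml as described above and cross-checks the roles against the tomcat-users.xml file mentioned in the preceding paragraph. It flags a <web-resource-collection> that lists <http-method> elements (and so leaves every other method unconstrained), an <auth-constraint> role that is not declared in a <security-role> or that no user holds, a <security-role-ref> whose <role-link> points at an undeclared role, and a <transport-guarantee> weaker than CONFIDENTIAL. Both descriptors it parses are constructed inline: a trimmed copy of the example above and a made-up tomcat-users.xml with a user named alice (the user name and password are assumptions). It derives the XML namespace from the root element, so it handles both the namespaced 2.4 descriptor and the un-namespaced 2.2/2.3 DTD form.

```python
# Added example (not tutorial code): audit web.xml security elements and
# cross-check the roles they reference against a Tomcat tomcat-users.xml.
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the page's web.xml example.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>catalog</servlet-name>
    <security-role-ref>
      <role-name>MGR</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SalesInfo</web-resource-name>
      <url-pattern>/salesinfo/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
"""

# Constructed sample tomcat-users.xml; the user name and password are made up.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager"/>
  <user username="alice" password="changeit" roles="manager"/>
</tomcat-users>
"""


def _tagger(root):
    """Qualify local names with the root's namespace (none for 2.2/2.3 DTD files)."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else None
    return (lambda name: f"{{{ns}}}{name}") if ns else (lambda name: name)


def _text(elem, tag, default=""):
    value = elem.findtext(tag)
    return value.strip() if value is not None else default


def audit(web_xml, tomcat_users_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    web, users = ET.fromstring(web_xml), ET.fromstring(tomcat_users_xml)
    w, u = _tagger(web), _tagger(users)
    findings = []

    declared = {_text(r, w("role-name")) for r in web.iter(w("security-role"))}
    assigned = set()
    for user in users.iter(u("user")):
        assigned.update(r.strip() for r in user.get("roles", "").split(",") if r.strip())

    # A role-link must name a declared role, or isUserInRole(coded) is never true.
    for ref in web.iter(w("security-role-ref")):
        coded = _text(ref, w("role-name"))
        link = _text(ref, w("role-link"), coded)
        if link not in declared:
            findings.append(f"security-role-ref {coded} links to undeclared role {link}")

    for sc in web.iter(w("security-constraint")):
        colls = list(sc.iter(w("web-resource-collection")))
        label = "/".join(_text(c, w("web-resource-name"), "?") for c in colls) or "unnamed"
        for coll in colls:
            methods = [m.text.strip() for m in coll.iter(w("http-method")) if m.text]
            # Listing methods narrows the constraint to exactly those methods.
            if methods:
                findings.append(f"{label}: only {', '.join(methods)} are constrained; "
                                "other HTTP methods are not covered")
        auth = sc.find(w("auth-constraint"))
        if auth is None:
            findings.append(f"{label}: no auth-constraint, so no login is required")
        else:
            roles = [r.text.strip() for r in auth.iter(w("role-name")) if r.text]
            for role in roles:
                if role == "*":  # shorthand for any declared role
                    continue
                if role not in declared:
                    findings.append(f"{label}: role {role} is not declared in a security-role")
                if role not in assigned:
                    findings.append(f"{label}: no user in tomcat-users.xml holds role {role}")
        udc = sc.find(w("user-data-constraint"))
        guarantee = _text(udc, w("transport-guarantee"), "NONE") if udc is not None else "NONE"
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{label}: transport-guarantee is {guarantee}; "
                            "credentials and data can travel in the clear")
    return findings


if __name__ == "__main__":
    for line in audit(WEB_XML, TOMCAT_USERS_XML) or ["no findings"]:
        print(line)
```

To run it against a real deployment, replace the two constants with the contents of WEB-INF/web.xml and <JWSDP_HOME>/conf/tomcat-users.xml. On the page's example the script reports exactly one finding, the GET/POST method list; removing the two <http-method> elements clears it.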


All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.