In the deployment descriptor, declare a security constraint, a Web resource, the transport guarantee, the login configuration, and a security role.

Specifying Security Constraints.

Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and/or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in the deployment descriptor, consists of the following elements:

A security constraint that does not contain an authorization constraint shall combine with authorization constraints that name or imply roles to allow unauthenticated access. The special case of an authorization constraint that names NO roles shall combine with any other constraints to OVERRIDE their effects and cause access to be PRECLUDED.

The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements:

An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name '*' is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names NO roles indicates that access to the constrained requests MUST NOT be permitted under any circumstances. An authorization constraint consists of the following element:

A user data constraint establishes a requirement that the constrained requests be received over a protected transport layer connection. The strength of the required protection is defined by the value of the transport guarantee. A transport guarantee of INTEGRAL is used to establish a requirement for content integrity and a transport guarantee of CONFIDENTIAL is used to establish a requirement for confidentiality. The transport guarantee of NONE indicates that the container must accept the constrained requests when received on any connection including an unprotected one. A user data constraint consists of the following element:

If no authorization constraint applies to a request, the container must accept the request without requiring user authentication. If no user data constraint applies to a request, the container must accept the request when received over any connection including an unprotected one.

				
<security-constraint>
	<web-resource-collection>
		<web-resource-name>restricted methods</web-resource-name>
		<url-pattern>/*</url-pattern>
		<url-pattern>/acme/wholesale/*</url-pattern>
		<url-pattern>/acme/retail/*</url-pattern>
		<http-method>DELETE</http-method>
		<http-method>PUT</http-method>
	</web-resource-collection>
	<auth-constraint/>
</security-constraint>

					

'/*' DELETE access precluded

'/*' PUT access precluded

'/acme/wholesale/*' DELETE access precluded


<security-constraint>
	<web-resource-collection>
		<web-resource-name>wholesale</web-resource-name>
		<url-pattern>/acme/wholesale/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>PUT</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>SALESCLERK</role-name>
	</auth-constraint>
</security-constraint>

					

'/acme/wholesale/*' GET SALESCLERK


<security-constraint>
	<web-resource-collection>
		<web-resource-name>wholesale</web-resource-name>
		<url-pattern>/acme/wholesale/*</url-pattern>
		<http-method>GET</http-method>
		<http-method>POST</http-method>
	</web-resource-collection>
	<auth-constraint>
		<role-name>CONTRACTOR</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>CONFIDENTIAL</transport-guarantee>
	</user-data-constraint>
</security-constraint>

					

'/acme/wholesale/*' POST CONTRACTOR CONFIDENTIAL
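
Added example (not part of the original study guide): a small Python evaluator that applies the combination rules above to the three constraints just shown and reports the effective authorization for a request path and method. It evaluates authorization only, so the user-data-constraint is left out; the function names and the simplified pattern matching (exact and `/prefix/*` patterns, longest match wins) are assumptions of this example, and roles named by several constraints are combined as a union, as the Servlet specification prescribes.

```python
import xml.etree.ElementTree as ET

# The page's three constraints; the <web-app> wrapper is added for parsing.
WEB_XML = """<web-app>
<security-constraint><web-resource-collection>
  <web-resource-name>restricted methods</web-resource-name>
  <url-pattern>/*</url-pattern><url-pattern>/acme/wholesale/*</url-pattern>
  <url-pattern>/acme/retail/*</url-pattern>
  <http-method>DELETE</http-method><http-method>PUT</http-method>
 </web-resource-collection><auth-constraint/></security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>wholesale</web-resource-name>
  <url-pattern>/acme/wholesale/*</url-pattern>
  <http-method>GET</http-method><http-method>PUT</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>SALESCLERK</role-name></auth-constraint></security-constraint>
<security-constraint><web-resource-collection>
  <web-resource-name>wholesale</web-resource-name>
  <url-pattern>/acme/wholesale/*</url-pattern>
  <http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint><role-name>CONTRACTOR</role-name></auth-constraint>
</security-constraint></web-app>"""

def matches(pattern, path):
    # Simplified matching (assumption): exact patterns and "/prefix/*" only.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern

def effective_access(web_xml, path, method):
    """Return 'unconstrained', 'precluded', 'unauthenticated' or a set of role names."""
    hits = []  # (matched pattern length, auth-constraint element or None)
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        for wrc in sc.iter("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.iter("http-method")]
            if methods and method not in methods:
                continue  # an empty method list means every method is covered
            for p in wrc.iter("url-pattern"):
                if matches(p.text.strip(), path):
                    hits.append((len(p.text.strip()), sc.find("auth-constraint")))
    if not hits:
        return "unconstrained"  # no constraint applies: accepted without authentication
    best = max(n for n, _ in hits)  # longest matching pattern wins (assumption)
    auths = [a for n, a in hits if n == best]
    role_sets = [{r.text.strip() for r in a.iter("role-name")} for a in auths if a is not None]
    if any(not roles for roles in role_sets):
        return "precluded"  # an auth-constraint naming no roles overrides the others
    if len(role_sets) < len(auths):
        return "unauthenticated"  # a constraint without auth-constraint opens access
    return set().union(*role_sets)
```

Methods that no matching collection lists, such as HEAD on `/acme/wholesale/*`, come back as `unconstrained`; that is the first thing to check for when reviewing a descriptor that enumerates `http-method` elements.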

								
<!--
The security-constraint element is used to associate security
constraints with one or more web resource collections

Used in: web-app
-->

<!ELEMENT security-constraint (display-name?, web-resource-collection+,
auth-constraint?, user-data-constraint?)>

					

Web resource.

				
<!--
The web-resource-collection element is used to identify a subset
of the resources and HTTP methods on those resources within a web
application to which a security constraint applies. If no HTTP methods
are specified, then the security constraint applies to all HTTP
methods.

Used in: security-constraint
-->

<!ELEMENT web-resource-collection (web-resource-name, description?,
url-pattern*, http-method*)>

					

Transport guarantee.


<!--
The user-data-constraint element is used to indicate how data
communicated between the client and container should be protected.

Used in: security-constraint
-->

<!ELEMENT user-data-constraint (description?, transport-guarantee)>

					

Login configuration.

				
<!--
The login-config element is used to configure the authentication
method that should be used, the realm name that should be used for
this application, and the attributes that are needed by the form login
mechanism.

Used in: web-app
-->

<!ELEMENT login-config (auth-method?, realm-name?, form-login-config?)>

					


<!-- login configuration uses form-based authentication -->
<login-config>
	<auth-method>FORM</auth-method>
	<realm-name>Form-Based Authentication Area</realm-name>
	<form-login-config>
		<form-login-page>/protected/login.jsp</form-login-page>
		<form-error-page>/protected/error.jsp</form-error-page>
	</form-login-config>
</login-config>

					

Security role.


<!--
The security-role element contains the definition of a security
role. The definition consists of an optional description of the
security role, and the security role name.

Used in: web-app

Example:

    <security-role>
	<description>
	    This role includes all employees who are authorized
	    to access the employee service application.
	</description>
	<role-name>employee</role-name>
    </security-role>
-->

<!ELEMENT security-role (description?, role-name)>

					

				
<!-- Security roles referenced by web application -->
<security-role>
	<role-name>user</role-name>
</security-role>
<security-role>
	<role-name>admin</role-name>
</security-role>    

					
