Specifying Security Constraints.
Security constraints are a declarative way of defining the protection of web content. A security constraint associates authorization and or user data constraints with HTTP operations on web resources. A security constraint, which is represented by security-constraint in deployment descriptor, consists of the following elements:
web resource collection (web-resource-collection in deployment descriptor)
authorization constraint (auth-constraint in deployment descriptor)
user data constraint (user-data-constraint in deployment descriptor)
The HTTP operations and web resources to which a security constraint applies (i.e. the constrained requests) are identified by one or more web resource collections. A web resource collection consists of the following elements:
URL patterns (url-pattern in deployment descriptor)
HTTP methods (http-method in deployment descriptor)
An authorization constraint establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. The special role name '*' is a shorthand for all role names defined in the deployment descriptor. An authorization constraint that names NO roles indicates that access to the constrained requests MUST NOT be permitted under any circumstances. An authorization constraint consists of the following element:
role name (role-name in deployment descriptor)
A user data constraint establishes a requirement that the constrained requests be received over a protected transport layer connection. The strength of the required protection is defined by the value of the transport guarantee. A transport guarantee of INTEGRAL is used to establish a requirement for content integrity and a transport guarantee of CONFIDENTIAL is used to establish a requirement for confidentiality. The transport guarantee of NONE indicates that the container must accept the constrained requests when received on any connection including an unprotected one. A user data constraint consists of the following element:
transport guarantee (transport-guarantee in deployment descriptor)
If no authorization constraint applies to a request, the container must accept the request without requiring user authentication. If no user data constraint applies to a request, the container must accept the request when received over any connection including an unprotected one.
<security-constraint> <web-resource-collection> <web-resource-name>restricted methods</web-resource-name> <url-pattern>/*</url-pattern> <url-pattern>/acme/wholesale/*</url-pattern> <url-pattern>/acme/retail/*</url-pattern> <http-method>DELETE</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint/> </security-constraint>
'/*' DELETE access precluded
'/*' PUT access precluded
'/acme/wholesale/*' DELETE access precluded
<security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method> <http-method>PUT</http-method> </web-resource-collection> <auth-constraint> <role-name>SALESCLERK</role-name> </auth-constraint> </security-constraint>
'/acme/wholesale/*' GET SALESCLERK
<security-constraint> <web-resource-collection> <web-resource-name>wholesale</web-resource-name> <url-pattern>/acme/wholesale/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>CONTRACTOR</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
'/acme/wholesale/*' POST CONTRACTOR CONFIDENTIAL
<!-- The security-constraint element is used to associate security constraints with one or more web resource collections Used in: web-app --> <!ELEMENT security-constraint (display-name?, web-resource-collection+, auth-constraint?, user-data-constraint?)>
Web resource.
<!-- The web-resource-collection element is used to identify a subset of the resources and HTTP methods on those resources within a web application to which a security constraint applies. If no HTTP methods are specified, then the security constraint applies to all HTTP methods. Used in: security-constraint --> <!ELEMENT web-resource-collection (web-resource-name, description?, url-pattern*, http-method*)>
Transport guarantee.
<!-- The user-data-constraint element is used to indicate how data communicated between the client and container should be protected. Used in: security-constraint --> <!ELEMENT user-data-constraint (description?, transport-guarantee)>
Login configuration.
<!-- The login-config element is used to configure the authentication method that should be used, the realm name that should be used for this application, and the attributes that are needed by the form login mechanism. Used in: web-app --> <!ELEMENT login-config (auth-method?, realm-name?, form-login-config?)>
<!-- login configuration uses form-based authentication --> <login-config> <auth-method>FORM</auth-method> <realm-name>Form-Based Authentication Area</realm-name> <form-login-config> <form-login-page>/protected/login.jsp</form-login-page> <form-error-page>/protected/error.jsp</form-error-page> </form-login-config> </login-config>
Security role.
<!--
The security-role element contains the definition of a security
role. The definition consists of an optional description of the
security role, and the security role name.
Used in: web-app
Example:
<security-role>
<description>
This role includes all employees who are authorized
to access the employee service application.
</description>
<role-name>employee</role-name>
</security-role>
-->
<!ELEMENT security-role (description?, role-name)>
<!-- Security roles referenced by web application --> <security-role> <role-name>user</role-name> </security-role> <security-role> <role-name>admin</role-name> </security-role>
|
|