To have a secured Web application, you need to declare security constraints in the web.xml deployment descriptor. You can use any supported authentication method; for this example, we used BASIC.
This is what the web.xml file looks like:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN' 'http://java.sun.com/dtd/web-app_2_3.dtd'>
<web-app>
  <display-name>ssoapp</display-name>
  <servlet>
    <servlet-name>SSO</servlet-name>
    <display-name>SSO</display-name>
    <jsp-file>/sso.jsp</jsp-file>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
  <error-page>
    <error-code>403</error-code>
    <location>/authorize_error.jsp</location>
  </error-page>
  <error-page>
    <error-code>401</error-code>
    <location>/authorize_error.jsp</location>
  </error-page>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>ssoZone</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Role required to access the sso jsp</description>
      <role-name>PortalUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SSO App</realm-name>
  </login-config>
  <security-role>
    <description>Whatever</description>
    <role-name>PortalUser</role-name>
  </security-role>
</web-app>
This code secures a Web application—ssoapp—with sso.jsp. This JSP is a protected Web resource.
To access sso.jsp, users must have the PortalUser role. If an authenticated user does not have the PortalUser role, the container responds by presenting authorize_error.jsp to the user.
If the portal receives an unauthenticated request for sso.jsp, the container uses BASIC authentication to authenticate the user before checking to see if the user has the PortalUser role.
Since “/*” is used as the URL pattern, all resources under the ssoapp Web application are protected, including any additional JSPs.
If you use roles that are not in the Web Studio Web container, be sure to follow the Web container's documentation to add the required roles and add authorized portal users to those roles. You must also add the required roles in Web Studio.
Copyright © 2004. Sybase Inc. All rights reserved.