Security constraints let you control access to a Web resource collection. A Web resource collection identifies the resources, defined by URL patterns, and the HTTP methods on those resources, to which the security constraints apply. The security constraints define the roles authorized to use the Web resource collection (authorization constraint) and the level of transport security required on the connection between client and server (user data constraint).
You define the Web resource collection and its constraints on the Security Constraints page.
If you do not assign a user role, no user has access to the resources in the specified collection. If you do not specify HTTP methods, the constraints apply to all methods.
| Setting | Value |
|---|---|
| Name | Specify a name for the Web resource collection. |
| URL Pattern | Select one or more URL patterns to specify the resources in this Web application to which the constraints apply. |
| HTTP Methods | (Optional) Specify the HTTP methods to which the constraints apply. If you do not specify any methods, the constraints apply to all methods. |
| Authorized Roles | Select the roles authorized to access the collection of Web resources defined in the URL Pattern and HTTP Methods boxes. You can define roles on the Roles page of the Deployment Configuration Properties dialog box. |
| Transport Guarantee | Establish a level of transport security appropriate for the Web resources you are protecting. If you use basic or form-based authentication, passwords and other sensitive information are not protected for confidentiality. If you have sensitive information that you want to protect, establish a security constraint that uses a greater level of protection: |
Protected resources on a server can be partitioned into separate protection spaces. Each protection space can be configured with a specific security scheme, such as an authentication protocol or authorization database. When a Web server asks a client to authenticate a user, it passes a realm to the client. A realm is a string that defines a protection space.
Use of the term realm: In J2EE applications, the term realm is also used to refer to a security policy domain. In this deployment descriptor, it refers to the string passed as part of HTTP basic authentication.
The client passes the user name and password to the Web server, and the Web server authenticates the user in the specified realm. The login-config element is used to configure the authentication method, the realm name that should be used for this application, and the attributes that are needed by the form login mechanism.
| Setting | Value |
|---|---|
| Authentication Method | Select the authentication method to be used to configure the authentication mechanism for the Web application: |
| Realm Name | Specify the realm name to be used in HTTP basic authentication. |
| Form Login Page | Specify the location in the Web application where the page to be used for login can be found. The path begins with a leading / and is interpreted relative to the root of the Web application. |
| Form Error Page | Specify the location in the Web application where the error page that is displayed when login fails can be found. The path begins with a leading / and is interpreted relative to the root of the Web application. |
A security role is a grouping of permissions that a given type of user of an application must have to successfully use an application and its components. The Roles page allows you to define security roles—for example, admin or user—that you can associate with specific resources on the Security Constraints page.
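The settings above are written into the application's web.xml deployment descriptor as security-constraint, login-config and security-role elements. As an added check that is not part of this documentation, the following Python script parses a constructed sample web.xml and reports the conditions described on this page: a collection with no auth-constraint (open to every caller), an auth-constraint that names no role (no user has access), a role used in a constraint but not declared on the Roles page, and basic or form-based authentication combined with a transport guarantee of NONE, which leaves passwords unprotected for confidentiality. The collection names, URL patterns and realm name are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the page): "Admin pages" uses BASIC
# authentication over transport-guarantee NONE; "Account pages" names an undeclared role.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Example realm</realm-name></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def audit_constraints(web_xml: str) -> list:
    """Return (collection name, finding) pairs for constraints that fall short of the guidance above."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop the default namespace so plain tag names match below
        el.tag = el.tag.split("}")[-1]
    declared = {r.text.strip() for r in root.findall("security-role/role-name")}
    auth_method = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        name = sc.findtext("web-resource-collection/web-resource-name") or "<unnamed>"
        auth = sc.find("auth-constraint")
        roles = [] if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        if auth is None:  # no authorization constraint at all: the collection is unrestricted
            findings.append((name, "no auth-constraint: every caller is allowed"))
        elif not roles:  # constraint present but no role assigned: nobody can reach it
            findings.append((name, "auth-constraint lists no role: no user can access it"))
        for role in roles:
            if role != "*" and role not in declared:
                findings.append((name, f"role '{role}' is not declared in security-role"))
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        if auth_method in ("BASIC", "FORM") and guarantee == "NONE":
            findings.append((name, f"{auth_method} credentials sent with transport-guarantee NONE"))
    return findings
```

Run it against your own web.xml by passing the file contents to audit_constraints; an empty list means none of the four conditions was found.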