Web Application Security Elements
This section provides a reference to security elements from the Servlet 2.2 specification. A number of the examples in this chapter have illustrated the use of most of these elements; for example, see Example 9-1.c on page 258.
Table 9-5 lists the elements contained within a security-constraint element, which is the outermost security element in a deployment descriptor.
Table 9-5 <security-constraint> Elements
Element |
Type5 |
Description |
web-resource-collection |
+ |
A subset of a web application's resources to which security constraints apply |
auth-constraint |
? |
Authorization constraints placed on one or more web resource collections |
user-data-constraint |
? |
A specification of how data sent between a client and a container should be protected |
Web resource collections identify one or more protected resources, and authorization constraints specify one or more roles that can access those resources. User data constraints specify how data should be protected while in transit.
Table 9-6 lists web resource collection elements.
Table 9-6 <web-resource-collection> Elements
Element |
Type6 |
Description |
web-resource-name |
1 |
The name of a web resource |
description |
? |
A description of a web resource |
url-pattern |
* |
A url pattern associated with a web resource |
http-method |
? |
An HTTP method associated with a web resource |
Each web resource collection is associated with the name of a resource and an optional description of that resource. One or more URL patterns are associated with a resource name.
HTTP methods may also be associated with a web resource collection; for example, if GET is specified as the HTTP method, the security constraint is only enforced for GET requests. If no HTTP methods are specified, the corresponding security constraint applies to all HTTP requests for the specified resources.
Table 9-7 lists authorization constraint elements.
Table 9-7 <auth-constraint> Elements
Element |
Type7 |
Description |
description |
? |
A description of an authorization constraint |
role-name |
* |
The role(s) to which a constraint applies |
Authorization constraints specify one or more roles that are allowed access to protected resources. Optionally, those roles can be accompanied by a description.
Table 9-8 lists user data constraint elements.
Table 9-8 <user-data-constraint> Elements
Element |
Type8 |
Description |
description |
? |
A description of a user data constraint |
transport-guarantee |
1 |
NONE, INTEGRAL, or CONFIDENTIAL |
User data constraints consist of a transport-guarantee and an optional description. That guarantee can be either NONE, INTEGRAL, or CONFIDENTIAL. A guarantee of NONE means there are no restrictions on the transport of data, and INTEGRAL means the servlet container must ensure that data cannot be changed in transit. A value of CONFIDENTIAL means that the data cannot be read while in transit.
The servlet specification does not specify how servlet containers should implement transport guarantees; however, a value of INTEGRAL or CONFIDENTIAL typically indicates a secure transport layer, such as SSL. Resin, for example, will only provide access to confidential data if ServletRequest.isSecure returns true.9