Authorization

Security constraints enable you to set various levels of authorization within the elements of your Web application. You create J2EE roles and map them to EAServer roles, then limit access to JSPs, servlets, and HTML pages to entities that belong to an authorized J2EE role. In addition, you can define which HTTP methods have access to which URLs, and establish levels of transport guarantee.

For example, you could create a security constraint that blocks access to all users at the Web application level. You could then grant access to resources (HTML pages, JSPs, servlets) within the Web application to authorized users. To do this, you need at least two security constraints:

  1. Create a top-level security constraint and assign to it a Web resource collection with a URL pattern set to “/*”.

    Establish an authorized role for the security constraint that contains no users. For example, you could create the role of “None” and assign it to the security constraint.

  2. Create another security constraint and assign to it a Web resource collection with a URL pattern set to the URL locations for which you are providing access.

    Establish an authorized role that contains the users that are allowed access to the Web resources protected by this security constraint.

  3. Create additional security constraints and allow access to other Web resources as needed.

Use this same approach to define security constraints that require specific levels of transport guarantee.
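The deny-all-then-allow scheme above, written out as web.xml fragments (an added example, not from the EAServer documentation). The role names "None" and "Customers" and the URL pattern "/orders/*" are assumed for illustration.

```xml
<!-- Constraint 1: block the whole Web application. No user belongs to the
     J2EE role "None", so every request is rejected unless a more specific
     constraint below grants access. No <http-method> is listed, so the
     constraint applies to every HTTP method; listing methods would limit
     the constraint to those methods only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DenyAll</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>None</role-name>
  </auth-constraint>
</security-constraint>

<!-- Constraint 2: grant the order pages to members of "Customers" and
     require an SSL-protected session, so the credentials collected by
     basic or form-based authentication and the order data are encrypted
     in transit. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Orders</web-resource-name>
    <url-pattern>/orders/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Customers</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Every role named in an <auth-constraint> is also declared as a
     J2EE security role; these are the roles mapped to EAServer roles. -->
<security-role>
  <role-name>None</role-name>
</security-role>
<security-role>
  <role-name>Customers</role-name>
</security-role>
```

Requests to any URL outside /orders/ fall under the first constraint and are refused; requests under /orders/ are redirected to SSL and then checked against the Customers role.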

Steps: Defining a security constraint

  1. Defining security constraints for your Web application includes:

    • A Web resource collection – a list of URL patterns and HTTP methods available for those URLs.

      The URL pattern can have two forms:

      • /url_name – an individual URL.

      • /url_location/* – all of the URLs located in the url_location directory.

    • The HTTP operations that are allowed access to the defined URL patterns. HTTP operations include:

      • GET – the most common method used by browsers. GET receives its input through a query string.

      • POST – similar to a GET except that the input data is sent through standard input instead of using the query string. The POST method is normally used for an HTML form.

      • PUT – same as POST, except that PUT usually implies that the operation takes effect immediately, whereas a POST's action may be delayed.

      • OPTIONS – determines what HTTP options are supported.

      • DELETE – removes some entity.

      • TRACE – causes a response with a message containing all of the headers sent in the trace request.

    • Authorized roles – the authorized roles that have access to the HTTP methods for the URLs defined for this security constraint.

    • Transport guarantee – establish a level of transport security for each security constraint appropriate for the Web resources you are protecting. If you use basic or form-based authentication, passwords and other sensitive information are not protected for confidentiality. If you have sensitive information that you want to protect, establish a security constraint that uses a greater level of protection. Supported transport guarantee levels are:

      • None – uses insecure HTTP. Using SSL-protected sessions has more overhead than insecure HTTP sessions. Use None for transport guarantee if you do not need the added confidentiality of SSL.

      • Integral – uses an SSL-protected session that checks for data integrity.

      • Confidential – uses an SSL-protected session to ensure that all message content, including the client authenticators, is protected for confidentiality as well as data integrity. A Confidential transport guarantee has more overhead than None.

  2. Redeploy the Web application.

Sample web.xml configuration

<security-constraint>
  <web-resource-collection>
    <web-resource-name>securityZone</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>DELETE</http-method>
    <http-method>TRACE</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>null</description>
    <role-name>admin-role</role-name>
    <role-name>Console_ReadOnly</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>userdata</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>