Friday, July 9, 2010

Secure Access in web.xml


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Access</web-resource-name>
    <url-pattern>/jsp/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>NetSightAdministrator</role-name>
    <role-name>NetSightUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured Access</web-resource-name>
    <url-pattern>/sessionDetails</url-pattern>
    <http-method>GET</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/failure.jsp</form-error-page>
  </form-login-config>
</login-config>


The first constraint, "Restricted Access", requires both a login (the user must be in the NetSightAdministrator or NetSightUser role) and HTTPS for GET and POST requests under /jsp/*. The second, "Secured Access", has no auth-constraint tag at all, so it requires only HTTPS for GET requests to /sessionDetails; no login is needed. (Note that an empty auth-constraint tag means something different: no role satisfies it, so the resource is denied to every client.) The user-data-constraint tag specifies whether plain HTTP or HTTPS is required; transport-guarantee accepts NONE (plain HTTP is acceptable), INTEGRAL (data must not be altered in transit) or CONFIDENTIAL (data must not be observed in transit). Containers treat INTEGRAL and CONFIDENTIAL the same way and redirect both to the HTTPS connector.

Two things to check before relying on this. First, a constraint only covers the http-method values it lists: as written, HEAD, PUT, DELETE and OPTIONS requests to /jsp/* are neither authenticated nor forced onto HTTPS, and a POST to /sessionDetails is not forced onto HTTPS either. Leaving out the http-method tag entirely makes the constraint apply to every method, which is almost always what you want. Second, the roles named in auth-constraint must also be declared with security-role tags in web.xml and mapped to users or groups in the container's realm; and with FORM authentication the login page must post j_username and j_password to j_security_check, or the container will never see the credentials.
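A hardened version of the constraints above, added here as an illustration rather than taken from the original post. The /internal/* path, the "Blocked" resource name and the security-role declarations are assumptions for the example; deny-uncovered-http-methods requires a Servlet 3.1 or later container.

```xml
<!-- Added example, not from the original post. Assumptions: the /internal/*
     path and the "Blocked" name are illustrative; deny-uncovered-http-methods
     needs a Servlet 3.1+ container (web-app version="3.1" or later). -->

<!-- Servlet 3.1+: reject any request whose method is not covered by some
     constraint (e.g. a TRACE or PUT to /jsp/*) instead of letting it through. -->
<deny-uncovered-http-methods/>

<!-- No http-method tags: the constraint applies to every HTTP method, so
     HEAD/PUT/DELETE/OPTIONS cannot bypass either the login or the HTTPS
     requirement. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Access</web-resource-name>
    <url-pattern>/jsp/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>NetSightAdministrator</role-name>
    <role-name>NetSightUser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- HTTPS-only without login, for every method rather than GET alone. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secured Access</web-resource-name>
    <url-pattern>/sessionDetails</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Empty auth-constraint: no role satisfies it, so no client can request
     /internal/* directly. Server-side forwards and includes are not subject
     to security constraints, so the application can still reach these files. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Blocked</web-resource-name>
    <url-pattern>/internal/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/failure.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role referenced in an auth-constraint must be declared here and
     mapped to users/groups in the container's realm configuration. -->
<security-role>
  <role-name>NetSightAdministrator</role-name>
</security-role>
<security-role>
  <role-name>NetSightUser</role-name>
</security-role>
```

Drop the deny-uncovered-http-methods line on a Servlet 3.0 or older container; removing the http-method tags on its own already closes the method-bypass gap there, because a constraint with no listed methods covers all of them.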

See: Configuring security on a resource
