Secure Acess in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Access</web-resource-name>
<url-pattern>/jsp/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>NetSightAdministrator</role-name>
<role-name>NetSightUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured Access</web-resource-name>
<url-pattern>/sessionDetails</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/failure.jsp</form-error-page>
</form-login-config>
</login-config>
The 1st "Restricted Access" requires login and https access. The 2nd "Secured Access" doesn't have auth-constraint tag and only requires https access. (*The empty auth-constraint tag has different meaning - to exclud access). The user-data-constraint tag to specify http/https access, value NONE or CONFIDENTIAL.
See: Configuring security on a resource
No comments:
Post a Comment