The deployment descriptor, web.xml, is the most important configuration
piece of a Java EE Web application. The security configuration in this
descriptor drives the semantics and operation of web container security.
Hence it is critical that web developers and administrators understand
the various combinations possible in the security configuration in this
descriptor.
Security Constraints
Security Constraints are least understood by web developers, even though
they are critical for the security of Java EE Web applications.
Specifying a combination of URL patterns, HTTP methods, roles and
transport constraints can be daunting to a programmer or administrator.
It is important to realize that any combination that was intended to be
secured but is not specified in a security constraint will be allowed by
the web container. Security Constraints consist of Web Resource
Collections (URL patterns, HTTP methods), Authorization Constraints
(role names) and User Data Constraints (whether the web request needs to
be received over a protected transport such as TLS). We will illustrate
this using 3 use cases.
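The point about unspecified combinations can be checked mechanically. The script below is an added example, not code from the original post: it audits each security-constraint for the three parts named above, using two constructed descriptors (the `/admin/*` pattern and `admin` role are made up), and assumes the descriptor uses neither `http-method-omission` nor `deny-uncovered-http-methods`.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original post).
WEAK = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

HARDENED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def audit(web_xml):
    """Return findings for each security-constraint in a web.xml string."""
    findings = []
    for sc in (e for e in ET.fromstring(web_xml).iter() if local(e.tag) == "security-constraint"):
        text = lambda name: [e.text.strip() for e in sc.iter() if local(e.tag) == name and e.text]
        urls = ",".join(text("url-pattern"))
        methods = text("http-method")
        if methods:  # listed methods only: every other method is unconstrained
            findings.append(f"{urls}: only {'/'.join(methods)} constrained; other HTTP methods are allowed")
        if not any(local(e.tag) == "auth-constraint" for e in sc.iter()):
            findings.append(f"{urls}: no auth-constraint, so no role is required")
        if "CONFIDENTIAL" not in text("transport-guarantee"):
            findings.append(f"{urls}: no CONFIDENTIAL transport-guarantee, so plain HTTP is accepted")
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(doc) or "no findings")
```

The weak descriptor yields two findings (methods other than GET and POST are uncovered, and no transport guarantee is set); the hardened one, which omits `http-method` so the constraint covers all methods, yields none.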