O'Reilly logo

Head First Servlets and JSP, 2nd Edition by Bert Bates, Bryan Basham, Kathy Sierra

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Picky <security-constraint> rules for <auth-constraint> sub-elements

Even though it’s got constraint in its name, this is the sub-element that specifies which roles are ALLOWED to access the web resources specified by the <web-resource-collection> sub-element(s).

The <auth-constraint> sub-element of <security-constraint>

image with no caption

<role-name> rules

  • Within an <auth-constraint> element, the <role-name> element is OPTIONAL.

  • If <role-name> elements exist, they tell the Container which roles are ALLOWED.

  • If an <auth-constraint> element exists with NO <role-name> element, then NO USERS ARE ALLOWED.

  • If <role-name>*</role-name> then ALL users are ALLOWED.

  • Role names are case-sensitive.

<auth-constraint> rules

  • Within a <security-constraint> element, the <auth-constraint> element is OPTIONAL.

  • If an <auth-constraint> exists, the Container MUST perform authentication for the associated URLs.

  • If an <auth-constraint> does NOT exist, the Container MUST allow unauthenticated access for these URLs.

  • For readability, you can add a <description> inside <auth-constraint>.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required