O'Reilly logo

Head First Servlets and JSP, 2nd Edition by Bert Bates, Bryan Basham, Kathy Sierra

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

How to implement data confidentiality and integrity sparingly and declaratively

Once again, we turn to the DD. In fact, we’ll use our old friend <security-constraint> for both confidentiality and integrity by adding an element called <user-data-constraint>. And when you think about it, it makes sense—if you’re thinking about authorization for a resource, you’re probably going to consider whether you want the data transmitted securely.

image with no caption

NONE

This is the default, and it means there’s no data protection.

INTEGRAL

The data must not be changed along the way.

CONFIDENTIAL

The data must not be seen by anybody along the way.

NOTE: although not guaranteed by the spec, in practice virtually every Container uses SSL for guaranteed transport, which means that both INTEGRAL and CONFIDENTIAL do the same thing—either one gives you both confidentiality and integrity. Since you can have only one <user-data-constraint> per <security-constraint>, some people recommend you use CONFIDENTIAL, but again, it will probably never matter in practice, unless you move to a new Container that doesn’t use SSL for guaranteed transport.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required