11.9. Letting the Container Manage Security
Problem
You want to let the container manage security for your Struts application instead of you having to write all the Java code to support log in (authentication) and access checks (authorization).
Solution
Use container-managed security, as defined by the Java Servlet Specification.
Discussion
A servlet container or J2EE application server can manage security for web applications. Container-managed security provides three main features:
- Authentication
You can specify to the container how users are to be authenticated using a login configuration. You indicate if you want the browser to prompt for the username and password, or if you want to use your own custom login page.
- Authorization
You can establish security constraints that allow users with certain roles access to specific URLs of the application. If users attempt to access a page to which they aren't authorized, they will be prompted to login using the login configuration.
- Secure transport
You can specify which URLs should be accessed using a secure protocol. In practical terms, you indicate which pages can be accessed with the HTTPS protocol (HTTP over Secure Socket Layer).
You configure container-managed security using special XML elements in your web.xml, as shown in Example 11-16.
Example 11-16. Configuring container-managed security in web.xml
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd"> ...
Get Jakarta Struts Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
