J2EE provides comprehensive support for security in the web tier including transport-level security with SSL as well as authentication and authorization for application-level security. These security services are provided as both declarative security features (configured through web.xml deployment descriptor elements) and programmatic security calls integrated with the Servlet and JSP APIs.
The web tier provides fine-grained control over transport-level security. There are three modes of transport-level security:

NONE, as the name implies, means no transport-level security; all information is sent in the clear. This is the default mode.

INTEGRAL means that the client and the server cooperate to ensure that content is not changed in transit.

CONFIDENTIAL means that the client and server keep the content secret as it is transported over the wire.

Both INTEGRAL and CONFIDENTIAL imply using SSL to communicate between the clients (typically browsers) and the server. Such transport-level security is also known as one-way SSL. You specify the transport-level security constraints in the web.xml deployment descriptor as part of <security-constraint> elements, as depicted in Figure 10-1.
The <security-constraint> element uses a <web-resource-collection> element to specify the subset of the application that is the target of the constraint. The <web-resource-collection> element also supports specification ...
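As an added illustration (this fragment is not one of the book's listings and is not the Figure 10-1 example), the following web.xml shows the three pieces the text describes working together: a <web-resource-collection> that names the protected subset of the application, an <auth-constraint> that restricts it to a role, and a <user-data-constraint> whose <transport-guarantee> is set to CONFIDENTIAL so the container forces those requests onto SSL. The /secure/* path, the "customer" role, and the login page names are assumptions made up for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example deployment descriptor (not from the book).
     The Servlet 2.3 DTD is used; the element names below are unchanged
     in later, schema-based versions of web.xml. -->
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>Transport-level security example</display-name>

  <!-- One security constraint: the /secure/ area (a hypothetical path)
       may only be reached over SSL and only by authenticated users in
       the hypothetical "customer" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <!-- No <http-method> elements on purpose: when none are listed the
           constraint applies to every HTTP method. Listing only GET and
           POST would leave other methods (HEAD, PUT, ...) unconstrained. -->
    </web-resource-collection>

    <!-- Authorization: callers must be in the "customer" role. -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>

    <!-- Transport-level security: CONFIDENTIAL (or INTEGRAL) makes the
         container redirect plain HTTP requests for these URLs to HTTPS.
         Resources not matched by any constraint get the default, NONE. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication mechanism used when an <auth-constraint> applies.
       FORM-based login with hypothetical login and error pages. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>example-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an <auth-constraint> must be declared. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Two things are worth checking when reviewing a descriptor like this: that the <url-pattern> really covers every path to the sensitive resource (patterns are matched literally, so alternate spellings or aliases of the path are not covered), and that <http-method> is either omitted or lists every method the resource should reject, since an unlisted method falls outside the constraint entirely. Note also that <transport-guarantee> only governs the client-to-container hop; the container still has to be configured with an SSL connector for the redirect to succeed.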