Web Component Security

J2EE provides comprehensive support for security in the web tier including transport-level security with SSL as well as authentication and authorization for application-level security. These security services are provided as both declarative security features (configured through web.xml deployment descriptor elements) and programmatic security calls integrated with the Servlet and JSP APIs.

Web-Tier Transport-Level Security

The web tier provides fine-grained control over transport-level security. There are three modes of transport-level security: NONE, INTEGRAL, and CONFIDENTIAL. NONE, as the name implies, means no transport-level security; all information is sent in the clear. This is the default mode. INTEGRAL means that the client and the server cooperate to ensure that content is not changed in transit. CONFIDENTIAL means that the client and server keep the content secret as it is transported over the wire. INTEGRAL and CONFIDENTIAL imply using SSL to communicate between the clients (typically browsers) and the server. Such transport-level security is also known as one-way SSL. You specify the transport-level security constraints in the web.xml deployment descriptor as part of the <security-constraint> elements as depicted in Figure 10-1.

The <security-constraint> element uses the <web-resource-collection> element to specify the subset of the application that is the target of the constraint. The <web-resource-collection> element also supports specification ...
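As an added example (not from the book), here is a web.xml fragment that leaves public static content at the default NONE guarantee and places account pages under a CONFIDENTIAL guarantee combined with an authorization constraint; the URL patterns, realm name and the "customer" role are assumed:

```xml
<!-- Added example, not the book's own: URL patterns, realm and the "customer" role are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Public static content: no transport guarantee, so it travels in the clear.
       NONE is the default and could be omitted; it is spelled out here for contrast. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public static content</web-resource-name>
      <url-pattern>/images/*</url-pattern>
      <url-pattern>/css/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Account pages: require one-way SSL (server authenticated to the browser,
       content kept confidential) and restrict access to the "customer" role.
       A container enforcing CONFIDENTIAL typically redirects a plain-HTTP request
       to HTTPS, or rejects it, before the servlet or JSP runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <!-- No <http-method> listed: the constraint then covers every HTTP method.
           Listing only GET and POST would leave other methods unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The <auth-constraint> above needs a login mechanism and a declared role. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AccountRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Because the login form itself lives under a path not covered by the CONFIDENTIAL constraint, put /login.jsp under a constraint with the same guarantee if credentials must never be submitted in the clear.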
