Web Component Security

J2EE provides comprehensive support for security in the web tier including transport-level security with SSL as well as authentication and authorization for application-level security. These security services are provided as both declarative security features (configured through web.xml deployment descriptor elements) and programmatic security calls integrated with the Servlet and JSP APIs.

Web-Tier Transport-Level Security

The web tier provides fine-grained control over transport-level security. There are three modes of transport-level security: NONE, INTEGRAL, and CONFIDENTIAL. NONE, as the name implies, means no transport-level security; all information is sent in the clear. This is the default mode. INTEGRAL means that the client and the server cooperate to ensure that content is not changed in transit. CONFIDENTIAL means that the client and server keep the content secret as it is transported over the wire. INTEGRAL and CONFIDENTIAL imply using SSL to communicate between the clients (typically browsers) and the server. Such transport-level security is also known as one-way SSL. You specify the transport-level security constraints in the web.xml deployment descriptor as part of the <security-constraint> elements as depicted in Figure 10-1.

The <security-constraint> element uses the <web-resource-collection> element to specify the subset of the application that is the target of the constraint. The <web-resource-collection> element also supports specification ...

Get Java Enterprise in a Nutshell, Third Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.