web.xml security-constraints form the cornerstone of web security for Java Enterprise Applications.
I would like to give out some examples of security-constraints that mean different things:
Excluded Resources:
<security-constraint>
<display-name>excluded</display-name>
<web-resource-collection>
<web-resource-name>No Access</web-resource-name>
<url-pattern>/excluded/*</url-pattern>
<url-pattern>/restricted/get-only/excluded/*</url-pattern>
<url-pattern>/restricted/post-only/excluded/*</url-pattern>
<url-pattern>/restricted/any/excluded/*</url-pattern>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>No Access</web-resource-name>
<url-pattern>/restricted/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint />
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
In this case, because of the excluding auth-constraint element (shown in BOLD), all the url patterns shown in italics will be excluded from ANY access. Nobody will be able to access these resources.
Unchecked Resources:
<security-constraint>
<web-resource-collection>
<web-resource-name>All Access</web-resource-name>
<url-pattern>/unchecked/*</url-pattern>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
In this case, we are saying that the url pattern in italics for the http methods declared (HEAD,GET,POST etc), access should not be checked. The key here is the missing auth-constraint element.
Restricted GET operation:
<security-constraint>
<display-name>Restricted GET</display-name>
<web-resource-collection>
<web-resource-name>Restricted Access - Get Only</web-resource-name>
<url-pattern>/restricted/get-only/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>GetRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
In this case, we declare that the GET operation on the url pattern in italics can be performed only by a caller with "GetRole" role.
Reference: http://java.dzone.com/articles/understanding-web-security
No comments:
Post a Comment