Logging Out


Authorization

All the authentication schemes we've documented here are activated only when some part of a site or application needs to be secured and designated as such. You cause this designation to occur by setting up a constraint. A Web application can define a set of secured pages or even a single page using the <security-constraint> element. This element contains a number of other elements that help determine who has access to the pages.

Consider the following example configuration:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/confidential.jsp</url-pattern>
        <url-pattern>/safe/*.jsp</url-pattern>
      </web-resource-collection>
      <auth-constraint role-name='user'/>
      <ip-constraint>152.168.1.0/24</ip-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

The configuration begins with the top-level <security-constraint> element, which holds all the other elements. Next, the <web-resource-collection> element defines which pages are restricted from anonymous access. A <url-pattern> element defines the pattern to match against page requests; this example restricts access to the confidential.jsp file as well as all JSP files in the safe directory. If a user attempts to access any of these pages, an authenticator will attempt to obtain a username/password from the user. The <web-resource-collection> element can also include a <method> element to restrict the HTTP request types, such as GET or POST.

Next, the <auth-constraint> element further restricts access to the pages. Its role-name attribute tells the system that even if the user enters the correct username/password, the user's role must still be user. The role value is an arbitrary string defined in the configuration file for the XmlAuthenticator, or in the database for the JdbcAuthenticator.

If the user gets past the username/password combination and the role check, they are hit with a restriction on the IP address of the requesting machine. The <ip-constraint> element lets you restrict clients to an IP pattern or a specific IP address. Finally, the <user-data-constraint> element says the transport must be CONFIDENTIAL, which means SSL—the user must have accessed the pages using an HTTPS request instead of plain HTTP. If you don't want to restrict the transport type, you can leave the element out or use a value of NONE.
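To make the evaluation order concrete, here is an added example (not code from the book or from Resin) that parses the constraint above and applies the three checks, role, client IP and transport, in the order the text describes. The request tuple, the roles set and the `*` matching across path segments are simplifying assumptions of this example, not Resin's exact semantics.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the configuration discussed above.
CONSTRAINT_XML = """
<security-constraint>
  <web-resource-collection>
    <url-pattern>/confidential.jsp</url-pattern>
    <url-pattern>/safe/*.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint role-name='user'/>
  <ip-constraint>152.168.1.0/24</ip-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
""".strip()

def parse_constraint(xml_text):
    """Pull the url-patterns, required role, IP network and transport out of the XML."""
    root = ET.fromstring(xml_text)
    auth = root.find("auth-constraint")
    ip = root.find("ip-constraint")
    tg = root.find("user-data-constraint/transport-guarantee")
    return {
        "patterns": [p.text.strip() for p in root.iter("url-pattern")],
        "role": auth.get("role-name") if auth is not None else None,
        # CIDR form as in the sample; a single address parses as a /32 network.
        "network": ipaddress.ip_network(ip.text.strip()) if ip is not None else None,
        "transport": tg.text.strip() if tg is not None else "NONE",  # absent means NONE
    }

def is_protected(constraint, path):
    # Simplification: shell-style matching, so '*' also spans '/' in the path.
    return any(fnmatch.fnmatchcase(path, p) for p in constraint["patterns"])

def check_request(constraint, path, roles, client_ip, scheme):
    """Return (allowed, reason); the first failing check wins, in the documented order."""
    if not is_protected(constraint, path):
        return True, "unconstrained"
    if constraint["role"] and constraint["role"] not in roles:
        return False, "role"        # anonymous, or authenticated without the role
    if constraint["network"] and ipaddress.ip_address(client_ip) not in constraint["network"]:
        return False, "ip"
    if constraint["transport"] == "CONFIDENTIAL" and scheme != "https":
        return False, "transport"   # right user, right network, but plain HTTP
    return True, "ok"

CONSTRAINT = parse_constraint(CONSTRAINT_XML)
```

Running `check_request(CONSTRAINT, "/safe/report.jsp", {"user"}, "152.168.1.7", "http")` shows why a correct login from the allowed subnet is still refused when the transport guarantee is not met.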




Mastering Resin
ISBN: 0471431036
Year: 2002
Pages: 180