Security constraints are a declarative way of annotating the intended protection of web content. A constraint consists of the following elements:

A web resource collection is a set of URL patterns and HTTP methods that describe a set of resources to be protected. All requests that contain a request path that matches the URL pattern described in the web resource collection are subject to the constraint.

An authorization constraint is a set of roles that users must be a part of to access the resources described by the web resource collection. If the user is not part of an allowed role, the user is denied access to that resource.

A user data constraint indicates that the transport layer of the client-server communication process satisfies the requirement of either guaranteeing content integrity (preventing tampering in transit) or guaranteeing confidentiality (preventing reading while in transit).

SRV.11.7.1 Default Policies

By default, authentication is not needed to access resources. Authentication is needed only for requests in a specific web resource collection when specified by the deployment descriptor.
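
The three elements above, written as a deployment descriptor (web.xml) fragment. This is an added example, not text from the specification; the /admin/* path, the resource name and the "admin" role are assumptions chosen for illustration.

```xml
<!-- Constructed example: the /admin/* path and the "admin" role are assumptions -->
<security-constraint>
  <!-- Web resource collection: which requests the constraint covers -->
  <web-resource-collection>
    <web-resource-name>Admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method elements: the constraint applies to every HTTP method.
         Listing methods here (for example GET and POST) would leave requests
         that use any other method on /admin/* outside the collection, where
         the default policy of no authentication applies. -->
  </web-resource-collection>

  <!-- Authorization constraint: roles allowed to access the collection -->
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>

  <!-- User data constraint: transport requirement.
       INTEGRAL = content integrity, CONFIDENTIAL = confidentiality,
       NONE = no transport guarantee -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Roles named in an auth-constraint are declared as security roles -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```

Any request path that matches no url-pattern in any constraint stays under the default policy, so review the patterns against the application's full URL space rather than only its known protected pages.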