4.4 The Deployment Descriptor of a Web Module


A Web application is a collection of servlets, JSP pages, and static content, such as HTML pages, that can be accessed over the Internet. A Web application is packaged in a single deployable unit called a Web module (see Section 3.2.2 on page 59). Each Web module is stored in a WAR file, an enhanced JAR file having a .war extension.

A Web module always contains a special XML file, called the deployment descriptor, which declares the contents of the Web module, contains information about the structure and external dependencies of the Web module's components, and declares the security policies applicable to the URIs that are mapped to the resources within the Web module. These security policies include both the authorization policy and the login configuration information. The deployment descriptor of a Web module is specified in a file named web.xml, which is packaged along with the Web application in the Web module's WAR file. As discussed in Section 3.7 on page 64, a deployment descriptor contains hints about the deployment of a Web application. These hints are specified by an Application Assembler, who packages the various Web components forming the Web application. The Application Assembler is expected to be familiar with the Web application; in particular, the Application Assembler has to know which parts of the Web application are to be exposed to other services and to the outside world. It is the responsibility of the Deployer to take the Application Assembler's hints in the deployment descriptor and adapt them to the operational environment into which the application is deployed.

In terms of security, a Web application's deployment descriptor defines

  • The mechanisms by which users should be authenticated to access the Web resources (see Section 3.9.1 on page 77)

  • The privileges users are expected to have in order to access these resources (see Section 3.9.2 on page 83)

  • The delegation policies that specify the principals whose credentials are propagated with the cascaded downstream requests (see Section 3.9.3 on page 86)

It is important to understand that the deployment descriptor is merely a hint for deployment. The effective policy for a Web application may well differ from what was originally specified in the deployment descriptor. For example, a Web application's deployment descriptor may say that the URI /travelAgent/* may be accessed only by users with the TravelAgent role. In the enterprise in which the Web application is deployed, however, the enterprise security policy may require that the same URI also be accessible by users with the Supervisor role. Even though the deployment descriptor may be modified at a later time, it is important to convey the intended security policy in the deployment descriptor, because the Deployers and the System Administrators then need to know less about the application logic itself in order to deploy it securely.
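The following web.xml is an added example, not taken from the book, showing how the three kinds of security policy listed above are expressed for the /travelAgent/* scenario. The servlet name, class name, realm name, login pages and the Agency role are hypothetical; the Supervisor role-name entry is the kind of change the Deployer would make to the Application Assembler's descriptor to satisfy the enterprise policy described in the text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml (not from the book). All names are illustrative. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <servlet>
    <servlet-name>TravelAgentServlet</servlet-name>
    <servlet-class>com.example.travel.TravelAgentServlet</servlet-class>
    <!-- Delegation policy (Section 3.9.3): downstream calls made by this
         servlet carry the identity mapped to the Agency role, not the
         identity of the authenticated caller. -->
    <run-as>
      <role-name>Agency</role-name>
    </run-as>
  </servlet>

  <servlet-mapping>
    <servlet-name>TravelAgentServlet</servlet-name>
    <url-pattern>/travelAgent/*</url-pattern>
  </servlet-mapping>

  <!-- Authorization policy (Section 3.9.2) -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Travel agent pages</web-resource-name>
      <url-pattern>/travelAgent/*</url-pattern>
      <!-- No http-method element: the constraint applies to every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- As written by the Application Assembler -->
      <role-name>TravelAgent</role-name>
      <!-- Added by the Deployer to meet the enterprise policy -->
      <role-name>Supervisor</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require SSL/TLS for these URIs -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authentication mechanism (Section 3.9.1): form-based login -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>travel</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced above must be declared here -->
  <security-role><role-name>TravelAgent</role-name></security-role>
  <security-role><role-name>Supervisor</role-name></security-role>
  <security-role><role-name>Agency</role-name></security-role>

</web-app>
```

Two details are worth checking whenever such a descriptor is reviewed. First, if a web-resource-collection lists specific http-method elements, only those methods are constrained and all others remain open to everyone, so leaving http-method out (as above) is the safer default. Second, an empty `<auth-constraint/>` denies the URI to every user, whereas a security-constraint with no auth-constraint at all requires no authentication; the two are easy to confuse and have opposite effects. The mapping of TravelAgent, Supervisor and Agency to actual users and groups is done by the Deployer in the container's vendor-specific configuration, which is what "adapting the hints to the operational environment" means in practice.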

The following sections explain how security policies are described and specified in a Web application's deployment descriptor, the semantics of the corresponding deployment-descriptor elements, and how those elements can be altered to achieve various security policies.



Enterprise Java™ Security: Building Secure J2EE™ Applications
ISBN: 0321118898
Year: 2004
