Security
<security-role>                                     <!-- declares a role; one element per role -->
    <description>administrator role</description>   <!-- optional -->
    <role-name>admin</role-name>
</security-role>

<security-constraint>                               <!-- specifies who may access which resources -->
    <web-resource-collection>                       <!-- repeat for additional resources -->
        <web-resource-name>User Preferences</web-resource-name>
        <description>Prefs and settings for users...</description>   <!-- optional -->
        <url-pattern>/prefs/*</url-pattern>
        <url-pattern>/settings/*</url-pattern>
        <http-method>GET</http-method>              <!-- optional (default: all methods) -->
        <http-method>POST</http-method>             <!-- if listed, ONLY these methods are constrained -->
    </web-resource-collection>
    <auth-constraint>                               <!-- optional (omitted: open to everyone, no login) -->
        <role-name>admin</role-name>                <!-- refers to a <security-role>; "*" for all declared roles -->
        <role-name>registered</role-name>
    </auth-constraint>                              <!-- an empty <auth-constraint/> denies everyone -->
    <user-data-constraint>                          <!-- optional (default: NONE, SSL not required) -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>   <!-- CONFIDENTIAL = SSL/TLS; INTEGRAL and NONE are the other values -->
    </user-data-constraint>
</security-constraint>

<login-config>                                      <!-- configures how users log in -->
    <auth-method>FORM</auth-method>                 <!-- optional (alternatives: BASIC, DIGEST, CLIENT-CERT) -->
    <realm-name>My Realm</realm-name>               <!-- optional; used by BASIC and DIGEST only -->
    <form-login-config>                             <!-- optional, for FORM only -->
        <form-login-page>/login.jsp</form-login-page>       <!-- the form must POST j_username and j_password to j_security_check -->
        <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
</login-config>

Two details deserve care. Listing <http-method> elements narrows the constraint to exactly those methods: with GET and POST listed as above, a HEAD, PUT, DELETE, OPTIONS or TRACE request to /prefs/* is not subject to the constraint at all, and since HttpServlet routes HEAD to doGet(), the "protected" code still runs for an anonymous caller. Unless there is a specific reason to constrain by method, omit <http-method> so that every method is covered (Servlet 3.1 and later additionally offer <deny-uncovered-http-methods/>). Second, <auth-constraint> has three distinct states: omitted means the resource is open to anyone, a list of roles means any authenticated user holding one of them, and an empty <auth-constraint/> means nobody, which is the idiomatic way to block direct requests to a URL such as a directory of included fragments.
Security Examples
Servlet-implemented Security
This web.xml declares three roles and a FORM login configuration, but it contains no <security-constraint>, so the container itself restricts nothing: every URL is reachable by anonymous users. Access control is left to the servlets, which check roles programmatically with HttpServletRequest.isUserInRole(). The <security-role-ref> elements map the role names hard-coded in each servlet (User, Operator, Admin) to the roles declared in the descriptor (plainUser, powerUser, root), so the code does not change when a deployer renames roles. One caveat: the container only starts the FORM login when a request hits a constrained resource, and the Servlet 2.4 API has no programmatic login, so without at least one <security-constraint> somewhere in the application nobody is ever authenticated and isUserInRole() always returns false.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <security-role>
        <role-name>plainUser</role-name>
    </security-role>
    <security-role>
        <role-name>powerUser</role-name>
    </security-role>
    <security-role>
        <role-name>root</role-name>
    </security-role>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/loginFailed.xhtml</form-error-page>
        </form-login-config>
    </login-config>

    <servlet>
        <servlet-name>adminServlet</servlet-name>
        <servlet-class>com.jarfiller.example.AdminServlet</servlet-class>
        <security-role-ref>
            <role-name>Admin</role-name>
            <role-link>root</role-link>
        </security-role-ref>
    </servlet>
    <servlet-mapping>
        <servlet-name>adminServlet</servlet-name>
        <url-pattern>/admin/*</url-pattern>
    </servlet-mapping>

    <servlet>
        <servlet-name>mainServlet</servlet-name>
        <servlet-class>com.jarfiller.example.MainServlet</servlet-class>
        <security-role-ref>
            <role-name>User</role-name>
            <role-link>plainUser</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>Operator</role-name>
            <role-link>powerUser</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>Admin</role-name>
            <role-link>root</role-link>
        </security-role-ref>
    </servlet>
    <servlet-mapping>
        <servlet-name>mainServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

</web-app>
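The programmatic side of the descriptor above, as an added example that is not the page's own code: com.jarfiller.example.MainServlet is named in the web.xml, but its source is not on the page, so this is one way such a servlet could enforce the roles. It checks the role-ref names User, Operator and Admin with isUserInRole(); the path-to-role layout (/users/* for admins, /reports/* for operators) is an assumption made up for this illustration.

```java
package com.jarfiller.example;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Programmatic security for the "Servlet-implemented Security" web.xml.
 * The role names used here are the <role-name> values of this servlet's
 * <security-role-ref> elements; the container maps them through <role-link>
 * to the deployment roles plainUser / powerUser / root, so this code need not
 * change when a deployer renames those roles. A name with no matching
 * security-role-ref is compared directly against the <security-role> list,
 * so a typo here checks a role nobody holds and fails closed.
 */
public class MainServlet extends HttpServlet {

    private static final String ROLE_USER = "User";
    private static final String ROLE_OPERATOR = "Operator";
    private static final String ROLE_ADMIN = "Admin";

    /**
     * Map a request path to the role it requires. The prefixes are assumptions
     * for this example; the web.xml on the page defines no such layout. Anything
     * not listed still needs the User role: the default is "deny unless logged
     * in", never "allow".
     */
    static String requiredRoleFor(String path) {
        if (path.equals("/users") || path.startsWith("/users/")) {
            return ROLE_ADMIN;
        }
        if (path.equals("/reports") || path.startsWith("/reports/")) {
            return ROLE_OPERATOR;
        }
        return ROLE_USER;
    }

    /**
     * The check lives in service(), not doGet(), so it runs for every HTTP
     * method (GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, ...). A check placed
     * only in doGet() is the programmatic twin of a <security-constraint> that
     * lists <http-method>GET</http-method> alone: other verbs walk past it.
     */
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With no <security-constraint> the container never ran the FORM login,
        // so an anonymous request simply has no principal. Fail closed.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login required");
            return;
        }

        // Use the container-decoded servlet path + path info rather than the raw
        // request URI, so percent-encoded spellings of a protected prefix are
        // compared in the same form the check expects.
        String pathInfo = req.getPathInfo();
        String path = req.getServletPath() + (pathInfo == null ? "" : pathInfo);
        String required = requiredRoleFor(path);

        if (!req.isUserInRole(required)) {
            // Authenticated but not authorised: 403, and record who tried what.
            log("denied " + user.getName() + " " + req.getMethod() + " " + path
                    + " (requires role " + required + ")");
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        super.service(req, resp);   // dispatches to doGet / doPost / ...
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("Hello " + req.getUserPrincipal().getName());
        out.println("admin view: " + req.isUserInRole(ROLE_ADMIN));
    }
}
```

Because the container never challenges anyone for this application, the 401 branch is what an unauthenticated visitor will always hit; in practice you pair such a servlet with at least one constrained URL (even a dummy one) so that the FORM login is triggered and the principal gets set.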
Declarative Security
This web.xml defines two protected areas, both authenticated with HTTP Basic Authentication against the realm "JF Administration": /admin/* and /control/* are restricted to the admin role and may only be reached over SSL (CONFIDENTIAL), while /statistics/* is open to both admin and operator. No <http-method> is listed in either constraint, so every HTTP method is covered. Note that the statistics constraint has no <user-data-constraint>: BASIC credentials are only base64-encoded, not encrypted, so on /statistics/* they can travel over plain HTTP, and because the same admin account also unlocks /admin/*, an admin who visits the statistics pages over HTTP exposes the credentials for the SSL-only area as well. Adding a CONFIDENTIAL transport guarantee to the second constraint too is the safer configuration.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>operator</role-name>
    </security-role>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>JF Administration</realm-name>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Areas</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
            <url-pattern>/control/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Statistics Area</web-resource-name>
            <url-pattern>/statistics/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>operator</role-name>
        </auth-constraint>
    </security-constraint>

</web-app>

