Enforcing Encryption
By default, the servlet specification will not require access over HTTPS to any user constraints you declare in your web.xml file. If you want to enforce HTTPS access for these constraints, you can specify a <user-data-constraint> within your <security-constraint> definitions. Let's modify our previous example to enforce HTTPS:
<web-app>
...
   <security-constraint>
      <web-resource-collection>
         <web-resource-name>customer creation</web-resource-name>
         <url-pattern>/services/customers</url-pattern>
         <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
         <role-name>admin</role-name>
      </auth-constraint>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
...
</web-app>
All you have to do is declare a <transport-guarantee> element within a <user-data-constraint> that has a value of CONFIDENTIAL. If a user tries to access the URL pattern with HTTP, she will be redirected to an HTTPS-based URL.
Authorization Annotations
Java EE defines a common set of annotations that can define authorization metadata. The JAX-RS specification suggests, but does not require, vendor implementations to support these annotations in a non-Java EE 6 environment. These annotations live in the javax.annotation.security package and are @RolesAllowed, @DenyAll, @PermitAll, and @RunAs.

The @RolesAllowed annotation defines the roles permitted to execute a specific operation. When placed on a JAX-RS annotated class, it defines the default access control list for all HTTP operations defined in the JAX-RS class. If placed on a JAX-RS method, the constraint applies only to the method that is annotated.
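As an added example, not code from the book, here is a JAX-RS resource that shows the class-level default and the method-level overrides the text describes, reusing the "admin" role from the web.xml example. The CustomerResource class name, the /customers path (assuming the JAX-RS servlet is mapped under /services) and the in-memory store are assumptions made for the example.

```java
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.*;
import javax.ws.rs.core.Response;

// Class-level @RolesAllowed is the default access control list for every
// HTTP operation in this resource: only the "admin" role (the role from the
// web.xml example above) may call a method that does not override it.
@Path("/customers")
@RolesAllowed("admin")
public class CustomerResource {

    // Constructed in-memory store so the class compiles stand-alone.
    private static final Map<Integer, String> STORE = new ConcurrentHashMap<>();
    private static final AtomicInteger NEXT_ID = new AtomicInteger(1);

    // No method-level annotation, so the class default applies:
    // POST /customers requires the "admin" role.
    @POST
    @Consumes("application/xml")
    public Response createCustomer(String customerXml) {
        int id = NEXT_ID.getAndIncrement();
        STORE.put(id, customerXml);
        return Response.created(URI.create("/customers/" + id)).build();
    }

    // Method-level @PermitAll overrides the class default for this operation
    // only: GET /customers/{id} is open to any caller.
    @GET
    @Path("{id}")
    @Produces("application/xml")
    @PermitAll
    public String getCustomer(@PathParam("id") int id) {
        return STORE.get(id);
    }

    // @DenyAll rejects every caller regardless of role: the method exists
    // but is never reachable over HTTP.
    @DELETE
    @Path("{id}")
    @DenyAll
    public void deleteCustomer(@PathParam("id") int id) {
        STORE.remove(id);
    }
}
```

As the text notes, support for these annotations is only suggested by the JAX-RS specification outside Java EE 6, so confirm that the vendor implementation in use actually enforces them before relying on them as the sole access control.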