HTML and CSS Reference
In-Depth Information
An authorization constraint (
<auth-constraint>
) contains the
<role-name>
element. You can use as many
<role-name>
elements as needed inside the
<auth-constraint>
element. The roles defined for the application
must be mapped to users and groups defined on the application server (every application server has its own way for
declaring this roles to users and groups mapping; check the section on “Applying Managed Security in the Weather
Application” to understand how to do this on GlassFish application server version 4.0).
Data Protection
Data protection refers to securing data which is transferred between the client and the server. In Java EE, in order to
do data protection, you can use
<user-data-constraint>
element of
<security-constraint>
in
web.xml
as shown in
Listing 12-1 and highlighted in Listing 12-2.
Listing 12-2.
<user-data-constraint> of <security-constraint> Element in web.xml
<security-constraint>
<display-name>securityConstraint</display-name>
<web-resource-collection>
<web-resource-name>resources</web-resource-name>
<url-pattern>/protected/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>weatherUserRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
As shown in the bolded lines, the
<user-data-constraint>
element contains the
<transport-guarantee>
element. The
<transport-guarantee>
element specifies the communication between client and server, and it can
have one of the following possible values:
NONE
,
INTEGRAL
,
CONFIDENTIAL
.
INTEGRAL
means that the application
requires data (to be sent between the client and the server) to be sent in such a way that it cannot be changed from
a third malicious party, while
CONFIDENTIAL
means that the application requires preventing other malicious third
parties from observing the contents of the transmission. Both
INTEGRAL
and
CONFIDENTIAL
imply SSL.
Applying Managed Security in the Weather Application
In Chapter 10, we were introduced to the
Weather Application
as an example of a basic JSF 2.2 application. In the
Weather Application
, we handled the authentication (application login) and authorization (access to weather pages)
from the application code. Handling security from application code is not recommended, especially when we are
talking about typical authentication and authorization scenarios that do not have custom security requirements;
therefore, let's apply container-managed security (form-based authentication and authorization) to the weather
application.
First of all, let's modify
home.xhtml
to include the HTML form of the form-based authentication instead of
handling the login requirement from the application code. Listing 12-3 shows the updates to home.xhtml.
