secured—that is, what roles can view secured resources. The servlet container takes care of the rest.

Web-tier security is configured using the login-config and security-constraint elements of the web.xml file. The following listing shows how the administrative pages within the ActionBazaar application are secured.

Listing 6.5. Sample web.xml elements to secure order cancelling and other functionality

This listing specifies how the web container should gather and validate authentication. In this case, a custom form for authentication is used, so authentication is set to FORM. With form-based authentication, you supply a custom login form as well as a custom error form. There are two other options: BASIC and CLIENT-CERT. With BASIC, the web browser will display a generic dialog prompting for a username and password. CLIENT-CERT is an advanced form of authentication that bypasses username/password prompts altogether. In this scheme, the client sends a public-key certificate stored in the client browser to the web server using Secure Sockets Layer (SSL) and the server authenticates the contents of the certificate. The JAAS provider then validates the credentials.
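The following web.xml fragment is an added example of the two elements described above; it is not the book's Listing 6.5 and not ActionBazaar's own configuration. The URL patterns, the role name ADMIN, the realm name and the login/error page names are assumptions chosen for illustration. It also adds a user-data-constraint so the form credentials travel only over SSL, which the text mentions for CLIENT-CERT but which is equally advisable for FORM and BASIC logins.

```xml
<!-- Added example, not from the book. Role, URL patterns and page names are hypothetical. -->

<!-- 1. Which resources are protected and who may reach them -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrative pages</web-resource-name>
    <!-- Every request under /admin/ is covered -->
    <url-pattern>/admin/*</url-pattern>
    <!-- Deliberately no <http-method> elements: listing only GET and POST
         would leave other verbs (HEAD, PUT, DELETE, ...) unconstrained.
         Omitting the element constrains all methods. -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Only authenticated users in the ADMIN role (hypothetical name) -->
    <role-name>ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL forces the container to redirect to HTTPS, so the
         submitted username/password are never sent in the clear -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2. How the container collects credentials: a custom form here.
     BASIC or CLIENT-CERT could replace FORM (without form-login-config). -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>ActionBazaarRealm</realm-name>   <!-- hypothetical realm name -->
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>   <!-- hypothetical page -->
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>

<!-- 3. Declare every role referenced in an auth-constraint -->
<security-role>
  <role-name>ADMIN</role-name>
</security-role>
```

The login page itself must post to the container's reserved action j_security_check with fields j_username and j_password; the container, not the application, compares them against the configured realm. Note that an auth-constraint with no role-name at all denies access to everyone, while omitting the auth-constraint element entirely grants access to everyone, so a quick review of each constraint's auth-constraint is a cheap way to catch accidentally public admin paths.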