Java Enterprise in a Nutshell, Third Edition by William Crawford, Jim Farley

Web Component Security

J2EE provides comprehensive support for security in the web tier including transport-level security with SSL as well as authentication and authorization for application-level security. These security services are provided as both declarative security features (configured through web.xml deployment descriptor elements) and programmatic security calls integrated with the Servlet and JSP APIs.

Web-Tier Transport-Level Security

The web tier provides fine-grained control over transport-level security. There are three modes of transport-level security: NONE, INTEGRAL, and CONFIDENTIAL. NONE, as the name implies, means no transport-level security; all information is sent in the clear. This is the default mode. INTEGRAL means that the client and the server cooperate to ensure that content is not changed in transit. CONFIDENTIAL means that the client and server keep the content secret as it is transported over the wire. INTEGRAL and CONFIDENTIAL imply using SSL to communicate between the clients (typically browsers) and the server. Such transport-level security is also known as one-way SSL. You specify the transport-level security constraints in the web.xml deployment descriptor as part of the <security-constraint> elements as depicted in Figure 10-1.

The <security-constraint> element uses the <web-resource-collection> element to specify the subset of the application that is the target of the constraint. The <web-resource-collection> element also supports specification ...
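An added example, not from the book: a Python check that reads a web.xml deployment descriptor and lists each constrained URL pattern with its transport guarantee, treating a missing <transport-guarantee> as the default NONE described above. The sample descriptor, its URL patterns and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: /admin/* requires SSL, /public/* declares no guarantee.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

VALID = {"NONE", "INTEGRAL", "CONFIDENTIAL"}

def local(tag):
    """Strip an XML namespace so the same code reads any descriptor version."""
    return tag.rsplit("}", 1)[-1]

def transport_guarantees(web_xml):
    """Return [(url_pattern, guarantee)] for every constrained URL pattern."""
    results = []
    for sc in ET.fromstring(web_xml).iter():
        if local(sc.tag) != "security-constraint":
            continue
        guarantee = "NONE"  # default when no <transport-guarantee> is declared
        patterns = []
        for el in sc.iter():
            name, text = local(el.tag), (el.text or "").strip()
            if name == "transport-guarantee":
                guarantee = text.upper()
            elif name == "url-pattern":
                patterns.append(text)
        if guarantee not in VALID:
            raise ValueError("unknown transport guarantee: " + guarantee)
        results.extend((p, guarantee) for p in patterns)
    return results

def cleartext_patterns(web_xml):
    """URL patterns whose constraint allows content to travel in the clear."""
    return [p for p, g in transport_guarantees(web_xml) if g == "NONE"]
```

The check covers only resources that appear in a <security-constraint>; paths with no constraint at all are not listed and also carry no transport guarantee.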
