Creating a Security Constraint

Use

Security constraints specify which set of resources is protected by the security role you just created: which URL patterns, and optionally which HTTP methods, a caller must hold that role to access. In addition, you can specify the level of transport layer security (integrity or confidentiality) that is required when accessing this set of resources.

When specifying the security constraints, you need to consider the following:

·  You need to determine the set of resources that are to be protected. For this purpose, you specify a URL pattern.

·  You can also specify which HTTP methods are to be restricted. For example, you can specify that only the HTTP POST method is subject to the security constraint. Note that if you list HTTP methods, only those methods are constrained; any method you do not list remains unprotected for that URL pattern. If you list none, all methods are constrained.

·  You then specify an authorization constraint, which names the security role that a user must be assigned to in order to access this set of resources.

·  You can also specify a transport guarantee (INTEGRAL or CONFIDENTIAL), which requires that the resources are accessed over a protected connection such as HTTPS.

For this tutorial, you will specify that the complete set of resources and all HTTP methods are protected by the security role AccessQuickCarRental. You will not specify any transport layer security.

Prerequisites

The quick car rental application’s Web client project, J2EE_QuickCarRentalWeb, is displayed in the J2EE Explorer.

You have created the security role AccessQuickCarRental.

Procedure

Specifying the Set of Resources to Protect


1.  Open or return to the web.xml file.

2.  Choose the Security tab page.

The Security Constraints section appears.

3.  Select Security Constraints and choose Add.

The default SecurityConstraint appears.

You can rename this constraint; for this tutorial, however, we will use the default name.

4.  Choose the Web Resource Collection tab page.

The Web resources appear.

5.  Expand Web Resource Collections → WebResource.

Two items appear, one for URL patterns and one for HTTP methods, as shown in the preview below.

6.  Select URL patterns and choose Add.

The default URL pattern, the wildcard (*), is assigned to the security constraint. This means that all resources under the application's URL are subject to this security constraint. For this tutorial, we will use the default. Note that the Servlet specification defines /* as the pattern that matches every resource of a Web application; a bare * is not one of the standard pattern forms, so verify how your container interprets it before using it in a deployment descriptor that must be portable.

Also, for this tutorial, you will not specify any HTTP methods for the constraint. This means that every HTTP method is covered, which is the safer choice: listing methods would leave the unlisted ones unprotected.

Your security constraint is specified as shown in the figure below:

Specifying the Authorization Constraint


1.  Continue by choosing the Auth Constraint tab page.

2.  Under Role Names, choose Add.

The Choose role-names dialog appears.

3.  Select the AccessQuickCarRental role and choose OK.

4.  The role is added to the security constraint. Optionally, you can enter a short description for the authorization constraint.

See the figure below:

5.  Save the data.

Result

The security constraint applies to the specified resources: every request to the Web application, regardless of HTTP method, is now only permitted for users assigned to the AccessQuickCarRental role.

The <security-constraint> entries are added to the web.xml file as shown below:

   <security-constraint>
      <display-name>SecurityConstraint</display-name>
      <web-resource-collection>
         <web-resource-name>WebResource</web-resource-name>
         <url-pattern>*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
         <description>This constraint protects access to the quick
            car rental application&apos;s resources.</description>
         <role-name>AccessQuickCarRental</role-name>
      </auth-constraint>
   </security-constraint>
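Which requests a set of security constraints actually covers depends on how the container matches URL patterns and selects constraints. The following script is an added example, not part of this tutorial or of SAP's tooling. It evaluates a constructed web.xml (the tutorial's constraint rewritten with the portable catch-all pattern /*, plus a hypothetical Admin constraint on /admin/* that lists only GET and POST and requires a CONFIDENTIAL transport) against a few constructed requests, following the Servlet specification's rules: the best-matching url-pattern is selected first, and only the constraints on that pattern, for the methods they list, apply to the request.

```python
"""Check which requests a web.xml <security-constraint> set really covers.
Added example, not part of the SAP tutorial: it applies the Servlet spec's
url-pattern matching and constraint-selection rules to a constructed web.xml
(the tutorial's constraint with the portable catch-all /* plus a hypothetical
Admin constraint that lists HTTP methods and demands CONFIDENTIAL transport)."""
import xml.etree.ElementTree as ET

# Constructed descriptor (no XML namespace, so tag names match directly).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AccessQuickCarRental</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def parse_constraints(xml_text):
    """Flatten the descriptor into (pattern, methods, roles, transport) rules;
    methods is empty when no <http-method> is listed, roles is None when
    the constraint has no <auth-constraint>."""
    rules = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None if auth is None else frozenset(
            r.text.strip() for r in auth.findall("role-name"))
        transport = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip()
        for wrc in sc.findall("web-resource-collection"):
            methods = frozenset(m.text.strip().upper()
                                for m in wrc.findall("http-method"))
            for p in wrc.findall("url-pattern"):
                rules.append((p.text.strip(), methods, roles, transport))
    return rules


def best_pattern(patterns, path):
    """The spec's best match for path: exact, then longest path prefix ("/x/*"),
    then extension ("*.ext"), then the default "/". A bare "*" is an exact
    match for a resource literally named "*", not a wildcard."""
    if path in patterns:
        return path
    prefix_hits = [p for p in patterns if p.endswith("/*")
                   and (path == p[:-2] or path.startswith(p[:-2] + "/"))]
    if prefix_hits:
        return max(prefix_hits, key=len)
    for p in patterns:
        if p.startswith("*.") and path.endswith(p[1:]):
            return p
    return "/" if "/" in patterns else None


def evaluate(rules, path, method):
    """Return (roles, transport) for a request, or None if it is unconstrained.
    roles is None when unauthenticated access is allowed, an empty frozenset
    when everyone is denied, otherwise the union of acceptable roles."""
    pattern = best_pattern({r[0] for r in rules}, path)
    if pattern is None:
        return None
    # Only rules on the best-matching pattern count, and a rule that lists
    # methods constrains only those. So DELETE /admin/users passes unchecked:
    # /admin/* beats /*, but its collection covers only GET and POST.
    hits = [r for r in rules
            if r[0] == pattern and (not r[1] or method.upper() in r[1])]
    if not hits:
        return None
    if any(r[2] is None for r in hits):
        roles = None
    elif any(not r[2] for r in hits):
        roles = frozenset()
    else:
        roles = frozenset().union(*(r[2] for r in hits))
    # Combined constraints accept the weakest transport any one of them accepts.
    strength = ("NONE", "INTEGRAL", "CONFIDENTIAL").index
    transport = min((r[3] for r in hits), key=strength)
    return roles, transport


if __name__ == "__main__":
    rules = parse_constraints(WEB_XML)
    for method, path in [("GET", "/rental/index.jsp"), ("GET", "/admin/users"),
                         ("DELETE", "/admin/users")]:  # constructed requests
        print(f"{method:8}{path:22}{evaluate(rules, path, method)}")
```

Running it shows the pitfall behind the considerations at the start of this page: GET /admin/users requires the Administrator role over a confidential connection, but DELETE /admin/users is accepted without any check, because /admin/* is a better match than /* and its collection lists only GET and POST. Leaving the HTTP methods empty, as this tutorial does, avoids the problem; where methods must be listed, cover the remaining ones with a further constraint (or with http-method-omission on Servlet 3.0 and later containers). The best_pattern function also shows why /* rather than a bare * is the portable catch-all: under the specification's rules a bare * only matches a resource literally named "*".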

Next Step:

Protecting Access to the EJB Methods Using J2EE Security Roles