Tomcat Security-Constraint

Friday, 29 April 2011 09:29

Tomcat Security Constraint tutorial

Security constraint

Security constraints are among the least understood features for developers, even though they are critical to the security of your J2EE web applications. Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via a security constraint will be allowed by the web container.

Security constraints consist of Web Resource Collections (URL patterns, HTTP methods), Authorization Constraints (role names) and User Data Constraints (whether the web request needs to be received over a protected transport such as TLS).

Unchecked access

We would like to define a set of web resources that will have public or unchecked access. We will achieve this by omitting the authorization constraints (the auth-constraint element).

    <security-constraint>
        <display-name>Public pages restriction</display-name>
        <web-resource-collection>
            <web-resource-name>Public pages</web-resource-name>
            <url-pattern>/public/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

Restricted access

A set of web resources should be accessible only to a user with the role "member". We will achieve this by specifying authorization constraints (the auth-constraint element with a role-name element).

    <security-constraint>
        <display-name>Protected pages restriction</display-name>
        <web-resource-collection>
            <web-resource-name>Main pages</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>member</role-name>
        </auth-constraint>
    </security-constraint>
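To make the "unspecified means allowed" rule from the introduction concrete for both configurations above, here is an added Python audit script (not from this tutorial) that parses a constructed web.xml and reports, for a given path and HTTP method, whether the container would let the request through unchecked, deny it, or require one of the listed roles. It applies the Servlet specification's combination rules: the best-matching url-pattern wins, a method not listed in that pattern's http-method elements is unconstrained, a missing auth-constraint means unchecked access, and an empty auth-constraint denies everyone.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not the tutorial's file): its two constraints, plus an
# admin area that lists only GET/POST and an internal area with an EMPTY auth-constraint.
WEB_XML = """<web-app>
 <security-constraint><web-resource-collection><web-resource-name>Public</web-resource-name>
  <url-pattern>/public/*</url-pattern></web-resource-collection></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Main</web-resource-name>
  <url-pattern>/protected/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>member</role-name></auth-constraint></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Admin</web-resource-name>
  <url-pattern>/admin/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection><auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
 <security-constraint><web-resource-collection><web-resource-name>Internal</web-resource-name>
  <url-pattern>/internal/*</url-pattern></web-resource-collection><auth-constraint/></security-constraint>
</web-app>"""

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip an XML namespace if the descriptor declares one

def load_constraints(xml_text):
    """Return one (url-patterns, http-methods, roles) tuple per web-resource-collection."""
    out = []
    for sc in ET.fromstring(xml_text):
        if _local(sc.tag) != "security-constraint": continue
        roles = None  # None: no auth-constraint (unchecked); set(): empty auth-constraint (deny all)
        for ac in sc:
            if _local(ac.tag) == "auth-constraint":
                roles = {r.text.strip() for r in ac if _local(r.tag) == "role-name"}
        for wrc in sc:
            if _local(wrc.tag) == "web-resource-collection":
                pats = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
                meths = {e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"}
                out.append((pats, meths, roles))
    return out

def _match(pattern, path):  # lower tuple = better match (exact > longest prefix > extension > default)
    if pattern == path: return (0, 0)
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (1, -len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]): return (2, 0)
    if pattern == "/": return (3, 0)
    return None

def decide(constraints, path, method):
    """'unchecked' (container lets it through), 'denied', or the sorted list of permitted roles."""
    scored = [(_match(p, path), m, r) for pats, m, r in constraints for p in pats if _match(p, path)]
    if not scored: return "unchecked"
    best = min(s[0] for s in scored)
    covering = [r for s, m, r in scored if s == best and (not m or method.upper() in m)]
    if not covering or None in covering: return "unchecked"  # uncovered method, or no auth-constraint
    if set() in covering: return "denied"                    # empty auth-constraint denies everyone
    return sorted(set().union(*covering))
```

Run `decide(load_constraints(WEB_XML), "/admin/users", "DELETE")` to see the classic pitfall: the admin area requires the admin role for GET and POST, but DELETE is unconstrained because it was never listed.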

Tomcat Authentication

A web container can authenticate a web client or user using either

  • HTTP BASIC;
  • HTTP DIGEST;
  • HTTPS CLIENT;
  • or FORM-based authentication schemes.

For example, to use the browser's built-in authentication mechanism, HTTP BASIC as defined in the HTTP 1.0 specification, the login-config element in web.xml would look like the following:

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultRealm</realm-name>
    </login-config>
