Specifying an Authentication Mechanism in the Deployment Descriptor

In this section, you will learn how to specify an authentication mechanism in the deployment descriptor.


Types of Security in Java EE

In a multitier enterprise application, several containers are needed to deploy the various components of the enterprise tiers. These containers also provide security for those components. The container provides two types of security:

  • Declarative security  
    Uses the deployment descriptor (web.xml) or annotations to define the security requirements of the application's components.

  • Programmatic security
    Employed when declarative security is not expressive enough to capture the application's security model.

Authentication Mechanism in the Deployment Descriptor

In declarative security, the security requirements of the application's components are defined in the deployment descriptor (web.xml).

The <login-config> element defines the authentication mechanism. Its sub-elements are given below:

  • <auth-method> sets up the authentication mechanism for the web application. It can have one of the following values: NONE, BASIC, DIGEST, FORM, or CLIENT-CERT.
  • <realm-name> defines the realm name that is used when the basic authentication scheme is selected for the web application.
  • <form-login-config> defines the login and error pages that are used when form-based login is employed.

Security Roles

You can declare all the roles used in the application with the <security-role> element of the deployment descriptor, whereas the <auth-constraint> element specifies which of these roles are authorized to access the protected resources.

EXAMPLE

You can declare form-based authentication and security roles in your deployment descriptor as follows:

web.xml

<web-app>
	<!-- Protect everything under /auth/ ; only the listed roles may reach it -->
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>User Auth</web-resource-name>
			<url-pattern>/auth/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
			<role-name>manager</role-name>
		</auth-constraint>
	</security-constraint>
	
	<!-- Form-based login; the page paths must start with "/" and are
	     resolved relative to the root of the web application -->
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>User Auth</realm-name>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/error.jsp</form-error-page>
		</form-login-config>
	</login-config> 
	
	<!-- Every role referenced in an <auth-constraint> must be declared here -->
	<security-role>
		<role-name>admin</role-name>
	</security-role>
	<security-role>
		<role-name>manager</role-name>
	</security-role>
</web-app>
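The login.jsp that <form-login-page> above points at, as an added example that is not part of the original page. The form's action and field names (j_security_check, j_username, j_password) are fixed by the Servlet specification and are what the container looks for; the rest of the page is free-form.

```jsp
<%@ page contentType="text/html;charset=UTF-8" session="true" %>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <h1>Please log in</h1>
  <%-- The action and both field names are defined by the Servlet specification.
       The container, not application code, intercepts the POST to
       j_security_check, checks j_username / j_password against the realm,
       and then replays the originally requested /auth/* URL. On failure it
       shows the <form-error-page> from web.xml (/error.jsp above). --%>
  <form method="POST" action="j_security_check">
    <label for="j_username">User name</label>
    <input type="text" id="j_username" name="j_username"
           autocomplete="username" required>

    <label for="j_password">Password</label>
    <input type="password" id="j_password" name="j_password"
           autocomplete="current-password" required>

    <button type="submit">Log in</button>
  </form>
</body>
</html>
```

The credentials travel in the POST body, so the protected URLs should be reachable only over TLS, which the same <security-constraint> can require with a <user-data-constraint> whose <transport-guarantee> is CONFIDENTIAL.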