Specifying security criteria in web.xml

You can specify security criteria in the deployment descriptor of your deployed project (web.xml) in two ways:
  • Using the Security Editor
  • Editing web.xml directly

The Security Editor is used in this example because it provides an easy way to specify and view security criteria.

Using the Security Editor

You can use the Security Editor to define the following things in web.xml:
  • Security roles
  • Security constraints
  • Authentication method

From the Project Explorer in the EGL Rich UI perspective, open the Security Editor by double-clicking on the Security Editor icon of your deployed project.

Defining security roles

In JEE role-based security, users must be assigned roles to access resources. Roles are mapped to actual user registry entries.
  • In the Create a Security Role dialog, click OK.
  • In the Add Roles window, type user as the role name and click Add.
  • Click Finish.

Defining security constraints

To specify the resources that are protected and the roles that have access to the resources, define a security constraint.
  1. In the Resources pane, expand the folder with your project name, Servlets, EGLRichUIProxy, and Servlet Mappings. Under Servlet Mappings, you should see /___proxy.
  2. To secure the proxy and allow anyone in the user role to access the proxy, drag the user role from the Security Roles pane to /___proxy in the Resources pane.
  3. To see the security constraints, in the Resources pane, right-click /___proxy (user) and click Assign Roles. In the Select Roles window, select user and click Advanced>>>. You should see the userConstraint security constraint that is mapped to user, which specifies how the /___proxy secure resource can be accessed. The userConstraint security constraint contains the default HTTP method access (GET, PUT, HEAD, TRACE, POST, DELETE, OPTIONS). Click OK. To change the defaults for your security constraints, in the Security Editor, click Security Preferences.

Selecting an authentication method

To specify an authentication method:
  1. Click Authentication.
  2. For the authentication method, click BASIC.
  3. To name the example, type Sample registry.
  4. Click OK.
  5. Save your changes and close the Security Editor.

Defining a user data constraint

A user data constraint specifies how data is protected while it is in transit between a client and a server. If you do not want to use the default user data constraint (NONE), you must specify the user data constraint directly in web.xml, because that setting is not available from the Security Editor.

You can set a user data constraint to a value of NONE, INTEGRAL, or CONFIDENTIAL. An INTEGRAL value guarantees content integrity, preventing tampering with messages in transit between a client and server. A CONFIDENTIAL value guarantees confidentiality, preventing others from reading the data during the transfer. If you use a value of INTEGRAL or CONFIDENTIAL, requests must be submitted over SSL.

To specify a user data constraint in the web.xml:
  • From the EGL Rich UI perspective, open the deployment descriptor of your deployed project by double-clicking on the deployment descriptor.
  • Select the Security tab.
  • Under Security Constraints, click userConstraint.
  • To require that requests be submitted over SSL, under User Data Constraint, select INTEGRAL or CONFIDENTIAL.
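As an added example (not from the original page or the product), the kind of web.xml that the Security Editor steps and the user data constraint step above produce, read by a small Python audit that lists each security constraint's URL patterns, roles and transport guarantee and flags the NONE default. The web.xml fragment is constructed, and the BASIC-over-plain-HTTP and listed-HTTP-method checks are this example's own additions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (an assumption, not text copied from the Security
# Editor) reflecting this page's steps: role "user", userConstraint on /___proxy,
# BASIC authentication with realm "Sample registry", default guarantee NONE.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-role><role-name>user</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>userConstraint</web-resource-name>
      <url-pattern>/___proxy</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Sample registry</realm-name></login-config>
</web-app>"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def audit_constraints(web_xml):
    """One dict per security-constraint: name, patterns, roles, guarantee, issues."""
    root = ET.fromstring(web_xml)
    auth = root.findtext("j:login-config/j:auth-method", default="", namespaces=NS)
    findings = []
    for sc in root.findall("j:security-constraint", NS):
        wrc = sc.find("j:web-resource-collection", NS)
        name = wrc.findtext("j:web-resource-name", default="", namespaces=NS)
        patterns = [p.text for p in wrc.findall("j:url-pattern", NS)]
        methods = [m.text for m in wrc.findall("j:http-method", NS)]
        roles = [r.text for r in sc.findall("j:auth-constraint/j:role-name", NS)]
        # A missing user-data-constraint means the page's default, NONE.
        guarantee = sc.findtext("j:user-data-constraint/j:transport-guarantee", default="NONE", namespaces=NS)
        issues = []
        if guarantee == "NONE":
            issues.append("SSL not required (transport-guarantee NONE or absent)")
            if auth == "BASIC":
                issues.append("BASIC credentials would be sent over plain HTTP")
        if methods:
            # Listing http-method elements constrains only those methods.
            issues.append("only %s constrained; omit the list to cover all methods" % ",".join(methods))
        findings.append({"name": name, "patterns": patterns, "roles": roles,
                         "guarantee": guarantee, "issues": issues})
    return findings
```

Changing the transport guarantee to INTEGRAL or CONFIDENTIAL, as the procedure above does, clears the SSL findings; the remaining note about listed methods disappears once the http-method elements are removed.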
