Security Constraint Policy
A security constraint associates authorization and user data constraints with HTTP operations on web resources. A Security Constraint policy allows you to set security constraints on one or more web resource collections.
A security constraint, which is represented by security-constraint in the deployment descriptor, consists of two main elements:
- Web resource collection: The HTTP operations and web resources to which a security constraint applies (that is, the constrained requests) are identified by one or more web resource collections (web-resource-collection in the deployment descriptor). A web resource collection consists of URL patterns (url-pattern in the deployment descriptor) and HTTP methods (http-method in the deployment descriptor).
- Authorization constraint: An authorization constraint (auth-constraint in the deployment descriptor) establishes a requirement for authentication, and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. An authorization constraint consists of the role name element (role-name in the deployment descriptor).
Note: The special role name “*” is a shorthand for all role names defined,
while an authorization constraint that names no roles indicates that access to
the constrained requests is not permitted under any circumstances.
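The following added example (not part of the original documentation) parses a constructed deployment descriptor fragment and reports, for each security-constraint, which requests it covers and what its auth-constraint means. The URL patterns and the role name administrator are made up, the fragment is trimmed to the elements discussed above, and summarize is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed fragment: namespace and other descriptor elements omitted,
# URL patterns and role names are made up for illustration.
SAMPLE = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

def summarize(xml_text):
    """Return (url_patterns, http_methods, access) for each security-constraint."""
    rows = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [e.text.strip() for e in sc.iter("url-pattern")]
        methods = [e.text.strip() for e in sc.iter("http-method")]
        auth = sc.find("auth-constraint")
        # "is None" matters: an empty <auth-constraint/> element is falsy
        # in ElementTree, but it is present and means something different.
        if auth is None:
            access = "no auth-constraint"
        else:
            roles = [e.text.strip() for e in auth.iter("role-name")]
            if not roles:
                access = "deny all"          # names no roles: never permitted
            elif "*" in roles:
                access = "any defined role"  # "*" is shorthand for all roles
            else:
                access = "roles: " + ", ".join(roles)
        rows.append((patterns, methods, access))
    return rows

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
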