Security Constraint Policy

A security constraint associates authorization and/or user data constraints with HTTP operations on web resources. A Security Constraint policy allows you to set security constraints on one or more web resource collections.

A security constraint, which is represented by security-constraint in the deployment descriptor, consists of two main elements:
  • Web resource collection. The HTTP operations and web resources to which a security constraint applies (i.e., the constrained requests) are identified by one or more web resource collections (web-resource-collection in the deployment descriptor). A web resource collection consists of URL patterns (url-pattern in the deployment descriptor) and HTTP methods (http-method in the deployment descriptor).
  • Authorization constraint. An authorization constraint (auth-constraint in the deployment descriptor) establishes a requirement for authentication and names the authorization roles permitted to perform the constrained requests. A user must be a member of at least one of the named roles to be permitted to perform the constrained requests. An authorization constraint consists of role name elements (role-name in the deployment descriptor).
Note: The special role name “*” is a shorthand for all role names defined, while an authorization constraint that names no roles indicates that access to the constrained requests is not permitted under any circumstances.
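The role rules above, applied to a small descriptor, as an added example that is not part of the original page or of any product's code. The descriptor fragment, the resource names, the URL patterns and the helpers load and permitted are all constructed for illustration; the fragment omits the XML namespace a real deployment descriptor declares.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor fragment (XML namespace omitted to keep paths short).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>members</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>*</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>retired</web-resource-name>
      <url-pattern>/old/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role><security-role><role-name>user</role-name></security-role>
</web-app>"""

def load(xml_text):
    root = ET.fromstring(xml_text)
    defined = {r.text for r in root.findall("security-role/role-name")}
    out = {}
    for sc in root.findall("security-constraint"):
        wrc, auth = sc.find("web-resource-collection"), sc.find("auth-constraint")
        out[wrc.findtext("web-resource-name")] = {
            "patterns": [u.text for u in wrc.findall("url-pattern")],
            "methods": [m.text for m in wrc.findall("http-method")],
            "roles": None if auth is None else {r.text for r in auth.findall("role-name")},
        }
    return out, defined

def permitted(constraint, user_roles, defined):
    roles = constraint["roles"]
    if roles is None:        # no auth-constraint element: no role requirement to apply
        return True
    if "*" in roles:         # shorthand for every role name defined in the descriptor
        roles = defined
    return bool(roles & set(user_roles))  # no roles named: never permitted
```

The check covers a single constraint that has already been matched to a request; it does not match URL patterns or combine several constraints that apply to the same request.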