<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <meta http-equiv="Content-Style-Type" content="text/css" /> <title>Web-Tier Security</title> <link rel="StyleSheet" href="document.css" type="text/css" media="all" /> <link rel="StyleSheet" href="catalog.css" type="text/css" media="all" /> <link rel="Table of Contents" href="J2EETutorialTOC.html" /> <link rel="Previous" href="Security3.html" /> <link rel="Next" href="Security5.html" /> <link rel="Index" href="J2EETutorialIX.html" /> </head> <body> <table width="550" summary="layout" id="SummaryNotReq1"> <tr> <td align="left" valign="center"> <font size="-1"> <a href="http://java.sun.com/j2ee/1.4/download.html#tutorial" target="_blank">Download</a> <br> <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/faq.html" target="_blank">FAQ</a> <br> <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/history.html" target="_blank">History</a> </td> <td align="center" valign="center"><a accesskey="p" href="Security3.html"><img id="LongDescNotReq1" src="images/PrevArrow.gif" width="26" height="26" border="0" alt="Prev" /></a><a accesskey="c" href="J2EETutorialFront.html"><img id="LongDescNotReq1" src="images/UpArrow.gif" width="26" height="26" border="0" alt="Home" /></a><a accesskey="n" href="Security5.html"><img id="LongDescNotReq3" src="images/NextArrow.gif" width="26" height="26" border="0" alt="Next" /></a><a accesskey="i" href="J2EETutorialIX.html"></a> </td> <td align="right" valign="center"> <font size="-1"> <a href="http://java.sun.com/j2ee/1.4/docs/api/index.html" target="_blank">API</a> <br> <a href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/search.html" target="_blank">Search</a> <br> <a 
href="http://java.sun.com/j2ee/1.4/docs/tutorial/information/sendusmail.html" target="_blank">Feedback</a></font> </font> </td> </tr> </table> <img src="images/blueline.gif" width="550" height="8" ALIGN="BOTTOM" NATURALSIZEFLAG="3" ALT="Divider" /> <blockquote><a name="wp299872"> </a><h2 class="pHeading1">Web-Tier Security</h2><a name="wp298648"> </a><p class="pBody">Security in a Web application is configured in the Web application deployment descriptor using <code class="cCode">deploytool</code>. When the settings are entered in <code class="cCode">deploytool</code>, they are saved to the deployment descriptor contained in the WAR. To view the generated deployment descriptor, choose Descriptor Viewer from <code class="cCode">deploytool</code>'s Tools menu. For more information on deployment descriptors, see Chapter <a href="WebApp.html#wp83291">3</a>. </p><a name="wp468173"> </a><p class="pBody">After a WAR is created, select the Security tabbed pane to configure its security elements. See <a href="Security4.html#wp298711">Setting Security Requirements Using deploytool</a> for more information on using <code class="cCode">deploytool</code> to accomplish these tasks:</p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp298652"> </a><div class="pSmartList1"><li>User Authentication Method</li></div><a name="wp298653"> </a><p class="pBodyRelative">The User Authentication Method box on the Security tab of <code class="cCode">deploytool</code> enables you to specify how the user is prompted to log in. If specified, the user must be authenticated before they can access any resource that is constrained by a Security Constraint. 
The User Authentication Method is discussed in <a href="Security5.html#wp182253">Using Login Authentication</a>.</p><a name="wp298657"> </a><div class="pSmartList1"><li>Security Constraints</li></div><a name="wp298658"> </a><p class="pBodyRelative">A Security Constraint is used to define the access privileges to a collection of resources using their URL mapping. Security constraints are discussed in <a href="Security4.html#wp298689">Protecting Web Resources</a>.</p><a name="wp298662"> </a><div class="pSmartList1"><li>Web Resource Collections</li></div><a name="wp298663"> </a><p class="pBodyRelative">A Web Resource Collection is part of a security constraint and describes the URL patterns and HTTP methods that identify the resources that need to be protected. Web Resource Collections are discussed in <a href="Security4.html#wp298689">Protecting Web Resources</a>.</p><a name="wp298667"> </a><div class="pSmartList1"><li>Network Security Requirement</li></div><a name="wp304656"> </a><p class="pBodyRelative">The Network Security Requirement is used to configure HTTP basic or form-based authentication over SSL. Select a Network Security Requirement for each Security Constraint. Network Security Requirements are discussed in <a href="Security6.html#wp80703">What is Secure Socket Layer Technology?</a>.</p><a name="wp298672"> </a><div class="pSmartList1"><li>Authorized Roles</li></div><a name="wp298673"> </a><p class="pBodyRelative">The Authorized Roles section is used to specify which of the roles defined for an application are authorized to access this Web Resource Collection. The roles defined for the application must be mapped to users and groups defined on the server. 
Authorized roles are discussed in <a href="Security3.html#wp79740">Setting up Security Roles</a>.</p></ul></div><a name="wp298677"> </a><p class="pBody">These elements of the deployment descriptor may be entered directly into the <code class="cCode">web.xml</code> file, or created using an application deployment tool, such as <code class="cCode">deploytool</code>. This document describes creating the deployment descriptor using <code class="cCode">deploytool</code>.</p><a name="wp298678"> </a><p class="pBody">Some elements of Web application security need to be addressed in the deployment descriptor for the Web server, rather than the deployment descriptor for the Web application. This information is discussed in <a href="Security6.html#wp80702">Installing and Configuring SSL Support</a>, <a href="Security5.html#wp298957">Using Programmatic Security in the Web Tier</a>, and <a href="Security3.html#wp79740">Setting up Security Roles</a>.</p><a name="wp298689"> </a><h3 class="pHeading2">Protecting Web Resources</h3><a name="wp80586"> </a><p class="pBody">You protect Web resources by specifying a security constraint. A <em class="cEmphasis">security constraint</em> determines who is authorized to access a <span style="font-style: italic">Web resource collection</span>, which is a list of URL patterns and HTTP methods that describe a set of resources to be protected. Security constraints are defined using an application deployment tool, such as <code class="cCode">deploytool</code>, as discussed in <a href="Security4.html#wp298711">Setting Security Requirements Using deploytool</a> or in a deployment descriptor. </p><a name="wp80591"> </a><p class="pBody">If you try to access a protected Web resource as an unauthenticated user, the Web container will try to authenticate you. The container will only accept the request after you have proven your identity to the container and have been granted permission to access the resource. 
</p><a name="wp80592"> </a><p class="pBody">Security constraints only work on the original request URI, not on calls made via a <code class="cCode">RequestDispatcher</code> (which include <code class="cCode">&lt;jsp:include&gt;</code> and <code class="cCode">&lt;jsp:forward&gt;</code>). Inside the application, it is assumed that the application itself has complete access to all resources and would not forward a user request unless it had decided that the requesting user had access also.</p><a name="wp148159"> </a><p class="pBody">Many applications feature unprotected Web content, which any caller can access without authentication. In the Web tier, unrestricted access is provided simply by not configuring a security constraint for that particular request URI. It is common to have some unprotected resources and some protected resources. In this case, you will have security constraints and a login method defined, but it will not be used to control access to the unprotected resources. The user won't be asked to log on until the first time they enter a protected request URI.</p><a name="wp148160"> </a><p class="pBody">In the Java Servlet Specification, the request URI is the part of a URL <em class="cEmphasis">after</em> the host name and port. For example, let's say you have an e-commerce site with a browsable catalog you would want anyone to be able to access and a shopping cart area for customers only. You could set up the paths for your Web application so that the pattern <code class="cCode">/cart/*</code> is protected, but nothing else is protected. 
Assuming the application is installed at context path <code class="cCode">/myapp</code>, </p><div class="pSmartList1"><ul class="pSmartList1"><a name="wp148161"> </a><div class="pSmartList1"><li><code class="cCode">http://localhost:8080/myapp/index.jsp</code> is <em class="cEmphasis">not</em> protected</li></div><a name="wp148162"> </a><div class="pSmartList1"><li><code class="cCode">http://localhost:8080/myapp/cart/index.jsp</code> <em class="cEmphasis">is</em> protected</li></div></ul></div><a name="wp148163"> </a><p class="pBody">A user will not be prompted to log in until the first time that user accesses a resource in the <code class="cCode">cart/</code> subdirectory.</p><a name="wp298704"> </a><p class="pBody">To set up a security constraint, see the section <a href="Security4.html#wp298711">Setting Security Requirements Using deploytool</a>.</p><a name="wp298711"> </a><h4 class="pHeading3">Setting Security Requirements Using deploytool</h4><a name="wp298712"> </a><p class="pBody">To set security requirements for a WAR, select the WAR in the <code class="cCode">deploytool</code> tree, then select the Security tabbed pane. In the Security tabbed pane, you can define how users are authenticated to the server and which users have access to particular resources.
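As an added example that is not part of the tutorial, the following web.xml fragment expresses the /cart/* rule above directly in the deployment descriptor, which is what deploytool writes into the WAR when the Security tab is filled in: one security constraint (Web resource collection, authorized role, network security requirement) plus the login configuration and role declaration. The role name customer and the login page paths are assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example for a J2EE 1.4 (Servlet 2.4) Web application.
     Not from the tutorial; the role "customer" and the JSP paths are assumed. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Security Constraint: applies to the original request URI only, so a
       forward or include from unprotected code into /cart/* is not checked here. -->
  <security-constraint>
    <!-- Web Resource Collection: which URL patterns and HTTP methods are covered. -->
    <web-resource-collection>
      <web-resource-name>Shopping cart</web-resource-name>
      <url-pattern>/cart/*</url-pattern>
      <!-- No <http-method> elements on purpose: the constraint then covers every
           method. Listing only GET and POST would leave HEAD, PUT, DELETE, etc.
           outside the constraint for these URLs. -->
    </web-resource-collection>
    <!-- Authorized Roles: only authenticated users mapped to this role get in. -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <!-- Network Security Requirement: CONFIDENTIAL requires SSL for these URIs. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- User Authentication Method: form-based login. The user is not prompted
       until the first request for a constrained URI such as /cart/index.jsp. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Declares the role; deploytool maps it to server users and groups. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Everything outside /cart/* (for example /index.jsp) matches no constraint and stays unprotected, exactly as in the list above.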