</p><div class="pSmartList1"><ol type="1" class="pSmartList1"><a name="wp298713"> </a><div class="pSmartList1"><li> Choose the Authentication Method.</li></div><a name="wp298714"> </a><p class="pBodyRelative">Authentication refers to the method by which a client verifies the identity of a user to a server. The authentication methods supported in this release are shown below and are discussed in more detail in <a href="Security5.html#wp182253">Using Login Authentication</a>. Select one of the following authentication methods from the Authentication Method list:</p><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp298718"> </a><div class="pSmartList2"><li><code class="cCode">None</code></li></div><a name="wp298719"> </a><div class="pSmartList2"><li><code class="cCode">Basic</code> </li></div><a name="wp298720"> </a><div class="pSmartList2"><li><code class="cCode">Client Certificate</code></li></div><a name="wp298721"> </a><div class="pSmartList2"><li><code class="cCode">Digest</code></li></div><a name="wp298722"> </a><div class="pSmartList2"><li><code class="cCode">Form Based</code> </li></div><a name="wp298723"> </a><p class="pBodyRelative">If you selected <code class="cCode">Basic</code> or <code class="cCode">Digest</code> authentication, click Settings to go to the User Authentication Settings dialog and enter the Realm Name. If you selected <code class="cCode">Form</code> <code class="cCode">Based</code> authentication, click Settings to go to the User Authentication Settings dialog and enter the Realm Name, Login Page, and Error Page. </p></ol></div><a name="wp298724"> </a><div class="pSmartList1"><li>Define a Security Constraint.</li></div><a name="wp298725"> </a><p class="pBodyRelative">In the Security Constraints section of the screen, you can define the security constraints for accessing the content of your WAR file. Click the Add button adjacent to the Security Constraints field to add a security constraint. 
Double-click the cell containing the Security Constraint to change its name. Each Security Constraint consists of: </p><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp298726"> </a><div class="pSmartList2"><li>A Web Resource Collection, which describes a URL pattern and HTTP method pair that refer to resources that need to be protected.</li></div><a name="wp298727"> </a><div class="pSmartList2"><li>An Authorization Constraint, which is a set of roles that are defined to have access to the Web Resource Collection. </li></div><a name="wp298728"> </a><div class="pSmartList2"><li>A User Data Constraint, which defines whether a resource is accessed with confidentiality protection, integrity protection, or no protection.</li></div></ol></div><a name="wp298729"> </a><div class="pSmartList1"><li>Define a Web Resource Collection for this Security Constraint.</li></div><a name="wp298730"> </a><p class="pBodyRelative">With the security constraint selected, click the Add button adjacent to the Web Resource Collections field to add a Web resource collection to the security constraint. A Web Resource Collection is part of a Security Constraint and describes a URL pattern and HTTP method pair that refer to resources that need to be protected. Double-click the cell containing the Web Resource Collection to edit its name.</p><a name="wp298731"> </a><div class="pSmartList1"><li>Edit the contents of the Web Resource Collection by selecting it in the list, then clicking the Edit button. The Edit Contents dialog box displays. 
Use it to add individual files or whole directories to the Web resource collection, to add a URL pattern, or to specify which HTTP methods will be governed by this Web Resource Collection.</li></div><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp298732"> </a><div class="pSmartList2"><li>Select the files and directories that you want to add to the Web Resource Collection (WRC) in the top text field and then click the Add button to add them to the Web Resource Collection.</li></div><a name="wp298733"> </a><div class="pSmartList2"><li>Add URL patterns to the Web Resource Collection by clicking Add URL and entering the URL in the edit field. For example, specify <code class="cCode">/*</code> to protect all resources.</li></div><a name="wp298734"> </a><div class="pSmartList2"><li>Specify which HTTP methods this Web Resource Collection governs. The options are: <code class="cCode">Delete</code>, <code class="cCode">Get</code>, <code class="cCode">Head</code>, <code class="cCode">Options</code>, <code class="cCode">Post</code>, <code class="cCode">Put</code>, and <code class="cCode">Trace</code>. </li></div><a name="wp298735"> </a><div class="pSmartList2"><li>Click OK to return to the Security tabbed pane. The contents of the WRC display in the box beside the Edit button.</li></div></ol></div><a name="wp298736"> </a><div class="pSmartList1"><li>Select the Network Security Requirement for this Security Constraint. 
The choices are <code class="cCode">None</code>, <code class="cCode">Integral</code>, and <code class="cCode">Confidential</code>.</li></div><div class="pSmartList2"><ol type="a" class="pSmartList2"><a name="wp298737"> </a><div class="pSmartList2"><li>Specify <code class="cCode">NONE</code> when the application does not require any transport-level protection for the matched resources.</li></div><a name="wp298738"> </a><div class="pSmartList2"><li>Specify <code class="cCode">CONFIDENTIAL</code> when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission. </li></div><a name="wp298739"> </a><div class="pSmartList2"><li>Specify <code class="cCode">INTEGRAL</code> when the application requires that the data be sent between client and server in such a way that it cannot be changed in transit. </li></div><a name="wp435009"> </a><p class="pBodyRelative">If you specify <code class="cCode">CONFIDENTIAL</code> or <code class="cCode">INTEGRAL</code> as a security constraint, that type of security constraint applies to all requests that match the URL patterns in the Web Resource Collection, not just to the login dialog. For further discussion on Network Security Requirements, see <a href="Security6.html#wp80703">What is Secure Socket Layer Technology?</a>.</p></ol></div><a name="wp435010"> </a><div class="pSmartList1"><li>Select which roles are authorized to access the secure application. In the Authorized Roles pane, click Edit to specify which defined roles are authorized to access this secure application. </li></div><a name="wp298745"> </a><p class="pBodyRelative">Select the role for which you want to authorize access from the list of Roles and click the Add button to add it to the list of Authorized Roles.</p><a name="wp298746"> </a><p class="pBodyRelative">If Roles have not been defined for this application, click the Edit Roles button and add the Roles for this application. 
If you add Roles in this fashion, make sure to select the Security Role Mapping tab and map the roles to the appropriate users and groups. For more information on Role Mapping, see <a href="Security3.html#wp298631">Mapping Roles to Users and Groups</a>.</p><a name="wp298750"> </a><div class="pSmartList1"><li>To add security specifically to a JSP page or to a servlet in the application, select the JSP page or servlet in the <code class="cCode">deploytool</code> tree and select the Security tab. For more information on the options displayed on this page, see <a href="Security5.html#wp298963">Declaring and Linking Role References</a>.</li></div><a name="wp298754"> </a><p class="pBodyRelative">The resulting deployment descriptor can be viewed by selecting the WAR file in the <code class="cCode">deploytool</code> tree and then selecting Descriptor Viewer from the Tools menu.</p></ol></div><a name="wp159100"> </a><h3 class="pHeading2">Specifying a Secure Connection</h3><a name="wp160240"> </a><p class="pBody">When the login authentication method is set to <code class="cCode">BASIC</code> or <code class="cCode">FORM</code>, passwords are not protected, meaning that passwords sent between a client and a server on a non-protected session can be viewed and intercepted by third parties.</p><a name="wp159107"> </a><p class="pBody">To configure HTTP basic or form-based authentication over SSL, specify <code class="cCode">CONFIDENTIAL</code> or <code class="cCode">INTEGRAL</code> as the Network Security Requirement on the WAR's Security page in <code class="cCode">deploytool</code>. Specify <code class="cCode">CONFIDENTIAL</code> when the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission. Specify <code class="cCode">INTEGRAL</code> when the application requires that the data be sent between client and server in such a way that it cannot be changed in transit. 
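</p>
<p class="pBody">The deployment descriptor that the <code class="cCode">deploytool</code> steps above produce can be inspected in the Descriptor Viewer. The following <code class="cCode">web.xml</code> is an added example, not a file from the tutorial or generated by <code class="cCode">deploytool</code>, of such a descriptor: form-based login, one security constraint covering <code class="cCode">/*</code>, and <code class="cCode">CONFIDENTIAL</code> as the Network Security Requirement. The element names are those of the Servlet 2.4 schema; the realm name, the login and error page paths, and the <code class="cCode">customer</code> role are assumed sample values.</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of the descriptor the deploytool Security tab produces.
     Element names follow the Servlet 2.4 schema; realm name, page paths,
     URL pattern and role name are assumed sample values. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Step 1: authentication method. FORM needs a realm name, a login page
       and an error page; BASIC or DIGEST would need only the realm name. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
      <form-login-page>/logon.jsp</form-login-page>
      <form-error-page>/logonError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Steps 2 to 5: one security constraint with its three parts. -->
  <security-constraint>
    <!-- Web Resource Collection: the URL pattern and HTTP methods to protect.
         No http-method element is given, so the constraint covers every
         method; listing only GET and POST would leave the others open. -->
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- Authorization Constraint: the roles allowed to reach the collection. -->
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>

    <!-- User Data Constraint (Network Security Requirement): CONFIDENTIAL
         requires SSL for every request matching /*, not just the login. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 6: the role must also be declared here and then mapped to users
       and groups on the Security Role Mapping tab. -->
  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

<p class="pBody">Leaving out every <code class="cCode">http-method</code> element in the Web resource collection, as above, makes the constraint cover all HTTP methods. Listing only <code class="cCode">Get</code> and <code class="cCode">Post</code> in the Edit Contents dialog would leave the remaining methods reachable without authentication, so the method selection deserves the same attention as the URL pattern. 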
</p><a name="wp159109"> </a><p class="pBody">If you specify <code class="cCode">CONFIDENTIAL</code> or <code class="cCode">INTEGRAL</code> as a security constraint, that type of security constraint applies to all requests that match the URL patterns in the Web resource collection, not just to the login dialog.</p><a name="wp160252"> </a><p class="pBody">If the default configuration of your server does not support SSL, you must configure it with an SSL connector to make this work. By default, the J2EE 1.4 Application Server is configured with an SSL Connector. To set up an SSL connector on other servers, see <a href="Security6.html#wp80702">Installing and Configuring SSL Support</a>.</p><hr><a name="wp159110"> </a><p class="pNote">Note: <span style="font-weight: bold">Good Security Practice</span>: If you are using sessions, once you switch to SSL you should never accept any further requests for that session that are non-SSL. For example, a shopping site might not use SSL until the checkout page, then it may switch to using SSL in order to accept your card number. After switching to SSL, you should stop listening to non-SSL requests for this session. The reason for this practice is that the session ID itself was non-encrypted on the earlier communications, which is not so bad when you're just doing your shopping, but once the credit card information is stored in the session, you don't want a bad guy trying to fake the purchase transaction against your credit card. 
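The filter below is an added example, not code from the tutorial, of that rule: it marks a session the first time it is used over SSL and refuses any later plain-HTTP request that presents that session. The class, package and session attribute names are assumed; the calls are the standard Servlet 2.4 <code class="cCode">Filter</code>, <code class="cCode">HttpServletRequest</code> and <code class="cCode">HttpSession</code> methods.</p>

```java
// Added example (not part of the tutorial): a filter enforcing the rule
// "no plain-HTTP requests for a session once it has been used over SSL".
package example;                         // hypothetical package name

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SslOnlySessionFilter implements Filter {

    // Hypothetical attribute name: present on a session once it has been
    // used over SSL (and may therefore hold sensitive data).
    private static final String SEEN_SSL = "example.sslSession";

    public void init(FilterConfig config) throws ServletException {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // "false": do not create a session just to inspect the request.
        HttpSession session = request.getSession(false);

        if (!request.isSecure()
                && session != null
                && session.getAttribute(SEEN_SSL) != null) {
            // The session ID travelled unencrypted in earlier requests and
            // could have been observed; refuse to serve this session over
            // plain HTTP now that it has been used on an SSL connection.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session may only be used over SSL");
            return;
        }

        if (request.isSecure()) {
            markSslSession(request);     // session that already existed
        }
        chain.doFilter(req, res);
        if (request.isSecure()) {
            markSslSession(request);     // session created by the servlet/JSP
        }
    }

    // Flag the current session, if there is one, as having been used over SSL.
    private static void markSslSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return;
        }
        try {
            session.setAttribute(SEEN_SSL, Boolean.TRUE);
        } catch (IllegalStateException invalidated) {
            // The session was invalidated during this request (e.g. logout);
            // there is nothing left to mark.
        }
    }

    public void destroy() {
    }
}
```

<p class="pNote">Map the filter in <code class="cCode">web.xml</code> with a <code class="cCode">filter-mapping</code> whose <code class="cCode">url-pattern</code> is <code class="cCode">/*</code>, so that it runs ahead of every servlet and JSP page and sees both the SSL and the non-SSL requests; the servlets and JSP pages themselves need no change. 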
This practice could be easily implemented using a filter.</p><hr> </blockquote>
<p><font size="-1">All of the material in <em>The J2EE(TM) 1.4 Tutorial</em> is <a href="J2EETutorialFront2.html">copyright</a>-protected and may not be published in other works without express written permission from Sun Microsystems.</font></p>
</body></html>