The Java(TM) Servlet API Specification describes the configuration of a web application context. The web.xml file is the deployment descriptor. Inside this deployment descriptor you describe the Servlets, Filters, MIME types and so on that the application uses. Furthermore you can configure security features such as HTTP authentication methods or SSL contexts. Via the <security-role> element you declare the possible user roles. Inside a Tomcat container you additionally have to add these roles and the users assigned to them in the tomcat-users.xml file. The <security-constraint> element specifies the secured URLs and whether SSL is required. The <login-config> element specifies the realm and the authentication method (BASIC or DIGEST).
<security-role>
    <role-name>admin</role-name>
</security-role>
<security-role>
    <role-name>editor</role-name>
</security-role>
<!-- Define a constraint to restrict access to /cms/* -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CMS Area</web-resource-name>
        <url-pattern>/cms/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <!-- Only CMS admins and editors can access these URLs -->
        <role-name>admin</role-name>
        <role-name>editor</role-name>
    </auth-constraint>
    <user-data-constraint>
        <!-- All access to this area will be SSL protected -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<!-- This application uses DIGEST authentication -->
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>Admin or Editor Login</realm-name>
</login-config>
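The matching tomcat-users.xml for the roles declared above, as an added example that is not part of the original post; the user names and passwords are constructed placeholders, and the file follows the format read by Tomcat's default user database realm.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml: constructed example matching the web.xml above.
     Role names must be spelled exactly as in <security-role> and <auth-constraint>,
     otherwise no user can ever satisfy the constraint. -->
<tomcat-users>
  <!-- Roles referenced by the web.xml deployment descriptor -->
  <role rolename="admin"/>
  <role rolename="editor"/>
  <!-- Placeholder accounts: replace the passwords before deploying -->
  <user username="alice" password="CHANGE-ME-admin"  roles="admin,editor"/>
  <user username="bob"   password="CHANGE-ME-editor" roles="editor"/>
</tomcat-users>
```

A user who authenticates but holds none of the roles listed in the <auth-constraint> is rejected with 403 Forbidden, so a failed login and a missing role assignment look different in the access log.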
Regards
Rafael Sobek
