Why and when to perform this task
The Servlet specification defines four Web login authentication mechanisms: basic,
digest, form-based and client certificate-based. This task covers the three that
you typically configure on a Web application: basic authentication, form-based
authentication and client certificate-based authentication. Protect Web resources
in a Web application by assigning security roles to those resources; an
authenticated caller reaches a protected resource only if it is in one of the
roles assigned to that resource.
To secure Web applications, determine the Web resources that need protecting and
determine how to protect them.
Steps for this task
- In an assembly tool, import your Web archive (WAR) file or an application
archive (EAR) file that contains one or more Web modules. For more
information, see the Importing WAR files article
or the Importing enterprise applications article.
- In the Project Explorer, locate your Web application.
- Right-click the deployment descriptor and select Open With >
Deployment Descriptor Editor. The Deployment Descriptor window
opens. To see online information about the editor, press F1 and click the
editor name. If you selected Web archive (WAR) file, a Web
deployment descriptor editor opens. If you selected an enterprise application
(EAR) file, an application deployment descriptor editor opens.
- Create security roles either at the application level or at the Web
module level. A security role created at the Web module level also displays
at the application level. A security role created at the application level
does not automatically display in the Web modules; you can copy and paste an
application-level security role into one or more Web modules.
- Create a role at the Web module level. In a Web deployment descriptor
editor, select the Security tab. Under Security Roles, click Add.
Enter the security role name, describe the security role, and click Finish.
- Create a role at the application level. In an application deployment
descriptor editor, select the Security tab. Under the list of security
roles, click Add. In the Add Security Role wizard, name and describe
the security role; then click Finish.
- Create security constraints. A security constraint maps one or more
Web resource collections (URL patterns plus HTTP methods) to the set of roles
that may access them and to the transport guarantee that applies.
- On the Security tab of a Web deployment descriptor editor,
click Security Constraints. On the Security Constraints
tab that opens, you can do the following:
- Add or remove security constraints for specific security roles.
- Add or remove Web resources and their HTTP methods.
- Define which security roles are authorized to access the Web resources.
- Specify None, Integral, or Confidential constraints on user data. None means
that the application requires no transport guarantee. Integral means
that data cannot be changed in transit between client and server. Confidential means
that data content cannot be observed while it is in transit. Integral and
Confidential usually require the use of SSL; a constraint that requires
authentication but leaves the transport guarantee at None sends credentials
and session cookies over the network in the clear.
- Under Security Constraints, click Add.
- Under Constraint name, specify a display name for the
security constraint and click Next.
- Type a name and description for the Web resource collection.
- Select zero or more HTTP methods. The HTTP method
options are: GET, PUT, HEAD, TRACE, POST, DELETE, and OPTIONS. If you select
no method, the constraint applies to every method. If you select specific
methods, only those methods are constrained: any method you leave unselected,
including HEAD, reaches the resource without the authorization check, so select
individual methods only when you intend the other methods to be unprotected.
- Beside the Patterns field, click Add.
- Specify a URL pattern. For example, type /*,
*.jsp, or /hello. Consult the Servlet specification Version 2.4 for instructions
on mapping URL patterns to servlets. The security run time matches an incoming
URL against the configured patterns in this order: an exact match first; if no
exact match is present, the longest path-prefix match (for example, /account/*);
and finally an extension match (for example, *.jsp).
- Click Finish.
- Repeat these steps to create multiple security constraints.
- Map security-role-ref and role-name elements to the role-link element.
During the development of a Web application, you can create the security-role-ref
element. At this stage the security-role-ref element contains only the role-name field.
The role-name field contains the logical name of the role that is referenced
in the servlet or JavaServer Pages (JSP) code to determine whether the caller is
in a specified role (isUserInRole()). Because security roles are created during
the assembly stage, the developer uses a logical role name in the role-name field
and provides enough description in the description field for the assembler
to map the logical name to an actual role (role-link). The security-role-ref element is at the
servlet level. A servlet or JSP file can have zero or more security-role-ref
elements.
- Go to the References tab of a Web deployment descriptor
editor. On the References tab, you can add or remove references in the
deployment descriptor. There are six types of references you can define on this tab:
- EJB reference
- Service reference
- Resource reference
- Message destination reference
- Security role reference
- Resource environment reference
- For example, to add an EJB reference, under the list of EJB references, click Add.
- Specify a name and a type for the reference in the Name and Ref
Type fields.
- Select either Enterprise Beans in the workspace or Enterprise
Beans not in the workspace.
- Optional: If you select Enterprise Beans not
in the workspace, select the type of enterprise bean in the Type field.
You can specify either an entity bean or a session bean.
- Optional: Click Browse to specify values
for the local home and local interface in the Local home and Local fields
before you click Next.
- Map every role-name used during development to an actual role (role-link)
in the same way, using the security role references. Every role name used during
development must map to a declared security role: if a role-name has no
role-link, the container falls back to a security role with exactly that name,
and if none exists isUserInRole() returns false for every caller.
- Specify the RunAs identity for servlets and JSP files. The
RunAs identity of a servlet is used to invoke enterprise beans from within
the servlet code. When enterprise beans are invoked, the RunAs identity is
passed to the enterprise bean for performing an authorization check on the
enterprise beans. If the RunAs identity is not specified, the client identity
is propagated to the enterprise beans. Because the RunAs identity replaces the
caller's identity for that check, a servlet with a RunAs role can reach beans
that the caller itself is not authorized to call; assign a RunAs role only to
servlets that need it, and choose the least privileged role that works. The
RunAs identity is assigned at the servlet level.
- On the Servlets tab of a Web deployment descriptor editor,
under Servlets and JSPs, click Add. The Add Servlet or JSP wizard
opens.
- Specify the servlet or JSP settings including the
name, initialization parameters, and URL mappings and click Next.
- Specify the class file destination.
- Click Next to specify additional settings or click Finish.
- Under Run As on the Servlets tab, select the security
role and describe the role.
- Specify a RunAs identity for each servlet and JSP file used
by your Web application.
- Configure the login mechanism for the Web module. The configured
login mechanism applies to all the servlets, JavaServer Pages (JSP) files and
HTML resources in the Web module.
- On the Pages tab of a Web deployment descriptor editor,
under Login, select the required authentication method. Available
method values include: Unspecified, Basic, Digest, Form, and Client-Cert.
- Specify a realm name.
- If you select the Form authentication method, specify a login
page URL and an error page URL (for example, /login.jsp and /error.jsp).
The specified login and error pages must be present in the WAR file.
- If you select Client-Cert, install the client certificate on the browser or
Web client and place the client certificate in the server trust keyring file.
- Close the deployment descriptor editor and, when prompted, click Yes to
save the changes.
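The steps above produce a web.xml whose security elements interact in ways that are easy to get wrong in the editor: a constraint that lists only some HTTP methods, a role-protected resource left at transport guarantee None, a security-role-ref that was never linked, or an auth-constraint or RunAs role that no security-role element declares. The following lint script is an added example, not code from this page or from the assembly tool: it embeds a constructed descriptor of the kind the editor writes (the AccountServlet, the role names, the realm and the finding codes are all assumptions made for this example) and reports each of those conditions from the descriptor alone.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/j2ee}"   # Servlet 2.4 descriptor namespace

# Constructed sample descriptor for this example, not taken from any real
# application. It deliberately contains each mistake that lint() reports.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>AccountServlet</servlet-name>
    <servlet-class>com.example.AccountServlet</servlet-class>
    <run-as><role-name>AccountManager</role-name></run-as>
    <security-role-ref>
      <role-name>mgr</role-name>
      <role-link>AccountManager</role-link>
    </security-role-ref>
    <security-role-ref>
      <role-name>auditor</role-name>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>AccountManager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Administrator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>AccountRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>AccountManager</role-name></security-role>
</web-app>
"""

def _text(el, path):
    """Stripped text of the first element at the namespaced path, or None."""
    found = el.find(path)
    return found.text.strip() if found is not None and found.text else None

def lint(xml_text):
    """Return a list of (code, subject) findings for a Servlet 2.4 web.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(r, NS + "role-name") for r in root.findall(NS + "security-role")}

    for sc in root.findall(NS + "security-constraint"):
        auth = sc.find(NS + "auth-constraint")
        guarantee = _text(sc, NS + "user-data-constraint/" + NS + "transport-guarantee") or "NONE"
        for wrc in sc.findall(NS + "web-resource-collection"):
            name = _text(wrc, NS + "web-resource-name")
            if wrc.findall(NS + "http-method"):
                # Servlet 2.4: listing http-method limits the constraint to those
                # verbs; every verb not listed reaches the resource unchecked.
                findings.append(("PARTIAL_METHODS", name))
            if auth is not None and guarantee == "NONE":
                # Role-protected resource served without SSL: credentials and
                # session cookies cross the wire in the clear.
                findings.append(("NO_TRANSPORT", name))
        if auth is not None:
            for rn in auth.findall(NS + "role-name"):
                role = rn.text.strip()
                if role != "*" and role not in declared:
                    findings.append(("UNDECLARED_ROLE", role))

    for sv in root.findall(NS + "servlet"):
        sname = _text(sv, NS + "servlet-name")
        run_as = _text(sv, NS + "run-as/" + NS + "role-name")
        if run_as and run_as not in declared:
            findings.append(("UNDECLARED_ROLE", sname + ":run-as:" + run_as))
        for ref in sv.findall(NS + "security-role-ref"):
            link = _text(ref, NS + "role-link")
            if not link:
                # Logical role-name with no role-link: isUserInRole() falls back
                # to a security-role of the same name, which here does not exist.
                findings.append(("UNMAPPED_ROLE_REF", sname + ":" + _text(ref, NS + "role-name")))
            elif link not in declared:
                findings.append(("UNDECLARED_ROLE", sname + ":" + link))
    return findings

if __name__ == "__main__":
    for code, subject in lint(SAMPLE_WEB_XML):
        print(code, subject)
```

Run against the sample, the script reports the four problems the steps above warn about: the Account pages collection constrains only GET and POST, so HEAD, PUT, DELETE and the rest bypass the role check; the same collection requires a role but no transport guarantee; the Admin pages constraint names a role (Administrator) that no security-role element declares; and the auditor role-name in AccountServlet has no role-link. To run it against a real module, replace SAMPLE_WEB_XML with the contents of the WAR file's WEB-INF/web.xml; the fix for the first finding is to select no HTTP methods in the wizard so that the constraint covers every method.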
Result
After securing a Web application, the resulting WAR file contains
security information in its deployment descriptor. The Web module security
information is stored in the web.xml file. When you work in the Web
deployment descriptor editor, you also can edit other deployment descriptors
in the Web project, including information on bindings and IBM extensions in
the ibm-web-bnd.xmi and ibm-web-ext.xmi files.
What to do next
After using an assembly tool to secure a Web application, you can
install the Web application using the administrative console. During the Web
application installation, complete the steps in the
Deploying secured applications article to finish securing the Web
application.