• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Security Questions

 
Luke Shannon
Ranch Hand
Posts: 239
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi;

I am trying to implement security on my site and have a few questions. They are WEB-INF/web.xml questions, I hope it is appropriate to ask them here:

The web.xml in my projects WEB-INF contains the following:

<!-- security -->
<security-constraint>
<web-resource-collection>
<web-resource-name>fw</web-resource-name>
<url-pattern>*.do</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</security-constraint>

Right now I don't want any one to use a servlet that is not authorized
first. Once I got BASIC working as I expected I wanted to shift to a custom form login:

<login-config>
<auth-method>FORM</auth-method>
<form-login-page>/loginpage.html</form-login-page>
<form-error-page>/loginpage.html</form-error-page>
</login-config>

Can I do this with the url-pattern of *.do? Or do I need to put an actual
directory? The reason I ask is how will Tomcat find the login pages?

Another question concerning:

<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Is it a good idea to have this? I understand it encrypts all data that is
sent to the server. It seems to me that no system should be without. But I
wanted to check with someone more experienced first whether there were
concerns or limitations I am unaware of.

If anyone else has any security tips they would like to share I would love to hear them.

Thanks,

Luke
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic