Hi;
I am trying to implement security on my site and have a few questions. They are WEB-INF/web.xml questions, I hope it is appropriate to ask them here:
The web.xml in my projects WEB-INF contains the following:
<!-- security -->
<security-constraint>
<web-resource-collection>
<web-resource-name>fw</web-resource-name>
<url-pattern>*.do</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</security-constraint>
Right now I don't want any one to use a
servlet that is not authorized
first. Once I got BASIC working as I expected I wanted to shift to a custom form login:
<login-config>
<auth-method>FORM</auth-method>
<form-login-page>/loginpage.html</form-login-page>
<form-error-page>/loginpage.html</form-error-page>
</login-config>
Can I do this with the url-pattern of *.do? Or do I need to put an actual
directory? The reason I ask is how will
Tomcat find the login pages?
Another question concerning:
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
Is it a good idea to have this? I understand it encrypts all data that is
sent to the server. It seems to me that no system should be without. But I
wanted to check with someone more experienced first whether there were
concerns or limitations I am unaware of.
If anyone else has any security tips they would like to share I would love to hear them.
Thanks,
Luke