I have a question regarding servlet security. In the specification (in XSD) it stands:
A value of INTEGRAL means
that the application requires that the data sent between the
client and server be sent in such a way that it can’t be
changed in transit
CONFIDENTIAL means that the application
requires that the data be transmitted in a fashion that
prevents other entities from observing the contents of the
* does INTEGRAL enforce mutual SSL authentication (so called SSL-client authentication) ? Or does it only indicate that certificate-based one-side server authentication should be conducted
* CONFIDENTIAL - it's pretty clear - when it's off - no encryption (which apparently is not mandatory in SSL), when it's on, encryption is also on - can someone confirm that ?
* is it possible in SSL to have only encryption without cert-based server authentication ? so server's identity is not confirmed by the browser ?
* how can I specify both INTEGRAL and CONFIDENTIAL - user-data-constraint is limited to allow only one transport-guarantee - should I specify 2 user-data-constraint ?
I don't know the answer but the Servlet specification says:
A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
■ transport guarantee (transport-guarantee in deployment descriptor)
If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication. If no user data constraint applies to
a request, the container must accept the request when received over any
connection including an unprotected one.
I am also trying to understand this.
If you get to know the answer please update this thread accordingly.
Thanks and Regards,
Joined: Jan 25, 2012
Unfortunately up to now I wasn't able to find answers - I'm too busy at the moment to investigate further. Maybe someone else already knows answers ?