INTEGRAL vs CONFIDENTIAL

Marcin Cinik
Greenhorn

Joined: Jan 25, 2012
Posts: 5
Hello,

I have a question regarding servlet security. In the specification (in the XSD) it says:

A value of INTEGRAL means that the application requires that the data sent between the client and server be sent in such a way that it can’t be changed in transit

CONFIDENTIAL means that the application requires that the data be transmitted in a fashion that prevents other entities from observing the contents of the transmission


My questions:
* Does INTEGRAL enforce mutual SSL authentication (so-called SSL client authentication)? Or does it only indicate that certificate-based one-sided server authentication should be conducted?
* CONFIDENTIAL - it's pretty clear - when it's off, there is no encryption (which apparently is not mandatory in SSL); when it's on, encryption is also on. Can someone confirm that?
* Is it possible in SSL to have only encryption without cert-based server authentication, so the server's identity is not confirmed by the browser?
* How can I specify both INTEGRAL and CONFIDENTIAL? user-data-constraint is limited to allow only one transport-guarantee - should I specify two user-data-constraint elements?

Sujoy Choudhury
Ranch Hand

Joined: Sep 17, 2008
Posts: 136

I don't know the answer but the Servlet specification says:

A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
element:
■ transport guarantee (transport-guarantee in deployment descriptor)

If no authorization constraint applies to a request, the container must accept the
request without requiring user authentication. If no user data constraint applies to
a request, the container must accept the request when received over any
connection including an unprotected one.


I am also trying to understand this.
If you get to know the answer please update this thread accordingly.

Thanks and Regards,
~Sujoy
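
Added example, not part of any post in this thread: a small Python audit that reads a `web.xml` and reports the transport guarantee each `security-constraint` declares, treating a missing `user-data-constraint` as NONE in line with the spec text quoted above. The sample descriptor, URL patterns and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample descriptor (web-resource-name omitted); not from the thread.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><url-pattern>/account/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>INTEGRAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/public/*</url-pattern></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

def _children(elem, name):
    # Match on local name so any web-app schema namespace (or none) works.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def transport_guarantees(xml_text):
    """Return [(url_pattern, guarantee)] for each security-constraint."""
    rows = []
    for sc in _children(ET.fromstring(xml_text), "security-constraint"):
        # No user-data-constraint: requests are accepted on any connection.
        guarantee = "NONE"
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                guarantee = (tg.text or "").strip().upper() or "NONE"
        for wrc in _children(sc, "web-resource-collection"):
            for up in _children(wrc, "url-pattern"):
                rows.append(((up.text or "").strip(), guarantee))
    return rows

def unprotected_patterns(xml_text):
    """URL patterns the container will serve over an unprotected connection."""
    return [p for p, g in transport_guarantees(xml_text)
            if g not in ("INTEGRAL", "CONFIDENTIAL")]

if __name__ == "__main__":
    for pattern, guarantee in transport_guarantees(SAMPLE_WEB_XML):
        print(f"{pattern:12} {guarantee}")
    print("unprotected:", unprotected_patterns(SAMPLE_WEB_XML))
```

Paths that no `security-constraint` covers at all are likewise accepted on any connection, so an empty result from `unprotected_patterns` does not show that every request requires a protected transport.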
Marcin Cinik
Greenhorn

Joined: Jan 25, 2012
Posts: 5
Unfortunately, up to now I haven't been able to find answers - I'm too busy at the moment to investigate further. Maybe someone else already knows the answers?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41108
    
In practice, both mean the same - SSL is required. That may be more important than what may have been intended when the spec was written :-)


Baachi Basu
Greenhorn

Joined: Aug 25, 2013
Posts: 1
From the spec:
'A user data constraint establishes a requirement that the constrained requests be
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A transport
guarantee of INTEGRAL is used to establish a requirement for content integrity
and a transport guarantee of CONFIDENTIAL is used to establish a requirement
for confidentiality. The transport guarantee of “NONE” indicates that the
container must accept the constrained requests when received on any connection
including an unprotected one. A user data constraint consists of the following
element:
■ transport guarantee (transport-guarantee in deployment descriptor) '

Which means:
INTEGRAL: guarantees integrity, which means all data on the wire is encrypted & signed by the server, which is possible with one-way SSL.
CONFIDENTIAL: guarantees confidentiality, which means all data on the wire is encrypted & signed by the server & client, which is possible with two-way SSL.
 