A value of CONFIDENTIAL means that the data must
be transmitted in a way that prevents anyone who intercepts it from reading it.
Although in principle (and in future HTTP versions) there may be a distinction
between INTEGRAL and CONFIDENTIAL, in current practice they both simply
mandate the use of SSL. For example, the following instructs the server to only
permit HTTPS connections to the associated resource:
CONFIDENTIAL
display-name
This rarely used subelement of security-constraint gives a name to the
security constraint entry that might be used by a GUI tool.
2.11 Controlling Session Timeouts 83
Assigning Role Names
Up to this point, the discussion has focused on security that was completely managed
by the container (server). Servlets and JSP pages, however, can also manage their
own security. For details, see Chapter 4 (Programmatic Security).
For example, the container might let users from either the bigwig or
bigcheese role access a page showing executive perks, but permit only the bigwig
users to modify the page's parameters. One common way to accomplish this more
fine-grained control is to call the isUserInRole("someRoleName") method of
HttpServletRequest and modify access accordingly (for an example, see Section
4.1). The someRoleName role used in the isUserInRole method usually
refers to one of the role names declared inside the security-role element.
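The two mechanisms just described, combined in one hypothetical servlet (an added example, not code from the book): the container enforces the role list and the CONFIDENTIAL transport guarantee declaratively, and the servlet calls isUserInRole to restrict modification to bigwig users. The class name, URL pattern and parameter name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* Assumed web.xml entry (hypothetical; the container enforces it):
 *   <security-constraint>
 *     <web-resource-collection>
 *       <url-pattern>/perks/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>bigwig</role-name>
 *       <role-name>bigcheese</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <security-role><role-name>bigwig</role-name></security-role>
 *   <security-role><role-name>bigcheese</role-name></security-role>
 */
public class ExecutivePerksServlet extends HttpServlet {

  // Only authenticated bigwig or bigcheese users over HTTPS get this far;
  // the container has already rejected everyone else.
  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    resp.setContentType("text/html");
    resp.getWriter().println("<h1>Executive perks</h1>");
    // Show the edit link only to users allowed to change parameters.
    if (req.isUserInRole("bigwig")) {
      resp.getWriter().println("<a href=\"edit\">Edit parameters</a>");
    }
  }

  // Re-check on the modifying request: hiding a link is not access control.
  @Override
  protected void doPost(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    if (!req.isUserInRole("bigwig")) {
      resp.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    getServletContext().setAttribute("perkBudget", req.getParameter("perkBudget"));
    resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
  }
}
```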