With or without SSL, you designate the protected resources with
the url-pattern subelement of web-resource-collection. None of your
servlets or JSP pages need to be modified or moved to different locations when you
enable or disable SSL. That's the beauty of declarative security.
The user-data-constraint subelement of security-constraint can
mandate that certain resources be accessed only with SSL. So, for example, attempts
to access https://host/webAppPrefix/specialURL are handled normally, whereas
attempts to access http://host/webAppPrefix/specialURL are redirected to the https
URL. This behavior does not mean that you cannot supply an explicit https URL for
a hypertext link or the ACTION of a form; it just means that you aren't required to.
You can stick with the simpler and more easily maintained relative URLs and still be
assured that certain URLs will only be accessed with SSL.
The user-data-constraint element, if used, must contain a transport-guarantee
subelement (with legal values NONE, INTEGRAL, or CONFIDENTIAL) and
can optionally contain a description element. A value of NONE for transport-guarantee
puts no restrictions on the communication protocol used. Because
NONE is the default, there is little point in using user-data-constraint or
transport-guarantee if you specify NONE. A value of INTEGRAL means that the
communication must be of a variety that prevents data from being changed in transit
without detection.
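As an added example (not code from the original text), the following check reads a deployment descriptor and reports the effective transport-guarantee for each url-pattern, treating a missing user-data-constraint as the default NONE. The sample web.xml is constructed, the function names are hypothetical, and the check assumes each url-pattern appears in only one security-constraint.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not from the original page).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Checkout</web-resource-name>
      <url-pattern>/specialURL</url-pattern>
      <url-pattern>/ssl/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

LEGAL = {"NONE", "INTEGRAL", "CONFIDENTIAL"}

def local(tag):
    # Strip any '{namespace}' prefix so the check works across descriptor versions.
    return tag.rsplit("}", 1)[-1]

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def transport_guarantees(web_xml):
    """Return {url-pattern: effective transport-guarantee} for every security-constraint."""
    result = {}
    for sc in find_all(ET.fromstring(web_xml), "security-constraint"):
        tg = find_all(sc, "transport-guarantee")
        # No user-data-constraint at all is equivalent to NONE, the default.
        value = (tg[0].text or "").strip() if tg else "NONE"
        if value not in LEGAL:
            raise ValueError("illegal transport-guarantee: %r" % value)
        for pat in find_all(sc, "url-pattern"):
            result[pat.text.strip()] = value
    return result

def not_ssl_only(web_xml):
    """URL patterns with no restriction on the communication protocol."""
    return sorted(p for p, g in transport_guarantees(web_xml).items() if g == "NONE")
```

In the sample, /admin/* requires a role but has no user-data-constraint, so it is the one pattern reported as not restricted to SSL.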