Instead, both of the major
security aspects are handled by the server. To prevent unauthorized access, you use
the Web application deployment descriptor (web.xml) to declare that certain URLs
need protection, and which categories of users should have access to them. You also
designate the authentication method that the server should use to identify users. At
request time, the server automatically prompts users for usernames and passwords
when they try to access restricted resources, automatically checks the results against
a predefined set of usernames and passwords, and automatically keeps track of
which users have previously been authenticated. This process is completely transparent
to the servlets and JSP pages. To safeguard network data, you use the deployment
descriptor to stipulate that certain URLs should only be accessible with SSL.
If users try to use a regular HTTP connection to access one of these URLs, the
server automatically redirects them to the HTTPS (SSL) equivalent.

Declarative security is all well and good. In fact, it is by far the most common
approach to Web application security. But what if you want your servlets to be completely
independent of any server-specific settings such as password files? Or, what if
you want to let users in various roles access a particular resource but customize the
data depending on the role that they are in? Or, what if you want to authenticate
users other than by requiring an exact match from a fixed set of usernames and passwords?
That's where programmatic security comes in.