NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
surrounding Engine element), but not inside a Context element for one of the
involved web applications.
If users access only unprotected resources in any of the web applications on this
virtual host, they will not be challenged to authenticate themselves.
If users access a protected resource in any web application associated with this
virtual host, they will be challenged to authenticate using the login method
defined for the web application currently being accessed.
After authentication, the roles associated with this user will be utilized for access
control decisions for all the associated web applications, without challenging the
user to authenticate themselves to each application individually.
When the user logs out of one web application (for example, by invalidating the
corresponding session, if form-based authentication is used), the user's sessions in
all web applications will be invalidated. Any subsequent attempt to access a
protected resource in any application will require the user to authenticate again.
The single sign-on feature uses an HTTP cookie to carry a token that associates
each request with the saved user identity, so it can only be used in client
environments that accept cookies. Because that token grants access to every
application on the host, it must be protected with the same care as a session
identifier (for example, by serving the applications only over SSL).
To configure single sign-on for the applications within a host, configure the
SingleSignOn valve as a child of the Host element where the single sign-on feature
should be implemented:
<Host>
...
<Valve
className="org.apache.catalina.authenticator.SingleSignOn"
/>
...
</Host>
Authorizing a User
While the authentication process establishes the identity of the user, the authorization
process determines if the user is allowed to access a secured resource. You can
authorize a user to access specific resources by using the security-constraint
element in an application-specific deployment descriptor, which is an XML document
named .../WEB-INF/web.xml.
Security constraints are a declarative way to define the protection applied to web
content. A security constraint binds an authorization constraint (the roles that are
allowed access), a user data constraint (the transport guarantee required for the
connection), or both, to a collection of web resources identified by URL patterns
and, optionally, HTTP methods. You can therefore protect a set of resources by
requiring the user to hold a given role, by requiring that the connection be made
over a protected transport layer, or by requiring both.
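The following deployment descriptor fragment is an added example, not taken from
this guide or from the NSJSP distribution. It shows one security-constraint that
combines both kinds of constraint described above: an auth-constraint limiting access
to a role and a user-data-constraint requiring a protected transport. The URL pattern
/secure/*, the role name manager, the realm name and the login page names are
assumptions chosen for illustration; substitute your application's own values.

```xml
<!-- Added example (not from the guide): fragment of one web application's
     WEB-INF/web.xml. URL pattern, role name, realm name and page names are
     assumed for illustration. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>
      <!-- No http-method elements: the constraint applies to every HTTP
           method. Listing specific methods (for example only GET and POST)
           would leave all unlisted methods unprotected. -->
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <!-- Authorization constraint: only users holding the "manager" role
         may access the collection. -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- User data constraint: the request must arrive over a protected
         (SSL) connection; plain HTTP requests are redirected or rejected. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Login method used when a protected resource is requested. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example Realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role named in an auth-constraint must also be declared here. -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

Two details are easy to get wrong when writing such constraints. Omitting the
auth-constraint element entirely means no authentication is required for the
collection, whereas an empty auth-constraint element (no role-name children)
denies access to everyone. And because a constraint with http-method elements
restricts only the methods listed, the safest default is to leave http-method out
so that the constraint covers every method.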