NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide

Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
...
...
...
</security-constraint>
Authorization Constraint
An authorization constraint establishes a requirement for authentication and specifies
the authorization roles permitted to perform constrained requests. A user must be a
member of at least one of the specified roles to be permitted to perform the
constrained requests. The special role name * specifies all the role names defined in
the deployment descriptor.
An authorization constraint that does not specify any roles indicates that access to the
constrained requests is not permitted under any circumstances. An authorization
constraint contains the role-name element.
The following is a sample authorization constraint (<auth-constraint>) element
from a web.xml file:
<security-constraint>
    <web-resource-collection>
        ...
        ...
    </web-resource-collection>
    <auth-constraint>
        <description>only let the system user login</description>
        <role-name>admin</role-name>
        <role-name>manager</role-name>
    </auth-constraint>
</security-constraint>
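The following added example (not part of the original guide or of NSJSP) applies the authorization rules described above to a web.xml file: membership in at least one listed role, the * wildcard, and an empty auth-constraint that denies everyone. The descriptor contents, URL patterns, and function names are constructed for illustration, and each security-constraint is evaluated on its own rather than combined with others.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor (not from the guide).
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name><role-name>manager</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/members/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>*</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
  <auth-constraint/>
 </security-constraint>
 <security-role><role-name>admin</role-name></security-role>
 <security-role><role-name>user</role-name></security-role>
</web-app>"""

def local(el):
    """Element name without any XML namespace prefix."""
    return el.tag.rsplit("}", 1)[-1]

def names(parent):
    """Text of the role-name children of one element."""
    return {c.text.strip() for c in parent if local(c) == "role-name"}

def load_constraints(xml_text):
    """Return (declared_roles, {url_pattern: required roles, or None})."""
    root = ET.fromstring(xml_text)
    declared = set().union(*(names(e) for e in root if local(e) == "security-role"))
    rules = {}
    for sc in (e for e in root if local(e) == "security-constraint"):
        auth = next((c for c in sc if local(c) == "auth-constraint"), None)
        # None: no auth-constraint present. Empty set: nobody is permitted.
        roles = None if auth is None else names(auth)
        if roles and "*" in roles:
            roles = set(declared)  # "*" stands for every declared role
        for pat in (p for p in sc.iter() if local(p) == "url-pattern"):
            rules[pat.text.strip()] = roles
    return declared, rules

def permitted(required, user_roles):
    """True if the user holds at least one required role."""
    return True if required is None else bool(required & set(user_roles))

def undeclared(declared, rules):
    """Roles named in an auth-constraint but lacking a security-role element."""
    return sorted(set().union(*(r for r in rules.values() if r)) - declared)
```

Running undeclared() against a descriptor before deployment catches role names that are referenced in an auth-constraint but never identified by a security-role element.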
Note. Security roles referenced by a web application are identified by specifying the
security-role element in the web.xml file.
User Data Constraint
A user data constraint establishes a requirement that the constrained requests are
received over a protected transport layer connection. The strength of the required
protection is defined by the value of the transport guarantee. A
user-data-constraint element contains a transport-guarantee element, which specifies