Example of Java Web security authentication mechanism

Source: Internet
Author: User
Tags: auth, md5, md5 encryption, java web

Security-constraint

The security-constraint element in the deployment descriptor allows you to restrict access to a resource without programming.

<!ELEMENT security-constraint (display-name?, web-resource-collection+, auth-constraint?, user-data-constraint?)>
<!ELEMENT display-name (#PCDATA)>
<!ELEMENT web-resource-collection (web-resource-name, description?, url-pattern*, http-method*)>
<!ELEMENT auth-constraint (description?, role-name*)>
<!ELEMENT user-data-constraint (description?, transport-guarantee)>

(1) web-resource-collection element

The web-resource-collection element identifies the subset of resources to be restricted. Inside it you define the URL patterns and the HTTP methods to which the constraint applies. If no http-method is given, the security constraint applies to all HTTP methods.

<!ELEMENT web-resource-collection (web-resource-name, description?, url-pattern*, http-method*)>
<!ELEMENT web-resource-name (#PCDATA)>
<!ELEMENT description (#PCDATA)>
<!ELEMENT url-pattern (#PCDATA)>
<!ELEMENT http-method (#PCDATA)>

web-resource-name is the name associated with the protected resources. Each http-method element names one HTTP method, such as GET or POST.

(2) auth-constraint element

The auth-constraint element specifies the user roles that may access the resource collection. If no auth-constraint element is given, the security constraint applies to all roles, that is, access is not restricted by role.

<!ELEMENT auth-constraint (description?, role-name*)>
<!ELEMENT description (#PCDATA)>
<!ELEMENT role-name (#PCDATA)>

(3) user-data-constraint element

The user-data-constraint element specifies how data transmitted between the client and the Web container must be protected.

<!ELEMENT user-data-constraint (description?, transport-guarantee)>
<!ELEMENT description (#PCDATA)>
<!ELEMENT transport-guarantee (#PCDATA)>

The transport-guarantee element must take one of the following values:

NONE: the application requires no transport guarantee.
INTEGRAL: data sent between the server and the client must be transmitted in a way that prevents it from being altered in transit.
CONFIDENTIAL: the transmitted data must be encrypted.

In most cases, Secure Sockets Layer (SSL) is used to provide INTEGRAL or CONFIDENTIAL.

Security-role

The security-role element specifies the declaration of the security role used in security constraints.

<!ELEMENT security-role (description?, role-name)>
<!ELEMENT description (#PCDATA)>
<!ELEMENT role-name (#PCDATA)>

Note: the role-name inside security-constraint and the security-role declaration are not linked to each other.

In Tomcat, it does not matter whether security-role is declared.

On other commercial application servers, such as WebLogic and JBoss, security-role is usually declared so that the roles referenced in security-constraint are known to the server.

Login-config

The login-config element specifies the authentication method to use, the realm name, and the attributes required by form-based authentication.

<!ELEMENT login-config (auth-method?, realm-name?, form-login-config?)>
<!ELEMENT auth-method (#PCDATA)>
<!ELEMENT realm-name (#PCDATA)>
<!ELEMENT form-login-config (form-login-page, form-error-page)>

The sub-element of login-config is described as follows:

(1) auth-method specifies the authentication method. It takes one of the following values: BASIC, DIGEST, FORM, or CLIENT-CERT.

BASIC: defined by the HTTP specification; the credentials are sent Base64-encoded. This is considered the least secure authentication method because it provides no strong encryption.

<web-app>
......
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
......
</web-app>

DIGEST: defined by the HTTP standard and based on MD5; it is considered a secure authentication method. Instead of sending the password, the client sends an MD5 digest of the credentials and the request data, which the server verifies.

<web-app>
......
<login-config>
<auth-method>DIGEST</auth-method>
</login-config>
......
</web-app>

CLIENT-CERT: defined by the J2EE specification and based on public-key certificates (PKC). Authentication uses the client's certificate and is relatively secure; its drawback is that it cannot be used by clients that have no certificate.

<web-app>
......
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
......
</web-app>

FORM: defined by the J2EE specification; it offers weak data integrity and no encryption, but it allows a custom login page.

<web-app>
......
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
......
</web-app>
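The difference between BASIC and DIGEST described above can be seen on the wire. The following is an added example, not code from the original article or from any servlet container: it builds and checks both kinds of Authorization header for a single assumed realm, using the worked values from RFC 2617 (user "Mufasa", password "Circle Of Life"), and assumes the server keeps only HA1 = MD5(user:realm:password), which is what a DIGEST realm stores instead of clear-text passwords.

```python
# Added example (not from the original article): BASIC only encodes the
# password, DIGEST (RFC 2617, MD5, qop=auth) never sends it.  Assumes a single
# realm and a server-side store holding only HA1 = MD5(user:realm:password).
import base64
import hashlib
import hmac
import re


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


# --- BASIC -----------------------------------------------------------------
def basic_header(username: str, password: str) -> str:
    """Build the Authorization header a browser sends for BASIC."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header: str) -> tuple:
    """Base64 is an encoding, not encryption: whoever can read the header
    (a proxy, an access log, any hop of a plain-HTTP request) gets the
    password back.  This is why BASIC needs transport-guarantee CONFIDENTIAL."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


# --- DIGEST ----------------------------------------------------------------
def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_header(username, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the password is only used to derive HA1; it never leaves."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    resp = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: (q or u) for k, q, u in _PAIR.findall(params)}


def verify_digest(header, method, ha1_store, issued_nonce) -> bool:
    """Server side: recompute the response from the stored HA1 and the request
    line.  The nonce must be the one this server issued, so a captured header
    cannot simply be replayed, and a digest made for GET does not verify for
    POST because HA2 binds the method and URI."""
    p = parse_digest(header)
    ha1 = ha1_store.get((p.get("username"), p.get("realm")))
    if ha1 is None or p.get("nonce") != issued_nonce or p.get("qop", "auth") != "auth":
        return False
    expected = digest_response(ha1, method, p.get("uri", ""), p["nonce"],
                               p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    # Values taken from the RFC 2617 worked example.
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
    store = {("Mufasa", "testrealm@host.com"):
             md5_hex("Mufasa:testrealm@host.com:Circle Of Life")}
    basic = basic_header("Mufasa", "Circle Of Life")
    print("BASIC header decodes to:", decode_basic(basic))
    hdr = digest_header("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                        "/dir/index.html", nonce, "00000001", "0a4f113b")
    print("password present in DIGEST header:", "Circle Of Life" in hdr)
    print("GET verifies:", verify_digest(hdr, "GET", store, nonce))
    print("same header replayed for POST verifies:", verify_digest(hdr, "POST", store, nonce))
```

The server never needs the clear-text password, only HA1, and the response is bound to the server's nonce and to the method and URI of the request. That is the whole gain over BASIC; the underlying hash is still MD5, so DIGEST does not replace CONFIDENTIAL transport, it only keeps the password itself off the wire.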

(2) realm-name specifies the realm name used in HTTP Basic authentication.

(3) form-login-config specifies the login page and the error page used by form-based login; these elements are ignored when form-based authentication is not used. form-login-page gives the resource path of the page that displays the login form, and form-error-page gives the resource path of the page shown when the user fails to log in. Both paths must start with a / and are relative to the application's root directory.

<!ELEMENT form-login-config (form-login-page, form-error-page)>
<!ELEMENT form-login-page (#PCDATA)>
<!ELEMENT form-error-page (#PCDATA)>

Note that some attributes of the FORM login page are fixed by the specification: the form action must be j_security_check, the form method must be post, the user-name input must be named j_username, and the password input must be named j_password:

<form action="j_security_check" method="post">
<input name="j_username" type="text">
<input name="j_password" type="password">
<input type="submit" value="login">
</form>

Example:

<security-constraint>
  <display-name>Login Page</display-name>
  <web-resource-collection>
    <web-resource-name>Login Page</web-resource-name>
    <url-pattern>/login.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Everyone</description>
    <role-name>everyone</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-role>
  <description>Everyone</description>
  <role-name>everyone</role-name>
</security-role>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.html</form-error-page>
  </form-login-config>
</login-config>
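The three elements described in this article (security-constraint, security-role and login-config) are easy to get subtly wrong, so a reviewer usually wants a script that reads the deployment descriptor and points at weak settings. The following is an added audit script, not part of the original article or of any servlet container: it parses those elements from a web.xml and reports a constraint whose http-method list leaves other methods uncovered, a missing auth-constraint, a role used without a security-role declaration, and a transport-guarantee other than CONFIDENTIAL. Both descriptors in the block are constructed samples; the first mirrors the example just shown, the second is a hardened variant.

```python
# Added audit script (not part of the original article): parses the
# security-constraint, security-role and login-config elements of a web.xml
# and reports settings that weaken authentication.  Both descriptors below are
# constructed samples; CASE_WEB_XML mirrors the article's example.
import xml.etree.ElementTree as ET

CASE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Login Page</display-name>
    <web-resource-collection>
      <web-resource-name>Login Page</web-resource-name>
      <url-pattern>/login.jsp</url-pattern>
      <http-method>GET</http-method><http-method>PUT</http-method>
      <http-method>POST</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>everyone</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>everyone</role-name></security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""

# Hardened variant: no http-method list (every method is covered), a declared
# role, and CONFIDENTIAL so the FORM credentials only travel over SSL/TLS.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Admin area</display-name>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>"""


def _local(tag):
    """Element name without namespace, so DTD-based and namespaced descriptors
    are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    kids = _children(el, name)
    return kids[0].text.strip() if kids and kids[0].text else None


def audit_web_xml(xml_text):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {_text(r, "role-name") for r in _children(root, "security-role")}
    login = _children(root, "login-config")
    auth_method = _text(login[0], "auth-method") if login else None
    if auth_method is None:
        findings.append("no login-config: no authentication method is declared")
    for sc in _children(root, "security-constraint"):
        where = _text(sc, "display-name") or "(unnamed constraint)"
        methods = []
        for wrc in _children(sc, "web-resource-collection"):
            methods += [m.text.strip() for m in _children(wrc, "http-method") if m.text]
        if methods:  # listing methods means the others are not constrained
            findings.append(f"{where}: only {sorted(set(methods))} are constrained; "
                            "omit http-method so the rule covers every HTTP method")
        auth = _children(sc, "auth-constraint")
        if not auth:
            findings.append(f"{where}: no auth-constraint, access is not restricted by role")
        for r in (_children(auth[0], "role-name") if auth else []):
            if r.text and r.text.strip() not in declared | {"*"}:
                findings.append(f"{where}: role '{r.text.strip()}' has no security-role declaration")
        udc = _children(sc, "user-data-constraint")
        guarantee = (_text(udc[0], "transport-guarantee") if udc else None) or "NONE"
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{where}: transport-guarantee {guarantee} with auth-method "
                            f"{auth_method}: credentials can be sent over plain HTTP")
    return findings


if __name__ == "__main__":
    for label, doc in (("case", CASE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, "->", audit_web_xml(doc) or ["no findings"])
```

Run against the article's example the script reports two findings: the constraint covers only GET, PUT, POST and DELETE, and transport-guarantee NONE lets the FORM credentials travel in the clear. The hardened descriptor produces none. The role check is deliberately informational, since the article notes that Tomcat does not require security-role while other servers do.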
