Download Safari Books Online apps: Apple iOS | Android

Entire Site

Safari Books Online

    Free Trial

    Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.


    Head First Servlets and JSP™
    Dedication
    A Note Regarding Supplemental Files
    Praise for Head First Servlets and JSP™
    Praise for the Head First approach
    Perpetrators of the Head First series (and this book)
    How to Use this Book: Intro
    1. Intro and Overview: Why use Servlets & JSPs?
    2. High-Level Overview: Web App Architecture
    3. Hands-on MVC: Mini MVC Tutorial
    4. Request and Response: Being a Servlet
    5. Attributes and Listeners: Being a Web App
    6. Session Management: Conversational state
    7. Using JSP: Being a JSP
    8. Scriptless JSP: Script-free pages
    9. Using JSTL: Custom tags are powerful
    10. Custom Tag Development: When even JSTL is not enough...
    11. Web App Deployment: Deploying your web app
    12. Web App Security: Keep it secret, keep it safe
    The Bad Guys are everywhere
    And it’s not just the SERVER that gets hurt...
    The Big 4 in servlet security
    A little security story
    How to Authenticate in HTTP World: the beginning of a secure transaction
    A slightly closer look at how the Container does Authentication and Authorization
    How did the Container do that ?
    Keep security out of the code!
    Who implements security in a web app?
    The Big Jobs in servlet security
    Just enough Authentication to discuss Authorization
    Authorization Step 1: defining roles
    Authorization Step 2: defining resource/method constraints
    The <security-constraint> rules for <web-resource-collection> elements
    Picky <security-constraint> rules for <auth-constraint> sub-elements
    The way <auth-constraint> works
    How multiple <security-constraint> elements interact
    Dueling <auth-constraint> elements
    Alice’s recipe servlet, a story about programmatic security...
    Customizing methods: isUserInRole()
    The declarative side of programmatic security
    Authentication revisited
    Implementing Authentication
    Form-Based Authentication
    Summary of Authentication types
    She doesn’t know about J2EE’s “protected transport layer connection”
    Securing data in transit: HTTPS to the rescue
    How to implement data confidentiality and integrity sparingly and declaratively
    Protecting the request data
    Coffee Cram: Mock Exam Chapter 12
    Coffee Cram: Chapter 12 Answers
    13. Filters and Wrappers: The Power of Filters
    14. Patterns and Struts: Enterprise Design Patterns
    A. Final Mock Exam: Coffee Cram
    B.
    C.
    Index
    About the Authors
    Copyright
    • Create BookmarkCreate Bookmark
    • Create Note or TagCreate Note or Tag
    • PrintPrint
    Share this Page URL
    Help

    12. Web App Security: Keep it secret, ke... > The way <auth-constraint> works

    The way <auth-constraint> works

    image with no caption

    Note

    NO <auth-constraint> is the opposite of an EMPTY <auth-constraint/>!

    Remember this: if you don’t say which roles are constrained, then NO roles are constrained. But once you DO put in an <auth-constraint>, then ONLY the roles explicitly stated are allowed access (unless you use the wildcard “*” for the <role-name>). If you don’t want ANY role to have access, you MUST put in the <auth-constraint/>, but just leave it empty. This tells the Container, “I am explicitly stating the roles allowed and, by the way, there aren’t any!”


      

    You are currently reading a PREVIEW of this book.

                                                                                            

    Get instant access to over
    $1 million worth of books and videos.

      

    Start a Free Trial