
Programming Security for Oracle WebLogic Server

Which of these three methods is used is defined by the JACC flags and the security model. Security models are described in Options for Securing EJB and Web Application Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server. To implement declarative security in Web applications, you can use the deployment descriptors web.xml and weblogic.xml to define security requirements. The deployment descriptors map the application's logical security requirements to its runtime definitions, and at runtime the servlet container uses those security definitions to enforce the requirements. For a discussion of using deployment descriptors, see Section 3.3, Developing Secure Web Applications. For information about how to use deployment descriptors and the externally-defined element to configure security in Web applications declaratively, see Section 3.5.2.1, externally-defined. For information about how to use the Administration Console to configure security in Web applications, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.

3.5 Web Application Security-Related Deployment Descriptors

The following topics describe the deployment descriptor elements that are used in the web.xml and weblogic.xml files to define security requirements in Web applications:

■ Section 3.5.1, web.xml Deployment Descriptors
■ Section 3.5.2, weblogic.xml Deployment Descriptors

3.5.1 web.xml Deployment Descriptors

The following web.xml security-related deployment descriptor elements are supported by WebLogic Server:

■ Section 3.5.1.1, auth-constraint
■ Section 3.5.1.2, security-constraint
■ Section 3.5.1.3, security-role
■ Section 3.5.1.4, security-role-ref
■ Section 3.5.1.5, user-data-constraint
■ Section 3.5.1.6, web-resource-collection

3.5.1.1 auth-constraint

The optional auth-constraint element defines which groups or principals have access to the collection of Web resources defined in this security constraint. The following table describes the elements you can define within an auth-constraint element.

Table 3–2 auth-constraint Element

Element | Required/Optional | Description
description | Optional | A text description of this security constraint.
role-name | Optional | Defines which security roles can access resources defined in this security-constraint. Security role names are mapped to principals using the security-role-ref element. See Section 3.5.1.4, security-role-ref.

3.5.1.1.1 Used Within

The auth-constraint element is used within the security-constraint element.

3.5.1.1.2 Example

See Example 3–11 for an example of how to use the auth-constraint element in a web.xml file.

3.5.1.2 security-constraint

The security-constraint element is used in the web.xml file to define the access privileges to a collection of resources defined by the web-resource-collection element. The following table describes the elements you can define within a security-constraint element.

Table 3–3 security-constraint Element

Element | Required/Optional | Description
web-resource-collection | Required | Defines the components of the Web Application to which this security constraint is applied. For more information, see Section 3.5.1.6, web-resource-collection.
auth-constraint | Optional | Defines which groups or principals have access to the collection of web resources defined in this security constraint. For more information, see Section 3.5.1.1, auth-constraint.
user-data-constraint | Optional | Defines how data communicated between the client and the server should be protected. For more information, see Section 3.5.1.5, user-data-constraint.

3.5.1.2.1 Example

Example 3–11 shows how to use the security-constraint element to define security for the SecureOrdersEast resource in a web.xml file.

Example 3–11 Security Constraint Example

web.xml entries:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>SecureOrdersEast</web-resource-name>
        <description>
          Security constraint for resources in the orderseast directory
        </description>
        <url-pattern>/orderseast/*</url-pattern>
        <http-method>POST</http-method>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>
          constraint for east coast sales
        </description>
        <role-name>east</role-name>
        <role-name>manager</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    ...
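As an added example (not part of the Oracle documentation), the following Python script parses the security-constraint entries of a web.xml such as Example 3–11 and summarizes the effective policy of each one: the URL patterns and HTTP methods it covers, the roles its auth-constraint allows (None when the element is absent, so no role restriction applies), and its transport-guarantee. The embedded sample is constructed from Example 3–11 with the xmlns declaration a real web.xml carries left out; namespaced files are handled by stripping the namespace before lookups.

```python
"""Summarize the access policy declared by web.xml security-constraint elements."""
import xml.etree.ElementTree as ET

# Constructed sample: Example 3-11's constraint in a minimal <web-app>, xmlns omitted.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureOrdersEast</web-resource-name>
      <url-pattern>/orderseast/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>east</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def audit_constraints(web_xml_text):
    """Return one dict per security-constraint describing its effective policy."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():  # strip {namespace} so tag lookups work on real files
        el.tag = el.tag.rsplit("}", 1)[-1]
    results = []
    for sc in root.iter("security-constraint"):
        wrc = sc.find("web-resource-collection")
        ac = sc.find("auth-constraint")
        entry = {
            "name": (wrc.findtext("web-resource-name") or "").strip(),
            "url_patterns": [u.text.strip() for u in wrc.findall("url-pattern")],
            # Empty list: no http-method given, so the constraint covers all methods.
            "http_methods": [m.text.strip() for m in wrc.findall("http-method")],
            # None: no auth-constraint element, so no role restriction applies.
            "roles": None if ac is None else
                     [r.text.strip() for r in ac.findall("role-name")],
            "transport": (sc.findtext("user-data-constraint/transport-guarantee")
                          or "NONE").strip(),  # a missing element behaves like NONE
            "findings": [],
        }
        if entry["roles"] is None:
            entry["findings"].append("no auth-constraint: not restricted by role")
        elif not entry["roles"]:
            entry["findings"].append("empty auth-constraint: access denied to all")
        if entry["transport"] == "NONE":
            entry["findings"].append("transport-guarantee NONE: SSL not required")
        results.append(entry)
    return results
```

Run against Example 3–11 it reports the two roles, the two listed methods, and the finding that transport-guarantee NONE leaves the exchange unencrypted, which is the "SSL not required" choice the example makes explicit.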

3.5.1.3 security-role