Saturday, March 27, 2010

More on Security of Web Applications

You can apply BASIC Authentication (the browser will request username and password).

In the web.xml, declare a security-constraint which defines a web-resource-collection and an auth-constraint with a role-name.
You must also define which security realm will authenticate the user.
Specify a login-config/auth-method=BASIC.

In weblogic.xml, you create a security-role-assignment where you map a role-name to a principal-name.

At the end of the story, your principal-name is authorized to access a web-resource-collection.

To have FORM based authentication, you define a login-config/auth-method=FORM, and you provide a form-login-config to tell which JSP page to use for login.


You can have CLIENT-CERT based authentication using 2 way SSL. (TODO find more about this)
It seems that this is supported only with JNDI login, and not with the JAAS login.

The user-data-constraint/transport-guarantee clause determines the level of encryption (confidentiality) or signature (integrity) required for the data in transit.


SAML is a remote, or perimeter, login method.
