
GlassFish security novice. Help.

  • 14-03-2013 10:24am
    #1
    Registered Users, Registered Users 2 Posts: 40


    Hello to all,

    I am reading the Java EE tutorial and I am trying to get my head around authentication. I am confused about client authentication which is described on pg 764.

    I (hope I) understand that to ensure that data is sent over a secure connection I have to add something like this to the deployment descriptor.
    <security-constraint>
        <display-name>Checkout</display-name>
        <web-resource-collection>
            <web-resource-name>Checkout</web-resource-name>
            <url-pattern>/checkout</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    
    
    I have been reading on pg 764 that client authentication uses HTTP over SSL. For instance, to declare client authentication in the deployment descriptor you would write:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    
    

    Are these pieces of code trying to do the same thing? If not, would I need both of these pieces of code in a deployment descriptor to secure my enterprise application?
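
Added example, not part of the original post: the two snippets from the question placed in one Servlet 3.0 `web.xml`, where `<transport-guarantee>` governs the connection and `<login-config>` governs how the caller is authenticated. The `customer` role and the `<auth-constraint>` element are assumptions added for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <security-constraint>
        <display-name>Checkout</display-name>
        <web-resource-collection>
            <web-resource-name>Checkout</web-resource-name>
            <url-pattern>/checkout</url-pattern>
            <!-- No <http-method> listed here, so the constraint applies to
                 every HTTP method rather than to GET alone. -->
        </web-resource-collection>

        <!-- WHO may call /checkout. This element is what makes the container
             authenticate the caller; without it, <login-config> is never
             triggered for this URL. "customer" is a hypothetical role. -->
        <auth-constraint>
            <role-name>customer</role-name>
        </auth-constraint>

        <!-- HOW the data travels: the container requires HTTPS and
             redirects plain HTTP requests to the secure port. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- HOW the caller proves identity: an X.509 client certificate
         presented during the SSL/TLS handshake. -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <!-- Every role used in an <auth-constraint> is declared here. -->
    <security-role>
        <role-name>customer</role-name>
    </security-role>
</web-app>
```

With only the `<user-data-constraint>`, the connection is encrypted but any caller is accepted; with only the `<login-config>`, an authentication method is declared but no resource requires it.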

