Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
If we do not hit our goal we will be forced to close the site.

Current status: https://keepboardsalive.com/

Annual subs are best for most impact. If you are still undecided on going Ad Free - you can also donate using the Paypal Donate option. All contribution helps. Thank you.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.

GlassFish security novice. Help.

  • 14-03-2013 11:24AM
    #1
    razor2013
    Registered Users, Registered Users 2 Posts: 40


    Hello to all,

    I am reading the Java EE tutorial and I am trying to get my head around authentication. I am confused about client authentication which is described on pg 764.

    I (hope I) understand that to ensure that data is sent over a secure connection I have to add something like this to the deployment descriptor.
    <security-constraint>     
        <display-name>Checkout</display-name>  
   
             <web-resource-collection>         
               <web-resource-name>Checkout</web-resource-name>                  
               <url-pattern>/checkout</url-pattern>         

               <http-method>GET</http-method>    
             </web-resource-collection>    
  
            <user-data-constraint>         
              <description/>         
                 <transport-guarantee>CONFIDENTIAL</transport-guarantee>  
            </user-data-constraint> 

</security-constraint>
    I have been reading on pg 764 that client authentication uses HTTP over SSL. For instance, to declare client authentication in the deployment descriptor you would write:
    <login config>
       <auth-method>CLIENT CERT</auth-method>
</login config>

    Are these pieces of code trying to do the same thing? If not, would I need both of these pieces of code in a deployment descriptor to secure my enterprise application.


Advertisement