Servlet declarative security

For Servlet security, I read that in web.xml we can declare <auth-constraints> and <user-data-constraint> for turning on SSL and for authentication purposes. But so far I personally haven't seen any of these declarations in real-life web.xml files (apps running on Tomcat, Glassfish).

So I wonder what the substitute ways of achieving these goals are, and which way is preferred?

Answers


It depends strongly on the application server used, but in general there is no way to make the application server expose the application using SSL without enabling it at the level of the AS (not the deployment descriptor).

For instance, for Tomcat, the SSL connector (default port 8443) has to be enabled in server.xml. You may then use Apache (httpd) as a reverse proxy using mod_proxy or mod_jk.

In the code you may use a ServletFilter to intercept all the requests, and if the communication is not on top of SSL, you may redirect the user to some login page.

