Edit the web.xml file to add security settings

There are three types of Web login (authentication) mechanisms that can be configured for a Web application: basic authentication, form-based authentication, and client certificate-based authentication. Web resources in a Web application are protected by assigning security roles to those resources, so you need to know in advance which Web resources need protecting and how to protect them.

Perform these steps to secure your Web application with WebSphere Development Studio Client:

  1. Open the web.xml file.

    1. Open the project that contains your Web application.
    2. In the Navigator window, expand the WEB-INF directory. Double-click the web.xml file. The web.xml file is the deployment descriptor for your Web application. The deployment descriptor contains runtime security settings.

  2. Create security roles.

    1. Click the Security tab.
    2. Next to the Security Roles table, click Add.
    3. Type the role name and a description of the role.
    4. Repeat steps 2 and 3 to add all required security roles.

  3. Create security constraints.
    Security constraints are a mapping of one or more Web resources to a set of roles. To create security constraints, follow these steps:

    1. Under the Security Constraints window, click Add. A new security constraint is added to the window, and a new Web resource collection is added to the Web resource collection window.
    2. Select (New Web Resource Collection), and click Edit.
    3. In the Web Resource Collections dialog, enter a name and description for the Web resource collection.
    4. Select the appropriate HTTP methods.
    5. Next to URL Patterns, click Add. Type the URL pattern (for example: /*, *.jsp, /hello). Consult the Servlet 2.3 Specification for more information about mapping URL patterns to servlets. The security run time uses the first exact match to map the incoming URL to a URL pattern. If no exact match is present, the security run time uses the longest path match. A wildcard URL pattern (such as *.* or *.jsp) is used last. Click OK.
    6. Next to the Authorized roles window, click Edit. Type a description, and select the required Role Names. Note that if you do not select any role names, no user can have access to the Web resources that are specified under these security constraints. Click OK.
    7. Select the appropriate user data constraint from the drop-down list. A user data constraint of None indicates that the communication between the Web client (browser) and the server (Web server) is transported over HTTP. A user data constraint of Confidential or Integral guarantees that the communication between the Web client and the Web server is secured and is transported over HTTPS.
    8. Repeat the previous steps to create multiple security constraints.

  4. Map security-role-ref and role-name to the role-link.
    During development of the Web application, you can create the security-role-ref element using development tools such as WebSphere Development Studio Client. At this stage the security-role-ref element contains only the role-name field. The role-name field contains the name of the role that the servlet or JSP code references to determine whether the caller is in a specified role (that is, whether the isUserInRole() method returns true). Because security roles are created during the assembly stage, the developer uses a logical role name in the role-name field and provides enough description in the description field for the assembler to map it to the actual role (role-link). The security-role-ref element is at the servlet level; a servlet or JSP file can have zero or more security-role-ref elements.

    To map the elements to role-link, perform these steps:

    1. Click the Source tab.
    2. In the Outline window, expand the servlet to which you want to update the security-role-ref element.
    3. Double-click the security-role-ref element.
    4. In the source editor, type the appropriate values for the role-link element.
    5. Repeat these steps until all servlets have the required role-link element defined.

  5. Configure the login mechanism.
    The configured login mechanism applies to all the servlets, JSP files, and HTML resources in the Web module.

    Click the Pages tab, and in the Login section, specify these settings:

  6. Save the web.xml file.
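As an added example (not taken from the original page or generated by the WebSphere tooling), this is the web.xml deployment descriptor that steps 2 through 5 above produce for a Servlet 2.3 Web module. The servlet name, class, role names, URL patterns and login page paths are assumed values, and form-based login is chosen as one of the three mechanisms:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>OrderServlet</servlet-name>   <!-- assumed servlet name -->
    <servlet-class>com.example.OrderServlet</servlet-class>
    <!-- Step 4: isUserInRole("supervisor") in the servlet code is linked
         to the real security role "manager" declared at the end of the file -->
    <security-role-ref>
      <role-name>supervisor</role-name>
      <role-link>manager</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <servlet-name>OrderServlet</servlet-name>
    <url-pattern>/orders/*</url-pattern>
  </servlet-mapping>
  <!-- Step 3: one security constraint mapping a resource collection to roles -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Order pages</web-resource-name>
      <url-pattern>/orders/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <!-- No http-method listed, so every method is covered; naming only
           GET and POST would leave other verbs (HEAD, PUT, ...) unconstrained -->
    </web-resource-collection>
    <!-- Omitting auth-constraint leaves the collection open to everyone;
         an auth-constraint with no role-name denies everyone -->
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL or INTEGRAL requires HTTPS; NONE allows plain HTTP -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Step 5: form-based login, one of the three mechanisms -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <!-- Step 2: the security role the application declares -->
  <security-role>
    <role-name>manager</role-name>
  </security-role>
</web-app>
```

The role-name values in auth-constraint and role-link must match a declared security-role exactly, otherwise the constraint cannot be bound to users or groups at deployment time.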