Security constraints in Web apps



Overview

Security constraints consist of...


Web resource collection

Web resource collections consist of...

Request paths that match the URL pattern described in the Web resource collection are subject to the constraint. If no HTTP methods are specified, then the security constraint applies to all HTTP methods.


Authorization constraint

Set of roles that users must be granted to access URL patterns described by the Web resource collection. If a user who requests access to a specified URI is not granted at least one of the roles specified in the authorization constraint, the user is denied access to the resource.

The http-methodType schema includes...

<xsd:simpleType name="http-methodType">
    <xsd:annotation>
        <xsd:documentation> A HTTP method type as defined in HTTP 1.1 section 2.2. </xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
        <xsd:pattern value="[\p{L}-[\p{Cc}\p{Z}]]+"/>
    </xsd:restriction>
</xsd:simpleType>

...and requires elements to be a token. Tokens can contain any character except for control characters and separators.


User data constraint

Indicates that the transport layer of the client or server communications process must satisfy the requirement of either guaranteeing content integrity (preventing tampering in transit) or guaranteeing confidentiality (preventing reading while in transit).