Security constraints in web applications

Security constraints determine how web content is to be protected.

These properties associate security constraints with one or more web resource collections. A constraint consists of a web resource collection, an authorization constraint and a user data constraint.

• A web resource collection is a set of resources (URL patterns) and HTTP methods on those resources. All requests that contain a request path that matches the URL pattern described in the web resource collection are subject to the constraint. If no HTTP methods are specified, then the security constraint applies to all HTTP methods.

• An authorization constraint is a set of roles that users must be granted in order to access the resources described by the web resource collection. If a user who requests access to a specified Uniform Resource Identifier (URI) is not granted at least one of the roles specified in the authorization constraint, the user is denied access to that resource.

• A user data constraint indicates that the transport layer of the client or server communications process must satisfy the requirement of either guaranteeing content integrity (preventing tampering in transit) or guaranteeing confidentiality (preventing reading while in transit).

This release of WebSphere Application Server supports security constraints defined in the Java Servlet 3.0 specification (JSR-315).

However, if we use the HTTP custom method, see the information in the Security custom properties topic regarding the security.allowCustomHTTPMethods custom property, which differs slightly from its usage in the Java Servlet 3.0 specification.