Portlet Factory, Version 6.1.2


 

Example WEB.XML security components

The following configuration shows the security portions of the WEB-INF/web.xml J2EE Web Application Deployment Descriptor that ships with IBM® WebSphere Portlet Factory 5. The example includes comments that explain the various items. Typically, you manage this information with an application server's administration and application management tools. It is provided here to give you a better understanding of what you are managing and what those management tools can do for you.

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
  <display-name>Factory Automation Engine 5.0</display-name>
  <description>IBM Automation Engine 5.0</description>
  <servlet>
    <!-- The Primary WebApp Engine Servlet that model/WebApp requests go through -->
    <servlet-name>WebEngineServlet</servlet-name>
    <servlet-class>com.bowstreet.webapp.engine.WebAppServlet</servlet-class>
    <init-param>
      <param-name>bowstreet.URLMapper</param-name>
      <param-value>com.bowstreet.webapp.util.WebAppURLMapper</param-value>
    </init-param>
    <!-- If you change this load-on-startup order number, make sure it comes
         AFTER J2EEDeployment servlet's load-on-startup value defined below. -->
    <load-on-startup>2</load-on-startup>
    <security-role-ref id="SecurityRoleRef_1">
      <!-- This links the name used for programmatic role checks, as is the
           case with J2EE Role based profile selection and OPTIONAL J2EE Role
           based WebApp authorization checks, if roles are optionally added to
           model properties (in addition to the recommended use of security
           constraints shown below). For some current servers, you MUST have
           this reference from programmatic name to definition name
           (WebSphere). For others you could leave this out if you only ever
           run on that brand AppServer. In the next release of the J2EE
           Servlet Spec (2.3), the spec is more clear that you should be able
           to leave this out and the name mapping should be implicit. For
           simplicity and to prevent mistakes, we recommend that you use the
           same value for role-name and role-link. -->
      <role-name>FactoryAdministrators</role-name>
      <role-link>FactoryAdministrators</role-link>
    </security-role-ref>
    <security-role-ref id="SecurityRoleRef_2">
      <role-name>SOAPUsers</role-name>
      <role-link>SOAPUsers</role-link>
    </security-role-ref>
  </servlet>
  <servlet>
    <!-- For internal use only - no URL mapping defined -->
    <servlet-name>J2EEDeploymentHandler</servlet-name>
    <servlet-class>com.bowstreet.servlet.J2EEDeploymentHandler</servlet-class>
    <init-param>
      <param-name>bowstreet.rootDirectory</param-name>
      <param-value>extractedfactory4</param-value>
    </init-param>
    <init-param>
      <param-name>bowstreet.archiveVersion</param-name>
      <param-value>1</param-value>
    </init-param>
    <init-param>
      <param-name>bowstreet.extractionDirectory.1</param-name>
      <param-value>WEB-INF</param-value>
    </init-param>
    <init-param>
      <param-name>bowstreet.extractionDirectory.2</param-name>
      <param-value>[html]</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <!-- Mapping from URL path to the WebEngine Servlet defined above.
         NOTE: If you change this, ensure you update security constraints
         associated with this URL path. -->
    <servlet-name>WebEngineServlet</servlet-name>
    <url-pattern>/webengine/*</url-pattern>
  </servlet-mapping>
...
  <security-constraint id="SecurityConstraint_1">
    <!-- Nobody should really need to directly hit auto-generated WebApp genjsp JSP pages -->
    <web-resource-collection id="WebResourceCollection_1">
      <web-resource-name>Generated JSP pages</web-resource-name>
      <url-pattern>/webengine/genjsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_1">
      <description>Roles allowed to execute generated pages under genjsp directory.</description>
      <role-name>FactoryAdministrators</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint id="SecurityConstraint_100">
    <web-resource-collection id="WebResourceCollection_100">
      <web-resource-name>SOAPRequests</web-resource-name>
      <url-pattern>/AxisServlet/*</url-pattern>
    </web-resource-collection>
    <auth-constraint id="AuthConstraint_100">
      <description>Roles allowed to execute SOAP based incoming service requests</description>
      <role-name>SOAPUsers</role-name>
    </auth-constraint>
  </security-constraint>
-->
  <login-config id="LoginConfig_1">
    <!-- Login configuration to use if security constraint forces requestor to
         login before proceeding to a protected URL. To change to HTTP Basic
         Auth, for example, for use with SOAP services, change FORM to BASIC
         in the <auth-method> element below. -->
    <auth-method>FORM</auth-method>
    <realm-name>WebAppAuthentication</realm-name>
    <form-login-config id="FormLoginConfig_1">
      <form-login-page>/factory/login/login.jsp</form-login-page>
      <form-error-page>/factory/login/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role id="SecurityRole_1">
    <!-- Out of the box role for Factory Admins, used for admin models above.
         Map this to users/groups via your AppServer's administration tools. -->
    <description>Factory Administrators</description>
    <role-name>FactoryAdministrators</role-name>
  </security-role>
  <security-role id="SecurityRole_2">
    <description>Example SOAP Users Role</description>
    <role-name>SOAPUsers</role-name>
  </security-role>
</web-app>
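
The comments in the descriptor ask for two things that are easy to break by hand: every role-link must name a declared security-role (with role-name kept identical), and security constraints must follow the servlet URL mapping when it changes. The Python check below is an added example, not part of the IBM-shipped file or tooling; the audit function, its finding messages and the sample descriptor are constructed for illustration, and it assumes a DTD-style descriptor without XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample with two deliberate mistakes: a role-link that names no
# declared role, and a servlet mapping moved without updating the constraint.
SAMPLE = """<web-app>
  <servlet>
    <security-role-ref>
      <role-name>FactoryAdministrators</role-name>
      <role-link>FactoryAdmins</role-link>
    </security-role-ref>
  </servlet>
  <servlet-mapping>
    <url-pattern>/engine/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/webengine/genjsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>FactoryAdministrators</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>FactoryAdministrators</role-name></security-role>
</web-app>"""

def audit(xml_text):
    """Return findings for undeclared roles and constraints on unmapped paths."""
    root = ET.fromstring(xml_text)
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    mapped = [m.findtext("url-pattern", "").strip() for m in root.iter("servlet-mapping")]
    findings = []
    for ref in root.iter("security-role-ref"):
        name = ref.findtext("role-name", "").strip()
        link = ref.findtext("role-link", "").strip()
        if link not in declared:
            findings.append(f"role-link '{link}' matches no <security-role>")
        if name != link:
            findings.append(f"role-name '{name}' differs from role-link '{link}'")
    for constraint in root.iter("security-constraint"):
        for role in constraint.findall("auth-constraint/role-name"):
            if (role.text or "").strip() not in declared:
                findings.append(f"auth-constraint role '{role.text}' is undeclared")
        for pat in constraint.findall("web-resource-collection/url-pattern"):
            path = (pat.text or "").strip()
            # Heuristic: a constrained path outside every servlet mapping may be stale.
            if not any(path.startswith(m[:-1]) if m.endswith("/*") else path == m
                       for m in mapped):
                findings.append(f"constraint path '{path}' is under no servlet-mapping")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The path check is a heuristic: a constraint can legitimately protect static content or JSP files that no servlet mapping covers, so treat that finding as a prompt to review rather than an error.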
