The Web Container supports the declarative Java EE security model. In declarative security, the application's web descriptor specifies the application's security policy (roles, access control, etc.) without changing the application's code. The following is an example code snippet from a web descriptor that shows the declarative security syntax. This example secures web application resources with url-pattern=/secure/*:
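A web descriptor fragment matching this description, given here as an added example rather than the page's original snippet. The resource name, the BASIC login method and the realm name are assumptions; the url-pattern and the user.anyone role come from the text.

```xml
<!-- Added example: Servlet 2.3 web descriptor fragment, not the page's original snippet. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <!-- Assumption: free-form label chosen for this example. -->
      <web-resource-name>Secure Area</web-resource-name>
      <!-- From the page: everything under /secure/ is protected. -->
      <url-pattern>/secure/*</url-pattern>
      <!-- No <http-method> elements are listed, so the constraint covers
           every HTTP method. Listing only some methods would leave the
           unlisted ones unconstrained. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- From the page: the default User Admin role; any valid user qualifies. -->
      <role-name>user.anyone</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <!-- Assumption: the page does not say which auth methods are supported. -->
    <auth-method>BASIC</auth-method>
    <!-- Assumption: constructed realm name. -->
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Every role referenced in an auth-constraint is declared here. -->
  <security-role>
    <role-name>user.anyone</role-name>
  </security-role>
</web-app>
```

Paths outside /secure/* are not covered by this constraint and remain accessible without authentication.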
To configure a web application to use declarative security on the Web Container, the web descriptor must define a list of valid User Admin roles in the <role-name> tag. This list of roles can include user and group roles. The above example uses the default User Admin role of user.anyone. This means any valid user can log in to this web application. The Web Container assumes that all User Admin users store their passwords as a credential with the key "password". If no valid users are created with User Admin, then the Web Container will not let anyone access the web application resources that have been secured.
Developers may also use programmatic security to control access to a web application. For more information on the web descriptor and the declarative and programmatic security models, refer to the Servlet 2.3 specification.