Security constraints determine how web content is to be
protected.
These properties associate security constraints with one or more
web resource collections. A constraint consists of a web resource
collection, an authorization constraint and a user data constraint.
- A web resource collection is a set of resources (URL patterns)
and HTTP methods on those resources. All requests that contain a request
path that matches the URL pattern described in the web resource collection
are subject to the constraint. If no HTTP methods are specified, then
the security constraint applies to all HTTP methods.
- An authorization constraint is a set of roles that users must
be granted in order to access the resources described by the web resource
collection. If a user who requests access to a specified Uniform Resource
Identifier (URI) is not granted at least one of the roles specified
in the authorization constraint, the user is denied access to that
resource.
- A user data constraint indicates that the transport layer of the
client or server communications process must satisfy the requirement
of either guaranteeing content integrity (preventing tampering in
transit) or guaranteeing confidentiality (preventing reading while
in transit).
Note: This release of WebSphere® Application Server supports security
constraints that are defined in the Java Servlet 3.0 specification
(JSR-315). However, if you use custom HTTP methods, see the information
in the Security custom properties topic regarding the
security.allowCustomHTTPMethods custom property, which differs slightly
from its usage in the Java Servlet 3.0 specification.
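The three parts of a constraint, and the rule that a collection without HTTP methods covers all methods, can be checked directly against a deployment descriptor. The following is an added example, not code from the product documentation: the descriptor, its URL patterns and role names are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor, not taken from the product documentation.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def local_name(tag):
    # Drop the XML namespace so the descriptor version does not matter.
    return tag.rsplit("}", 1)[-1]
def texts(parent, name):
    return [e.text.strip() for e in parent.iter() if local_name(e.tag) == name and e.text]

def parse_constraints(xml_text):
    """Return one record per web resource collection in the descriptor."""
    records = []
    for sc in ET.fromstring(xml_text).iter():
        if local_name(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc if local_name(e.tag) == "auth-constraint"]
        for wrc in (e for e in sc if local_name(e.tag) == "web-resource-collection"):
            records.append({
                "patterns": texts(wrc, "url-pattern"),
                "methods": texts(wrc, "http-method") or None,  # None: all methods
                "roles": texts(auth[0], "role-name") if auth else None,
                "transport": (texts(sc, "transport-guarantee") or ["NONE"])[0],
            })
    return records

def method_limited(records):
    """Collections that name HTTP methods, so other methods are not covered."""
    return [r for r in records if r["methods"]]
```

In the sample, the /admin/* collection is reported because it names only GET and POST, while /reports/* names no methods and therefore applies to every method.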