Creating a Security Constraint

Context

Security constraints specify which resources are protected by the security role you created for your application. In addition, you can specify the level of transport layer security that is required when accessing these resources.

When specifying the security constraints, you need to consider the following:

  • You need to determine the set of resources that are to be protected. For this purpose, you specify a URL pattern.

  • You can also specify which HTTP methods are to be restricted. For example, you can specify that the HTTP POST method is subject to the security constraint.

  • You then specify an authorization constraint, which specifies the security role that a user must be assigned to in order to access this set of resources.

Procedure

  1. Open the web.xml file.
  2. Specify the constraints in the tag <security-constraint> as shown in the example below:

     <security-constraint>
       <!-- Specify the name of the constraint -->
       <display-name>MySecurityConstraint</display-name>
       <web-resource-collection>
         <web-resource-name>WebResource</web-resource-name>
         <!-- Specify the URL pattern. To specify that all resources under the
              application's URL are subject to this security constraint, use an asterisk (*) -->
         <url-pattern>*</url-pattern>
         <http-method>POST</http-method>
       </web-resource-collection>
       <!-- Specify the role that all users must have to access the application -->
       <auth-constraint>
         <role-name>MyApplicationRole</role-name>
       </auth-constraint>
       <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
     </security-constraint>

  3. Save the file.
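
The following check is an added example, not part of the original documentation or of the product. It audits a web.xml for two properties of the constraint configured above: under the Java Servlet specification, a constraint that lists <http-method> elements applies only to those methods, and a <transport-guarantee> of NONE does not require TLS. The function name audit_web_xml and the sample document (built from the procedure's example) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from the procedure above, wrapped in <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <display-name>MySecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>MyApplicationRole</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}security-constraint'."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every descendant element whose local name is `name`."""
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def audit_web_xml(xml_text):
    """Return (constraint name, finding) tuples for a web.xml document (hypothetical helper)."""
    findings = []
    root = ET.fromstring(xml_text)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        name = (_texts(sc, "display-name") or ["<unnamed>"])[0]
        methods = _texts(sc, "http-method")
        if methods:
            # Listed methods narrow the constraint; unlisted methods are not covered by it.
            findings.append((name, "only %s restricted" % ",".join(methods)))
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            findings.append((name, "no auth-constraint (no role required)"))
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        if guarantee.upper() == "NONE":
            findings.append((name, "transport-guarantee NONE (TLS not enforced)"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(name + ": " + finding)
```

An empty result means every constraint covers all HTTP methods, names a role, and requires INTEGRAL or CONFIDENTIAL transport.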