Protecting Java Web Applications 
To protect a Java application, you must deny access to users who do not have the required authorizations. To do this, you must first require users to authenticate themselves. After a user is authenticated, the system can check whether the user has the required authorizations to work with the application.
You have determined the authentication mechanism to use.
More information about authentication mechanisms: Authentication for Web Based Access.
You have determined your authorization strategy.
In your application, decide what you want to protect, how to group your permissions, and what to call them.
More information: Approaches to Protecting Applications.
Specify the authentication method that your application uses.
More information: Specifying Authentication for the Java Application.
Specify the authentication mechanism and the policy domain for your application.
More information: Specifying Authentication Mechanisms for Java Applications.
Create an application security role to protect access to the application.
More information: Creating Application Roles for Web Access.
Create a security constraint.
More information: Creating a Security Constraint.
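The steps above, shown together as an added example that is not part of the original documentation: a standard Java EE deployment descriptor (WEB-INF/web.xml) that declares an authentication method, an application security role, and a security constraint. The role name, realm name and URL pattern are assumed for illustration; the server-specific settings (the policy domain and the assignment of users to the role) are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Names marked "assumed" are illustrative, not from the page. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Authentication method: the container challenges any unauthenticated
       request that hits a constrained resource. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ExampleRealm</realm-name> <!-- assumed realm name -->
  </login-config>

  <!-- Application security role: every role referenced in an
       auth-constraint must be declared here. -->
  <security-role>
    <description>Users allowed to work with the application</description>
    <role-name>app-user</role-name> <!-- assumed role name -->
  </security-role>

  <!-- Security constraint: ties the protected URLs to the role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern> <!-- assumed: protect everything -->
      <!-- No <http-method> elements on purpose: the constraint then applies
           to every HTTP method. Listing only GET and POST would leave the
           remaining methods outside this constraint. -->
    </web-resource-collection>

    <!-- Only authenticated users in this role are authorized. An empty
         <auth-constraint/> would deny all access; omitting the element
         entirely would allow access without authentication. -->
    <auth-constraint>
      <role-name>app-user</role-name>
    </auth-constraint>

    <!-- BASIC sends credentials with each request, so require TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
```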