I am completely new to container managed security and need some help with configuring it in my web application.
I want to restrict access to the JSPs within my web application. This is how I have configured security in my web.xml:
<security-constraint>
    <display-name>PrivilegedConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>JSP Files</web-resource-name>
        <description>All the jsp files in the web application</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>PrivilegedRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description/>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
</login-config>
<security-role>
    <description>This is a privileged role. Has access to everything in the web app</description>
    <role-name>PrivilegedRole</role-name>
</security-role>
My questions are:
What is the purpose of realm-name in the login-config element? Where do I configure the usernames and passwords and map the users to the roles?
When I try to access a JSP within my web application, I get asked for a username and password. What do I give there? And how does this security mechanism work?
I am completely new to security, so I will be grateful if someone can point me to a nice article which explains the basics of configuring security and how it actually works.
Q: "What is the purpose of realm-name in the login-config element?"
From the Java EE 6 tutorial:
A realm is a security policy domain defined for a web or application server. A realm contains a collection of users, who may or may not be assigned to a group.
The behaviour is defined thus in the current Servlet 3.0 spec:
HTTP Basic Authentication, which is based on a username and password, is the authentication mechanism defined in the HTTP/1.0 specification. A web server requests a web client to authenticate the user. As part of the request, the web server passes the realm (a string) in which the user is to be authenticated. The web client obtains the username and the password from the user and transmits them to the web server. The web server then authenticates the user in the specified realm.
Q: "Where do I configure the usernames and passwords and map the users to the roles?"
This is container specific. That is, each server vendor is free to define how users/groups are defined and how this information is configured. There is usually more than one way to do this.
Users and groups are often defined in a directory. The server is then configured to use this directory and the administrator will map the application roles at deployment time.
A developer Tomcat test server might use a flat file; a production WebSphere server might hook into the company Exchange directory via LDAP.
Refer to your server documentation for more.
You could do worse than follow the Oracle Java EE 6 tutorial with Netbeans and Glassfish, but be aware of the steps that are specific to that vendor's products.
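As an added example, not taken from the question or the answer above, this is what the "flat file" case the answer mentions looks like on a Tomcat test server: Tomcat's default server.xml wires a UserDatabaseRealm to conf/tomcat-users.xml, and the role names in that file are matched directly against the role-name values in the web.xml above. The user name and password are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/tomcat-users.xml (Tomcat's default realm store).
     The rolename must match the <role-name> used in web.xml's
     <auth-constraint> and <security-role>: PrivilegedRole. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <!-- Declare the application role the container will check. -->
  <role rolename="PrivilegedRole"/>

  <!-- Placeholder account: this is the username/password the BASIC
       dialog asks for. The user is granted PrivilegedRole, so the
       *.jsp constraint is satisfied after a successful login. -->
  <user username="EXAMPLE_USER"
        password="EXAMPLE_PASSWORD"
        roles="PrivilegedRole"/>

  <!-- A user without the role authenticates successfully but still
       gets 403 Forbidden on *.jsp, because the auth-constraint is
       an authorization check, not just an authentication check. -->
  <user username="EXAMPLE_OTHER"
        password="EXAMPLE_OTHER_PASSWORD"
        roles="SomeOtherRole"/>
</tomcat-users>
```

Note that BASIC sends the credentials Base64-encoded, not encrypted, so with `<transport-guarantee>NONE</transport-guarantee>` they cross the network in the clear; change it to `CONFIDENTIAL` so the container redirects to HTTPS before prompting.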