Servlets are initialized when they are called; you can change this behaviour like this:
When we talk about security, we are talking about:
4- Data Integrity
NOTE: In security we talk about a REALM; simply put, it is where the authentication information is stored. For example, in Tomcat you can store the authentication information in tomcat-users.xml, and Tomcat will load this information into memory. However, it is better to declare this information in the deployment descriptor.
To do it in tomcat-users.xml and in the deployment descriptor, like this:
You should also set the authentication method in the DD:
So, as you can see, the first thing you do is define the roles in the DD. Now, to assign these roles to a URL, we define a security-constraint:
As you can see, we set a url-pattern, an http-method and an auth-constraint.
Of course you can define multiple constraints, and if constraints conflict, the roles from the different constraints will apply.
It is better to define security in XML; however, you can also do it in code.
Three important functions when we talk about security:
2-getUserPrincipal(): used in JEE
3- getRemoteUser(): is not used a lot
We have 4 authentication types:
1- BASIC: uses the HTTP specification; weak, as there is no encryption (the credentials are only Base64-encoded), but it is an HTTP standard so it is supported by all browsers.
2- DIGEST: uses the HTTP specification; it is strong but not SSL, and it is optional for browsers or the container to support it.
3- CLIENT-CERT: J2EE specification; uses a certificate and encryption, so it is strong.
4- FORM: J2EE specification; weak, as there is no encryption.
So in BASIC, DIGEST and CLIENT-CERT we basically use the browser to handle the authentication, while in FORM we use our own form.
When you see that a method is weak, it means you should use HTTPS with that method.
Integrity and confidentiality
When we talk about integrity, it means that the data must not be changed along the way.
When we talk about confidentiality, it means that the data must not be seen by anybody else.
You can set this value in the user-data-constraint:
- NONE - no special transport guarantees (this is the default if there is no user-data-constraint defined)
- INTEGRAL - data must be sent in a way that guarantees it cannot be changed during transmission (i.e. data is checksummed; SSL achieves this)
- CONFIDENTIAL - data must be sent in a way that guarantees it cannot be observed (or changed) during transmission (i.e. data is encrypted; SSL achieves this)
So basically what Tomcat does is: if a request comes in and it is not secure, it sends a 301 redirect to the HTTPS address so the browser can make the request again.