This tag allows you to force an area of your site to be restricted to authenticated users and/or to use SSL.
Restricting areas to Authenticated Users
A security constraint can be set up to allow access only to Authenticated Users, using the Security Realms feature of the servlet specification.
For example, an administrative area listed at /private can be password-protected using this tag.
Key Point 1: Upon entering the restricted area, the user will be asked to authenticate.
Key Point 2: Use of jsp:forward and jsp:include to request pages from the restricted area, are not subjected to security constraints. eg: Page A can jsp:include protected Page B, with no authentication required.
Constraints contain a <web-resource-collection> element, defining the URL Pattern which will be restricted (eg: /private/*), and an <auth-constraint> area listing the roles that are allowed access.
Two other sections in web.xml are also required:
- <security-roles> to list all roles used by the application
- <login-config> to specify the Authentication method, which may be Form Based or use HTTP (Basic) Authentication.
Forcing the use of SSL
A security constraint can be set up to force certain areas of your site (or your entire site) into SSL mode.
This is useful if those areas will be used for confidential information, such as login details or the entry of credit card details.
Constraints contain a <web-resource-collection> element, defining the URL Pattern which will be restricted (eg: /private/*), and a <user-data-constraint> area listing the transport guarantee level.
For a simple tutorial, see the article Forcing SSL for sections of your website.
Full example forcing authentication as well as SSL
<!-- Define roles -->
<!-- Define a constraint to restrict access to /private/* -->
<!-- Only CMS editors can access this area -->
<!-- All access to this area will be SSL protected -->
<!-- This application uses BASIC authentication -->