You define a web resource, such as a web application or web service, as a protected resource by placing a security constraint on that resource. Security constraints are specified by <security-constraint> XML elements in the web.xml file in your project's WEB-INF directory.
Security constraints define web resources in terms of URL patterns. In the following example, the web service HelloWorldSecure.jws is protected because the URL where it resides ("/security/transport/helloWorldSecure/HelloWorldSecure.jws/") falls under the constraint's <url-pattern>.
<security-constraint>
    <display-name>
        Security Constraint for HelloWorldSecure.jws
    </display-name>
    <web-resource-collection>
        <web-resource-name>HelloWorldSecure.jws</web-resource-name>
        <description>A web service secured by SSL.</description>
        <!-- Defines the scope of the web resource to be protected.
             Secure all method calls to the HelloWorldSecure web service. -->
        <url-pattern>/security/transport/helloWorldSecure/HelloWorldSecure.jws/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>
<url-pattern>/security/transport/helloWorldSecure/*</url-pattern>
Using the <url-pattern> element you can restrict access to an entire web application, a folder or a particular file within the web application.
For example, suppose that you have written a web project called myWebProject that contains a web service called myWebService, which in turn has a method called myWebServiceMethod.
The following <url-pattern> element declares the entire project as protected.
<url-pattern>/*</url-pattern>
The following <url-pattern> element declares the webservices folder as protected.
<url-pattern>/webservices/*</url-pattern>
The following <url-pattern> element declares that the web service myWebService should be protected.
<url-pattern>/webservices/myWebService.jws/*</url-pattern>
Once you have declared a web resource as protected, you can further specify the sort of protection (transport or role-based) to be applied to the resource.
For details on enabling SSL for a web resource see One-way SSL and Two-way SSL.
For details on defining an authentication procedure for a web resource see Username/Password Authentication.
For details on defining an authorization procedure for a web resource see Role-Based Security.
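The following check is an added example, not part of the original documentation or of WebLogic's own tooling: it applies the Servlet specification's URL-pattern matching rules to a web.xml and reports constraints that cover less than they appear to. The sample web.xml is constructed (its first constraint mirrors the HelloWorldSecure.jws example, its second is hypothetical), the function names are illustrative, and the file is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (Servlet 2.3 DTD style, no XML namespace assumed).
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HelloWorldSecure.jws</web-resource-name>
      <url-pattern>/security/transport/helloWorldSecure/HelloWorldSecure.jws/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>webservices</web-resource-name>
      <url-pattern>webservices/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def matches(pattern, path):
    """Servlet-spec matching: '/x/*' is a prefix, '*.ext' an extension, else exact."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern  # the default pattern "/" is not modelled here

def covered(web_xml, path, method):
    """True if some web-resource-collection covers this path and HTTP method."""
    for coll in ET.fromstring(web_xml).iter("web-resource-collection"):
        methods = [m.text.strip().upper() for m in coll.findall("http-method")]
        hit = any(matches(p.text.strip(), path) for p in coll.findall("url-pattern"))
        if hit and (not methods or method.upper() in methods):
            return True
    return False

def audit(web_xml):
    """Return (resource name, finding) pairs for constraints that cover less than intended."""
    findings = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        unenforced = sc.find("auth-constraint") is None and sc.find("user-data-constraint") is None
        for coll in sc.findall("web-resource-collection"):
            name = coll.findtext("web-resource-name", "?").strip()
            if coll.find("http-method") is not None:
                findings.append((name, "only listed HTTP methods are covered"))
            if any(not p.text.strip().startswith(("/", "*.")) for p in coll.findall("url-pattern")):
                findings.append((name, "url-pattern lacks leading '/': exact match only"))
            if unenforced:
                findings.append((name, "no auth-constraint or user-data-constraint"))
    return findings
```

Removing the <http-method> elements from a collection makes the constraint apply to every HTTP method.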
Related Topics
WebLogic Workshop Documentation
WebLogic Server 8.1 Documentation