Oracle Server E10293-02 User Manual
Configuring Application Security
3-4 Oracle Communication and Mobility Server Developer’s Guide
The deployment descriptor file enables application security through its
<security-constraint> element. Security is declared per servlet by adding a
<security-constraint> element to servlets that require authentication and
authorization.
The <proxy-authentication/> element defines servlet authentication. If a servlet
requires authentication, then it can request either a 401 Response (Unauthorized), which
is the default, or a 407 Response (Proxy Authentication Required).
A security constraint can hold one or more resource collections,
<resource-collection>, each indicating the servlet that requires authentication
and the SIP methods that require authentication.
Users can have a single role, several roles, or no role at all. Each security constraint can
set zero or one authorization constraints, <auth-constraint>, containing zero or
more role names, <role-name>, that the authenticated user is authorized against.
Besides being declared in the deployment descriptor, authorization can also be checked
programmatically from inside a servlet, for example with the isUserInRole method on
the SipServletRequest or the SipServletResponse object.
Example 3–3 illustrates a security constraint that requires authentication for
MyServlet when the request is either an INVITE or a MESSAGE. There are no
authorization constraints to any roles. An unauthenticated user receives a 407 Response
(Proxy Authentication Required) on its request if <proxy-authentication/> is set.
Example 3–3 Configuring Application Security
<security-constraint>
  <display-name>MyServlet Security Constraint</display-name>
  <resource-collection>
    <resource-name>MyServletResource</resource-name>
    <description>Securing MyServlet</description>
    <servlet-name>MyServlet</servlet-name>
    <sip-method>MESSAGE</sip-method>
    <sip-method>INVITE</sip-method>
  </resource-collection>
  <proxy-authentication/>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
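
The following is an added example, not part of the Oracle guide: a Python check that reads the constraint from Example 3–3 and reports which challenge an unauthenticated request receives and which SIP methods no constraint covers. The <sip-app> wrapper, the function names, and the treatment of a collection without <sip-method> as covering every method are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint from Example 3-3 inside an assumed <sip-app> root.
DESCRIPTOR = """<sip-app><security-constraint>
  <display-name>MyServlet Security Constraint</display-name>
  <resource-collection>
    <resource-name>MyServletResource</resource-name>
    <servlet-name>MyServlet</servlet-name>
    <sip-method>MESSAGE</sip-method>
    <sip-method>INVITE</sip-method>
  </resource-collection>
  <proxy-authentication/>
  <auth-constraint><role-name>*</role-name></auth-constraint>
</security-constraint></sip-app>"""


def load_constraints(xml_text):
    """Return one dict per <security-constraint> found in the descriptor."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        constraints.append({
            "name": sc.findtext("display-name", default=""),
            # One (servlet names, SIP methods) pair per <resource-collection>.
            "collections": [
                ({(e.text or "").strip() for e in rc.findall("servlet-name")},
                 {(e.text or "").strip().upper() for e in rc.findall("sip-method")})
                for rc in sc.findall("resource-collection")],
            # 401 is the default; <proxy-authentication/> switches to 407.
            "challenge": 407 if sc.find("proxy-authentication") is not None else 401,
            # None means no <auth-constraint>; otherwise the listed role names.
            "roles": None if auth is None
                     else [(r.text or "").strip() for r in auth.findall("role-name")],
        })
    return constraints


def challenge_for(constraints, servlet, method):
    """Status an unauthenticated request receives, or None if nothing covers it."""
    for c in constraints:
        for servlets, methods in c["collections"]:
            # Assumption: a collection with no <sip-method> covers every method.
            if servlet in servlets and (not methods or method.upper() in methods):
                return c["challenge"]
    return None


def uncovered_methods(constraints, servlet, methods):
    """SIP methods that reach the servlet without any authentication constraint."""
    return [m for m in methods if challenge_for(constraints, servlet, m) is None]
```

Run against a real descriptor, uncovered_methods lists the methods a servlet handles that no <resource-collection> names, which is where authentication is most often left out by omission.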