Oracle JSF Expert 1Z0-896 / Configure security for JSF application using authorization and authentication techniques

Authentication types

  • Basic: the browser asks for user details with a dialogue box and sends the user name and password over the network as Base64-encoded text (encoded, not encrypted, so it is only safe over HTTPS).
  • Form: a user-specified login form collects the credentials, which are sent as plain text (so it should be combined with a CONFIDENTIAL transport guarantee).
  • Digest: does not send the user password over the network. Instead, the client sends a one-way cryptographic hash of the password and additional data.
  • Client: with client authentication, the web server authenticates the client by using the client’s public key certificate.

Configuring authentication in the deployment descriptor

Basic

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Form

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.xhtml</form-login-page>
        <form-error-page>/error.xhtml</form-error-page>
    </form-login-config>
</login-config>

Digest

<login-config>
    <auth-method>DIGEST</auth-method>
</login-config>

Client

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

Configuring authorization in the deployment descriptor

Restrict content in the admin section to users in the admin role

<security-role>
    <role-name>admin</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted content</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

Allow all users access to resources matching the listed url-patterns (a constraint with no auth-constraint requires no authentication)

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unrestricted content</web-resource-name>
        <url-pattern>/resources/images/*</url-pattern>
    </web-resource-collection>
</security-constraint>

Configuring transport mechanisms in the deployment descriptor

  • NONE: accept the constrained requests on any connection, including an unprotected one.
  • INTEGRAL: the application requires that data be sent between client and server in such a way that it cannot be changed in transit. In practice this means HTTPS.
  • CONFIDENTIAL: the application requires that data be transmitted so as to prevent other entities from observing the contents of the transmission. In practice this also means HTTPS.

Allow all users access to resources matching the listed url-patterns, but only over a connection that meets the CONFIDENTIAL transport guarantee

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unrestricted content</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
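A complete web.xml that combines the fragments on this page into one deployment descriptor. This is an added example, not from the course material; the role name, page names and URL patterns are reused from above, and the Servlet 3.1 deny-uncovered-http-methods element is my addition to close the gap left by constraints that list only some HTTP methods.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example web.xml (Servlet 3.1) combining the fragments above;
     role name, page names and URL patterns are assumptions reused from the page. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <!-- FORM login: /login.xhtml must POST j_username and j_password to j_security_check -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/error.xhtml</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>admin</role-name>
    </security-role>

    <!-- Listing http-method elements leaves every other verb uncovered and therefore
         unprotected; omitting them covers all verbs, and this element makes the container
         reject uncovered methods wherever a constraint does list some. -->
    <deny-uncovered-http-methods/>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted content</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Public static assets, still over HTTPS; no auth-constraint means any user may read them -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unrestricted content</web-resource-name>
            <url-pattern>/resources/images/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
```

The roles named in auth-constraint must be mapped to users or groups in the container's realm, which is configured outside web.xml and differs per server.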
