Security constraints
Security constraints declare how to protect Web content. These properties
associate security constraints with one or more Web resource collections.
A constraint consists of a Web resource collection, an authorization constraint
and a user data constraint.
- A Web resource collection is a set of resources (URL patterns) and HTTP
methods on those resources. All requests whose request path matches the
URL pattern described in the Web resource collection are subject
to the constraint. If no HTTP methods are specified, then the security constraint
applies to all HTTP methods.
- An authorization constraint is a set of roles that users must be granted
in order to access the resources described by the Web resource collection.
If a user who requests access to a specified URI is not granted at least one
of the roles specified in the authorization constraint, the user is denied
access to that resource.
- A user data constraint indicates that the transport layer of the client
or server communications process must satisfy the requirement
of either guaranteeing content integrity (preventing tampering in transit)
or guaranteeing confidentiality (preventing reading while in transit).
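
The three parts described above can be reviewed mechanically. The following is an added example, not part of the original page or of any product's code: it assumes the constraints are written in a standard Java EE `web.xml` deployment descriptor (element names `security-constraint`, `web-resource-collection`, `auth-constraint`, `user-data-constraint`), and the sample descriptor, the `audit` function, and the finding texts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (assumption: standard web.xml element names).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def _texts(elem, name):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and e.text]

def audit(web_xml):
    """Summarize each <security-constraint> and list points to review."""
    results = []
    root = ET.fromstring(web_xml)
    for sc in (e for e in root.iter() if _local(e.tag) == "security-constraint"):
        methods = _texts(sc, "http-method")
        transport = (_texts(sc, "transport-guarantee") or ["NONE"])[0]
        findings = []
        if methods:  # an empty list would mean "all HTTP methods"
            findings.append("methods listed: other HTTP methods are outside this constraint")
        if not any(_local(e.tag) == "auth-constraint" for e in sc.iter()):
            findings.append("no auth-constraint: no role is required")
        if transport == "NONE":
            findings.append("no transport guarantee: integrity/confidentiality not required")
        results.append({"patterns": _texts(sc, "url-pattern"), "methods": methods or ["*"],
                        "roles": _texts(sc, "role-name"), "transport": transport,
                        "findings": findings})
    return results
```

Call `audit(SAMPLE_WEB_XML)` (or pass the text of a real descriptor) and inspect the `findings` list of each entry.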