Security and authorization constraints will fail without a login configuration.
The <login-config> element is used to configure how users authenticate to an application. A missing authentication method means the application does not know how to apply authorization constraints, since no one can log in. The authentication method is specified using the <auth-method> tag, which is a child of <login-config>.
There are four authentication methods: BASIC, FORM, DIGEST, and CLIENT_CERT.

- BASIC denotes HTTP Basic authentication.
- FORM denotes Form-based authentication.
- DIGEST is like BASIC authentication; however, in DIGEST the password is encrypted rather than sent in cleartext.
- CLIENT_CERT requires that clients have Public Key Certificates and use SSL/TLS.
Example 1: The following configuration does not specify a login configuration, so the declared <security-constraint> can never be enforced.
<web-app>
    <!-- servlet declarations -->
    <servlet>...</servlet>

    <!-- servlet mappings -->
    <servlet-mapping>...</servlet-mapping>

    <!-- security constraints -->
    <security-constraint>...</security-constraint>

    <!-- login-config goes here -->

    <!-- security roles -->
    <security-role>...</security-role>
</web-app>
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service
[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II
[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730
[4] Standards Mapping - FIPS200 - (FISMA) IA
[5] Sun Microsystems, Inc. Java Servlet Specification 2.4
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9
[7] Sun Microsystems, Inc. Specifying an Authentication Mechanism