ABSTRACT

A security constraint that does not specify a user data constraint cannot guarantee that restricted resources will be protected at the transport layer.

EXPLANATION


web.xml security constraints are typically used for role-based access control, but the optional <user-data-constraint> element also specifies a transport guarantee that prevents the protected content from being transmitted insecurely. A constraint that controls who may reach a resource but says nothing about how the data travels leaves the container free to serve that resource over plain HTTP.

Within the <user-data-constraint> tag, the <transport-guarantee> tag defines how communication should be handled. There are three levels of transport guarantee:

1) NONE means that the application requires no transport guarantee for the resource.
2) INTEGRAL means that the application requires that data sent between the client and server be protected so that it cannot be changed in transit without detection.
3) CONFIDENTIAL means that the application requires that data be transmitted in a way that prevents other parties from observing the contents of the transmission.



In practice, containers satisfy both INTEGRAL and CONFIDENTIAL by requiring TLS (HTTPS): a plain-HTTP request for a matching URL is refused or redirected to the HTTPS port. If the <user-data-constraint> and <transport-guarantee> elements are omitted, the transport guarantee defaults to NONE, and the resource may be served in plaintext even though access to it is role-restricted.

Example 1: The following security constraint restricts the storefront to a role but does not specify a transport guarantee, so the container will serve /store/shop/* over unencrypted HTTP.


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Storefront</web-resource-name>
    <description>Allow Customers and Employees access to online store front</description>
    <url-pattern>/store/shop/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Anyone</description>
    <role-name>anyone</role-name>
  </auth-constraint>
</security-constraint>
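The corrected form of Example 1, as an added example that is not part of the original page: the same web-resource-collection and auth-constraint, plus a <user-data-constraint> requiring CONFIDENTIAL transport. The role name, URL pattern and description are the ones from Example 1; the description text inside the new element is illustrative.

```xml
<!-- Added example (not from the original page): Example 1 with a transport
     guarantee. Any plain-HTTP request for /store/shop/* is now refused or
     redirected to HTTPS by the container instead of being served in clear. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Storefront</web-resource-name>
    <description>Allow Customers and Employees access to online store front</description>
    <url-pattern>/store/shop/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Anyone</description>
    <role-name>anyone</role-name>
  </auth-constraint>
  <!-- The schema requires user-data-constraint to follow auth-constraint. -->
  <user-data-constraint>
    <description>Storefront traffic must be encrypted</description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two things to check after adding the element. First, the guarantee only covers the URL patterns listed in the web-resource-collection; any other path that handles the same data needs its own constraint. Second, the container must actually have an HTTPS connector configured (with Tomcat, the HTTP connector's redirectPort attribute names the port the redirect goes to); without one, requests that hit the constraint are rejected rather than upgraded. To verify the deployment, request http://<host>/store/shop/ and confirm the response is a redirect to the https:// URL or an error, not a 200 with page content. Because the redirect itself is still answered to a plaintext request, cookies for this path should also be marked Secure so they are never sent over the HTTP leg.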

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A10 Insecure Configuration Management

[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A9 Insecure Communications

[3] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A9 Insufficient Transport Layer Protection

[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[5] Standards Mapping - FIPS200 - (FISMA) CM, SC

[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 5

[7] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) Information Leakage

[8] Sun Microsystems, Inc. Java EE 5 Tutorial: Establishing a Secure Connection Using SSL

[9] Sun Microsystems, Inc. Java Servlet Specification Version 2.3

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 4.1, Requirement 6.5.10

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 4.1, Requirement 6.5.4