ABSTRACT

Security and authorization constraints will fail without a login configuration.

EXPLANATION

The <login-config> element configures how users authenticate to an application. Without an authentication method the container has no way to establish who the caller is, so it cannot enforce the authorization constraints declared in the application's <security-constraint> elements: no one can log in, and every protected resource becomes unreachable (or, depending on the container, reachable without a check). The authentication method is specified with the <auth-method> tag, a child of <login-config>.

There are four authentication methods: BASIC, FORM, DIGEST, and CLIENT_CERT.

BASIC denotes HTTP Basic authentication.
FORM denotes Form-based authentication.
DIGEST works like BASIC, except that the password is transmitted in digested (encrypted) form rather than in the clear.
CLIENT_CERT requires clients to present a public-key certificate over an SSL/TLS connection.



Example 1: The following configuration does not specify a login configuration.


<web-app>

<!-- servlet declarations -->
<servlet>...</servlet>

<!-- servlet mappings -->
<servlet-mapping>...</servlet-mapping>

<!-- security-constraints -->
<security-constraint>...</security-constraint>

<!-- login-config goes here -->

<!-- security-roles -->
<security-role>...</security-role>

</web-app>
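The following is an added example, not code from the original page: a small Python checker that parses a web.xml deployment descriptor and reports a <security-constraint> that requires authentication while no usable <login-config> is declared. The two sample descriptors are constructed for this example (the servlet class, URL patterns and login pages are placeholders); the element names and the four <auth-method> values come from the Servlet specification. The rule that only a <security-constraint> carrying an <auth-constraint> needs a <login-config> is a design choice of this example, since a constraint with only a <user-data-constraint> does not require the caller to be identified.

```python
# Added example (not from the original page): check a web.xml for a
# <security-constraint> that needs authentication but has no <login-config>.
# Sample descriptors below are constructed; element names follow the
# Java Servlet specification.
import xml.etree.ElementTree as ET

# The four <auth-method> values defined by the Servlet specification.
VALID_AUTH_METHODS = {"BASIC", "FORM", "DIGEST", "CLIENT_CERT"}

# Constructed descriptor in the shape of Example 1: a protected URL space
# and a role, but the login-config slot is empty.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>admin</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- login-config goes here -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
"""

# The same descriptor with a FORM login configuration filled into the slot
# (login page paths are placeholders).
FIXED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<!-- login-config goes here -->",
    """<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>""",
)


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}auth-method' -> 'auth-method'."""
    return tag.rsplit("}", 1)[-1]


def _descendants(element, name):
    """All descendants of element whose local tag name equals name."""
    return [el for el in element.iter() if el is not element and _local(el.tag) == name]


def check_login_config(web_xml_text):
    """Return a list of finding strings; an empty list means nothing was found.

    Rule (a design choice of this example): a <security-constraint> with an
    <auth-constraint> forces the container to identify the caller, so the
    descriptor must then declare a <login-config> whose <auth-method> is one
    of the four spec-defined values.
    """
    root = ET.fromstring(web_xml_text)
    findings = []

    protected = [sc for sc in _descendants(root, "security-constraint")
                 if _descendants(sc, "auth-constraint")]
    if not protected:
        return findings  # no constraint needs a logged-in user

    login_configs = _descendants(root, "login-config")
    if not login_configs:
        findings.append("%d security-constraint(s) require authentication but "
                        "<login-config> is missing" % len(protected))
        return findings

    for lc in login_configs:
        methods = _descendants(lc, "auth-method")
        method = (methods[0].text or "").strip() if methods else ""
        if not method:
            findings.append("<login-config> has no <auth-method>")
        elif method not in VALID_AUTH_METHODS:
            findings.append("unknown <auth-method> %r; expected one of %s"
                            % (method, ", ".join(sorted(VALID_AUTH_METHODS))))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label + ":", check_login_config(text) or "OK")
```

Run as a script it prints one finding for the Example 1 style descriptor and OK for the corrected one; the same function can be pointed at any web.xml read from disk to catch the omission before deployment.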

REFERENCES

[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[2] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[3] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730

[4] Standards Mapping - FIPS200 - (FISMA) IA

[5] Sun Microsystems, Inc. Java Servlet Specification 2.4

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9

[7] Sun Microsystems, Inc. Specifying an Authentication Mechanism