Apache Jakarta and Beyond: A Java Programmer's Introduction [Electronic resources]

Larne Pekowsky


17.4. Security

There is a lot of meaning packed into the apparently simple word "security." For the purposes of what follows it will be taken to mean the following three things:

  • Ensuring that protected content can only be seen by authorized persons.

  • Ensuring that the server is the one the user believes he or she is connected to.

  • Ensuring that no third party between the server and client can eavesdrop on the conversation.

However, there is a great deal more involved in making a site secure than can be covered here, and administrators in charge of large sites need to consider many other aspects.

Tomcat's security is based on a few fundamental concepts. There are one or more security roles, each of which is designated by a name. Some typical names would be admin for administrators of a site, manager for a manager within a company, customer for someone who has paid for premium content, and so on. There is no restriction on the names, and new ones can be created as needed.
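To make the role concept concrete, here is an added example of a deployment descriptor (WEB-INF/web.xml) that declares the role names mentioned above and uses them to protect parts of a hypothetical application. It is not code from the book; the URL patterns (/premium/*, /admin/*) and the login page names are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example web.xml for a hypothetical application.
     Role names admin, customer and premium_customer follow the text above;
     the URL patterns and page names below are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Declare every role the application refers to. Nothing here says which
       user holds which role: that mapping lives in the Realm Tomcat is
       configured with (for the default UserDatabaseRealm, conf/tomcat-users.xml). -->
  <security-role><role-name>customer</role-name></security-role>
  <security-role><role-name>premium_customer</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>

  <!-- Premium pages: only users in the premium_customer role may see them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Premium content</web-resource-name>
      <url-pattern>/premium/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>premium_customer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes Tomcat redirect plain HTTP requests for these URLs
         to HTTPS, so the protected content and the login credentials are not
         sent in the clear. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Administrative pages: admin role only, also over HTTPS. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- How users prove who they are. FORM authentication lets the application
       supply its own login page; the page names are assumptions. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Example application</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

</web-app>
```

Two points worth checking when writing a descriptor like this. First, a URL that matches no security-constraint is open to everyone, so the protection is only as complete as the list of url-pattern elements; it is easy to protect /premium/* and forget that the same pages are also reachable through a servlet mapped elsewhere. Second, an auth-constraint only names roles that must be declared in a security-role element; a user whose account in tomcat-users.xml carries a role the descriptor never mentions gains nothing from it, which is the intended behaviour but a common source of "why can't this user log in" confusion.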

Web applications are protected by role, so one section of a site may be restricted to users in the customer role and another section restricted to users in the premium_customer role. Users marked as managers may have access to special