Data integrity is the process of verifying if data is transmitted without corruption or modification, thus making sure that the data received at the receiver end is in fact the same message sent by the sender. Confidentiality is the process of maintaining data privacy wherein we secure the communications channel, to make sure the data is not accessed in its original form by a third party by eavesdropping.
Confidentiality and data integrity are related to securing the communications channel.
Similar to authorization requirements, confidentiality and data integrity constraints are also defined using the <security-constraint> sub element of the <web-app> element. Confidentiality and data integrity are configured using <transport-guarantee> sub element of <user-data-constraint> element, which is a sub element of the <security-constraint> element.
Possible values for the <transport-guarantee> are:
No security required on the channel
Specifies that data integrity needs to be taken care on the channel
Done by creating a digest for each message sent between the client and server.
Digest is normally appended to the message being transmitted as supplementary information
Specifies that complete encryption is required on the channel
Usually implemented using HTTPS (Secure HTTP), which in turn uses SSL (Secure Socket Layer) encryption.
Encryption systems such as SSL includes message digests to ensure that the encrypted transmitted data is not modified during transmission.
CONFIDENTIAL implies INTEGRAL as well.
It is legal to declare only one <transport-guarantee> element.
If you specify transport guarantee as INTEGRAL or CONFIDENTIAL without configuring SSL and certificates, and request to a non-secure url, you will get a redirect url to corresponding https url, as you can see from tcpmon capture below:
However browser will not be able to connect to this new url if SSL is not configured.
We will see about configuring SSL and certificates and the usage of INTEGRAL and CONFIDENTIAL in another demo.