We can implement web security by using the following 3 tags.

<security-constraint>
It defines the resources which have to be protected, which roles are allowed to access them, the HTTP methods to which the security constraint applies, etc.

<login-config>
We can use this tag to specify the type of authentication we are using.

<security-role>
It can be used to define security roles.

All 3 of these tags are direct child tags of <web-app>, and hence we can place them anywhere within <web-app>.

<security-constraint>

This tag defines the following 3 child tags.

<web-resource-collection>
Defines the resources which are to be protected.
<auth-constraint>
It represents the roles which are allowed to access the protected resource.
<user-data-constraint>
It specifies what type of protection is required when transporting the resource across the network.

<web-resource-collection>

It contains the following 4 child tags.
<web-resource-name>
<description>
<url-pattern>
<http-method> (It specifies the HTTP method to which the security constraint is applicable.)

If we do not specify this tag, the security constraint is applicable for all HTTP methods.

<auth-constraint>

It specifies which roles are allowed to access the protected resource. It contains the following 2 child tags.

<description>
<role-name>

If the security constraint is applicable for every role, then we have to specify it as follows.
<role-name>*</role-name>

<user-data-constraint>

The tag contains the following 2 child tags.

<description>
<transport-guarantee>
This tag specifies what type of guarantee we are providing while transporting the resource across the network.

The allowed values are:

NONE: It means data will be transported in plain text form. It is the default value.
INTEGRAL: It means the data should not be changed in transmission.
CONFIDENTIAL: It means the data should be transported in encrypted form.

The required priority order is:
CONFIDENTIAL
INTEGRAL
NONE

<login-config>

This tag specifies the type of authentication we are using. It defines the following 3 child tags.

<auth-method>
It specifies the authentication method. The allowed values are:
BASIC
DIGEST
FORM
CLIENT-CERT
<realm-name>
It specifies the location where we are storing authentication information.
It is required only for basic authentication.
<form-login-config>
This tag can be used to specify the login page URL and error page URL in the case of form-based authentication. This tag contains the following 2 child tags.
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.html</form-error-page>

<security-role>

It is used to define security roles. This tag contains the following 2 child tags.

<description>
<role-name>


Example

<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name></web-resource-name>
			<description></description>
			<url-pattern></url-pattern>
			<http-method></http-method>
		</web-resource-collection>

		<auth-constraint>
			<description></description>
			<role-name></role-name>
		</auth-constraint>

		<user-data-constraint>
			<description></description>
			<transport-guarantee></transport-guarantee><!-- NONE/INTEGRAL/CONFIDENTIAL -->
		</user-data-constraint>
	</security-constraint>

	<login-config>
		<auth-method></auth-method><!-- BASIC/DIGEST/FORM/CLIENT-CERT -->
		<realm-name></realm-name>
		<form-login-config>
			<form-login-page></form-login-page>
			<form-error-page></form-error-page>
		</form-login-config>
	</login-config>

	<security-role>
		<description></description>
		<role-name></role-name>
	</security-role>
</web-app>
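
A small audit of the three tags described above, as an added example in Python (not code from the original page). It parses a web.xml and reports constraints that list <http-method> (so any other method falls outside that constraint), constraints left at the default NONE transport guarantee, and roles used in <auth-constraint> but never declared in <security-role>. The sample descriptor, the function name audit_web_xml and the finding codes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor: resource names, URLs and roles are made up.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def audit_web_xml(xml_text):
    """Return (resource name, finding code, detail) tuples for one web.xml."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop XML namespace prefixes so the paths below match
        el.tag = el.tag.rsplit("}", 1)[-1]
    declared = {(r.text or "").strip() for r in root.findall("security-role/role-name")}
    auth = (root.findtext("login-config/auth-method") or "none").strip()
    findings = []
    for sc in root.findall("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        methods = [(m.text or "").strip() for m in sc.findall("web-resource-collection/http-method")]
        if methods:  # only the listed methods are constrained; others are not
            findings.append((name, "METHODS_LISTED", ",".join(methods)))
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        if tg == "NONE":  # an absent element means the default, NONE (plain text)
            findings.append((name, "TRANSPORT_NONE", "auth-method=" + auth))
        for r in sc.findall("auth-constraint/role-name"):
            role = (r.text or "").strip()
            if role != "*" and role not in declared:
                findings.append((name, "ROLE_UNDECLARED", role))
    return findings

if __name__ == "__main__":
    print(*audit_web_xml(SAMPLE), sep="\n")
```

Each finding maps back to one tag: METHODS_LISTED to <http-method>, TRANSPORT_NONE to <transport-guarantee>, and ROLE_UNDECLARED to a <role-name> with no matching <security-role>.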