Web-Tier Security
The following sections address protecting resources and authenticating users in the Web tier.
Protecting Web Resources
You can protect Web resources by specifying a security constraint. A security constraint determines who is authorized to access a Web resource collection, which is a list of URL patterns and HTTP methods that describe a set of resources to be protected. Security constraints can be defined using deploytool, as described in Controlling Access to Web Resources.
If you try to access a protected Web resource as an unauthenticated user, the Web container will try to authenticate you. The container will only accept the request after you have proven your identity to the container and have been granted permission to access the resource.
Controlling Access to Web Resources
Use the following procedure in deploytool to specify a security constraint to control access to a Web resource.
- Select the WAR containing the Web resource.
- Select the Security tab.
- Click the Add button in the Security Constraints section of the screen.
- Click the Edit button adjacent to the Web Resource Collection field to add a Web resource collection to the security constraint. The Web resource collection describes a URL pattern and HTTP method pair that refer to the resources that need to be protected.
- Click the Edit button adjacent to the Authorized Roles field to add one or more roles to the security constraint. You are specifying the set of roles that are allowed to access the Web resource collection.
Authenticating Users of Web Resources
When you try to access a protected Web resource, the Web container activates the authentication mechanism that has been configured for that resource. You can configure the following authentication mechanisms for a Web resource:
- HTTP basic authentication
- Form-based authentication
- Client-certificate authentication
Basic Authentication
If you specify HTTP basic authentication, the Web server will authenticate a user by using the user name and password obtained from the Web client.
Form-Based Authentication
If you specify form-based authentication, you can customize the login screen and error pages that are presented to the end user by an HTTP browser.
Neither form-based authentication nor HTTP basic authentication is particularly secure on its own. In form-based authentication, the contents of the login form are sent as plain text, and the target server is not authenticated. Basic authentication sends user names and passwords over the Internet as text that is Base64-encoded, but not encrypted. Because Base64 is a reversible encoding rather than a cipher, this form of authentication can expose your user names and passwords unless all connections are over SSL: anyone who can intercept the transmission can trivially decode the credentials.
Client-Certificate Authentication
Client-certificate authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server and, optionally, the client authenticate each other with public key certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport: it is issued by a trusted organization, called a certificate authority (CA), and provides identification for the bearer. If you specify client-certificate authentication, the Web server will authenticate the client using an X.509 certificate, a public key certificate that conforms to the X.509 Public Key Infrastructure (PKI) standard.
Configuring Web Resources' Authentication Mechanism
To configure the authentication mechanism that the Web resources in a WAR will use:
- Select the WAR containing the Web resource.
- Select the Security tab.
- Choose one of the following authentication mechanisms from the User Authentication Method pull-down menu: None, Basic, Client-Certificate, or Form Based.
- If you choose form-based authentication, select Settings and fill in the Realm Name, Login Page, and Error Page fields in the Settings dialog box. The error page is displayed when login fails.
- If you choose basic authentication, select Settings and enter Default in the Realm Name field in the Settings dialog box.
Using SSL to Enhance the Confidentiality of HTTP Basic and Form-Based Authentication
Passwords are not protected for confidentiality with HTTP basic or form-based authentication. To overcome this limitation, you can run these authentication protocols over an SSL-protected session and ensure that all message content is protected for confidentiality.
To configure HTTP basic or form-based authentication over SSL:
- Select the Web component. The Web Component inspector will be displayed.
- From the Security tab, make sure that Basic or Form Based has been selected in the User Authentication Method pull-down menu.
- Click on the Add button in the Security Constraint section.
- Click on the security constraint that was added.
- Select CONFIDENTIAL in the Network Security Requirement pull-down menu.
Using Programmatic Security in the Web Tier
Programmatic security is used by security-aware apps when declarative security alone is not sufficient to express the security model of the app. Programmatic security consists of the following methods of the HttpServletRequest interface:
- getRemoteUser
- isUserInRole
- getUserPrincipal
You can use the getRemoteUser method to determine the user name with which the client authenticated. The isUserInRole method is used to determine if a user is in a specific security role. The getUserPrincipal method returns a java.security.Principal object.
These APIs allow servlets to make business logic decisions based on the logical role of the remote user. They also allow the servlet to determine the principal name of the current user.
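The following servlet shows the three methods in use. It is an added example written for this page, not code from the tutorial; the servlet name, the role names admin and user, and the text it writes are assumptions, and the role names must be declared as security-role entries (or mapped through security-role-ref) in the WAR's web.xml for isUserInRole to return true.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the tutorial): a servlet that makes a business-logic
 * decision on the caller's logical role using programmatic security.
 * Assumed role name: "admin". Assumed mapping: this servlet sits behind a
 * declarative security constraint, so it normally runs only after the
 * container has authenticated the user.
 */
public class AccountServlet extends HttpServlet {

    /** Returns the view a caller is entitled to; kept separate so it is easy to unit test. */
    static String chooseView(boolean isAdmin) {
        return isAdmin ? "all accounts (admin view)" : "your own account only";
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Both return null when the container has not authenticated the caller.
        String user = req.getRemoteUser();
        Principal principal = req.getUserPrincipal();

        if (user == null || principal == null) {
            // The declarative constraint should already have forced a login;
            // fail closed if the servlet is reached unauthenticated anyway.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Defence in depth: refuse to return account data over plain HTTP even
        // if the descriptor's transport guarantee was left at NONE.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Authenticated as: " + user);
        out.println("Principal name:   " + principal.getName());
        // BASIC, FORM or CLIENT_CERT, matching the configured mechanism.
        out.println("Auth type:        " + req.getAuthType());

        // Decide on the logical role, never on a hard-coded user name.
        boolean isAdmin = req.isUserInRole("admin");
        out.println("Showing: " + chooseView(isAdmin));
    }
}
```

getRemoteUser and getUserPrincipal describe the same authenticated identity (the Principal's getName typically equals the remote user name), whereas isUserInRole answers a question about authorization. Checking a role rather than comparing user names keeps the servlet correct when users are added to or removed from a role at deployment time without changing code.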
Unprotected Web Resources
Many apps feature unprotected Web content, which any caller can access without authentication. In the Web tier, unrestricted access is provided simply by not configuring an authentication mechanism.