Develop with programmatic security APIs for Web applications

 

+

Search Tips   |   Advanced Search

 

 

Before you begin

Programmatic security is used by security-aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of the following methods of the HttpServletRequest interface:

getRemoteUser()

Returns the user name the client used for authentication. Returns null if no user is authenticated.

isUserInRole

(String role name): Returns true if the remote user is granted the specified security role. If the remote user is not granted the specified role, or if no user is authenticated, it returns false.

getUserPrincipal()

Returns the java.security.Principal object containing the remote user name. If no user is authenticated, it returns null.

When the isUserInRole() method is used, declare a security-role-ref element in the deployment descriptor with a role-name subelement containing the role name passed to this method. Since actual roles are created during the assembly stage of the application, use a logical role as the role name and provide enough hints to the assembler in the description of the security-role-ref element to link that role to the actual role. During assembly, the assembler creates a role-link subelement to link the role name to the actual role. Creation of a security-role-ref element is possible if development tools such as Rational Web Developer is used. You also can create the security-role-ref element during assembly stage using an assembly tool.

 

Procedure

  1. Add the required security methods in the servlet code.

  2. Create a security-role-ref element with the role-name field. If a security-role-ref element is not created during development, make sure it is created during the assembly stage.

 

Result

A programmatically secured servlet application.

 

ExamplegetUserPrincipal()getRemoteUser()

After development, a security-role-ref element can be created:

<security-role-ref>

    <description>Provide hints to assembler for linking this role 
    name to an actual role here<\description>

    <role-name>Mgr<\role-name>

</security-role-ref>

During assembly, the assembler creates a role-link element:

<security-role-ref>

    <description>Hints provided by developer to map the role 
    name to the role-link</description>

    <role-name>Mgr</role-name>
    <role-link>Manager</role-link>

</security-role-ref>

You can add programmatic servlet security methods inside any servlet doGet(), doPost(), doPut(), doDelete() service methods. The following example depicts using a programmatic security API:

public void doGet(HttpServletRequest request, 

HttpServletResponse response) {

   ....

   // Get remote user using getUserPrincipal()
   java.security.Principal principal = request.getUserPrincipal();
   String remoteUser = principal.getName();

   // Get remote user using getRemoteUser()
   remoteUser = request.getRemoteUser();


   // Check if remote user is granted Mgr role
   boolean isMgr = request.isUserInRole("Mgr");

   // Use the above information in any way as needed by 
   // the application 

   ....
}

 

What to do next

After developing an application, use an assembly tool to create roles and to link the actual roles to role names in the security-role-ref elements.

 

See also


Example: Web applications code
Developing servlet filters for form login processing
Configuring servlet filters

 

See Also


Role-based authorization

 

Related Tasks


Securing Web applications using an assembly tool

 



 

 

Rational is a trademark of the IBM Corporation in the United States, other countries, or both.