Develop with programmatic security APIs for Web apps

Programmatic security consists of the following methods of the HttpServletRequest interface:

getRemoteUser(): Returns the user name that the client used for authentication. Returns null if no user is authenticated.
isUserInRole(String roleName): Returns true if the remote user is granted the specified security role. Returns false if the remote user is not granted that role, or if no user is authenticated.
getUserPrincipal(): Returns the java.security.Principal object that contains the remote user name. Returns null if no user is authenticated.

We can specify whether the server challenges the Web client for basic authentication information if certificate authentication of the HTTPS client fails.

When the isUserInRole method is used, declare a security-role-ref element in the deployment descriptor with a role-name subelement containing the role name that is passed to this method, or declare the role with the @DeclareRoles annotation.

Because actual roles are created during the assembly stage of the application, we can use a logical role as the role name and provide enough hints to the assembler in the description of the security-role-ref element to link that role to the actual role. During assembly, the assembler creates a role-link subelement to link the role name to the actual role.

A security-role-ref element can be created during development with an assembly tool such as RAD, or later, during the assembly stage, with an assembly tool.

  1. Add the required security methods in the servlet code.

  2. Create a security-role-ref element with the role-name field.

    If a security-role-ref element is not created during development, make sure it is created during the assembly stage.

 

Results

A programmatically secured servlet application.

 

Example

This step is required to secure an application programmatically. It is particularly useful when a Web app needs to access external resources and wants to control that access with its own authorization table (a mapping from external resource to remote user).

In this case, use the getUserPrincipal or getRemoteUser method to obtain the remote user, and then consult the application's own authorization table to perform authorization. The remote user information can also be used to retrieve the corresponding user record from an external source such as a database or an enterprise bean.

Use the isUserInRole method in a similar way. After development, a security-role-ref element can be created:

<security-role-ref>
   <description>Provide hints to assembler for linking this role 
                name to an actual role here</description>
   <role-name>Mgr</role-name>
</security-role-ref>
<security-role-ref>
   <description>Hints provided by developer to map the role 
                name to the role-link</description>
   <role-name>Mgr</role-name>
   <role-link>Manager</role-link>
</security-role-ref>
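The following servlet is an added example (not from the original page) of the pattern described above: it reads the remote user with getUserPrincipal, checks the logical role "Mgr" with isUserInRole, and then consults the application's own resource-to-user table before granting access. The servlet name ReportServlet, the "resource" request parameter and the table contents are constructed for this example; Java 9 or later is assumed for Map.of and Set.of.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the page): authorizes access to named external
// resources using the application's own table keyed by the remote user name.
public class ReportServlet extends HttpServlet {

    // Constructed sample authorization table: external resource -> permitted users.
    private static final Map<String, Set<String>> RESOURCE_USERS = Map.of(
        "payroll-db", Set.of("alice"),
        "sales-db",   Set.of("alice", "bob"));

    // Returns true only when an authenticated user is listed for the resource.
    static boolean mayAccess(String remoteUser, String resource) {
        if (remoteUser == null) {          // unauthenticated: nothing can match
            return false;
        }
        Set<String> allowed = RESOURCE_USERS.get(resource);
        return allowed != null && allowed.contains(remoteUser);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getUserPrincipal() and getRemoteUser() both return null when nobody
        // is authenticated, so guard before dereferencing the Principal.
        Principal principal = request.getUserPrincipal();
        String remoteUser = (principal != null) ? principal.getName() : null;
        if (remoteUser == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String resource = request.getParameter("resource");
        // Container role check (logical role "Mgr", linked to the real role by the
        // assembler through role-link) combined with the application's own table.
        if (!request.isUserInRole("Mgr") || !mayAccess(remoteUser, resource)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println(remoteUser + " may access " + resource);
    }
}
```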

We can add programmatic servlet security methods inside any servlet doGet, doPost, doPut, and doDelete service methods.

The following example depicts using a programmatic security API:

 public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
{
   ....

   // getUserPrincipal returns null when no user is authenticated
   java.security.Principal principal = request.getUserPrincipal();
   String remoteUser = (principal != null) ? principal.getName() : null;

   // getRemoteUser returns the same user name directly (or null)
   remoteUser = request.getRemoteUser();

   // true only if the caller is granted the logical role "Mgr"
   boolean isMgr = request.isUserInRole("Mgr");

   ....
}

When developing Servlet 2.5 modules, the value of the role name argument passed to the isUserInRole method can be declared using Java annotations instead of declaring a security-role-ref element in the deployment descriptor.

// @DeclareRoles is a class-level annotation, so it goes on the servlet class
// (the class name MgrServlet is a placeholder)
@javax.annotation.security.DeclareRoles("Mgr")
public class MgrServlet extends HttpServlet
{
 public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
 {
   ....

   // getUserPrincipal returns null when no user is authenticated
   java.security.Principal principal = request.getUserPrincipal();
   String remoteUser = (principal != null) ? principal.getName() : null;

   // getRemoteUser returns the same user name directly (or null)
   remoteUser = request.getRemoteUser();

   // true only if the caller is granted the declared role "Mgr"
   boolean isMgr = request.isUserInRole("Mgr");

   // Use the above information in any way as needed by the application
   ....
 }
}

 

What to do next

After developing an application, use an assembly tool to create roles and to link the actual roles to role names in the security-role-ref elements.

 

Related concepts

Role-based authorization
getRemoteUser and getAuthType methods
Example: Using a programmatic security model for a Web app
Web authentication settings

 

Related tasks

Set servlet filters for form login processing
Secure Web apps using an assembly tool
Select an authentication mechanism