Java Servlet 3.0 support for security
This release of WebSphere Application Server supports all security updates as defined in the Java Servlet 3.0 specification.
This release of WAS supports all security updates as defined in the Java Servlet 3.0 specification (JSR-315), including the new servlet security annotations, the new programmatic security APIs, and dynamic updating of the servlet security configuration.
A significant enhancement is the new annotation support for servlets. A developer can declare the security constraints using annotations as an alternative to declaring them in the web.xml file, which was the approach used prior to Java Servlet 3.0. The web.xml file continues to function, and where a web.xml declaration conflicts with an annotation, the web.xml declaration overrides the annotation.
The list of supported Java Servlet 3.0 updates for security includes the following:
- Support for the @ServletSecurity annotation
- Support for the dynamic updating of the @RunAs, @declareRoles, and @ServletSecurity servlet security annotations
- Support for the authenticate, login and logout servlet security methods
- The new com.ibm.websphere.security.displayRealm property specifies whether the HTTP basic authentication login window displays the user registry realm name when the application web.xml file does not define a realm name.
The following discusses the Java Servlet 3.0 updates for security in more detail:
Support for the @ServletSecurity annotation:
When an application deploys, the ServletSecurity MergeAction implementation finds all servlets with the ServletSecurity annotation. For each annotated servlet, it finds the servlet associated with the given class based on the WebServlet annotation. If a role named in rolesAllowed of the ServletSecurity annotation is not found in the deployment descriptor, it creates a role-name entry for that role in the deployment descriptor.
When an application starts, the WebContainer inspects all servlets with the RunAs, declareRoles, and ServletSecurity annotations and passes the annotation data to the setServletSecurity() method of the servlet's ServletRegistration.Dynamic interface. The WebContainer then notifies the security component to inspect all ServletRegistration objects that have URL patterns and security constraints. The security component determines whether each URL pattern is defined in the deployment descriptor. If it is not, the security constraints and RunAs role for the URL pattern are created from the annotation data and used. If an exact match is already defined in the deployment descriptor, the security constraints and RunAs role of that URL pattern in the deployment descriptor are used instead of the annotation data.
Read the Security annotations topic for more information.
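The following servlet shows the annotation approach described above. It is an added example, not code from the IBM documentation or from WebSphere itself; the class, package, role names and URL pattern are hypothetical, and the web.xml fragment in the comment is included only to show what an overriding descriptor entry for the same URL pattern would look like.

```java
// Added example (not IBM's code): a Servlet 3.0 servlet whose security
// constraints live in annotations rather than in web.xml. The package, class,
// role names and URL pattern are hypothetical.
package example.security;

import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Security constraints are keyed on the servlet's URL pattern. If web.xml
 * already contains a <security-constraint> whose <url-pattern> is exactly
 * /reports/*, the descriptor entry is used and the annotation below is
 * ignored. The equivalent descriptor entry would be:
 *
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>reports</web-resource-name>
 *     <url-pattern>/reports/*</url-pattern>
 *   </web-resource-collection>
 *   <auth-constraint><role-name>manager</role-name></auth-constraint>
 *   <user-data-constraint>
 *     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *   </user-data-constraint>
 * </security-constraint>
 */
@WebServlet(name = "ReportServlet", urlPatterns = {"/reports/*"})
// Declares the roles the application uses. The merge step adds a role-name
// entry for any role in rolesAllowed that the descriptor does not declare.
@DeclareRoles({"manager", "auditor"})
// Downstream calls made by this servlet run with the "auditor" role identity.
@RunAs("auditor")
@ServletSecurity(
    // Default constraint: applies to every HTTP method that is not listed in
    // httpMethodConstraints, so no method is left unprotected.
    value = @HttpConstraint(
        rolesAllowed = {"manager"},
        transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET is read-only, so auditors may also use it; still HTTPS only.
        @HttpMethodConstraint(value = "GET",
            rolesAllowed = {"manager", "auditor"},
            transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class ReportServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced the constraint before this runs;
        // finer-grained decisions can still use isUserInRole().
        resp.setContentType("text/plain");
        resp.getWriter().println("caller=" + req.getUserPrincipal().getName()
                + " manager=" + req.isUserInRole("manager"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reached only by callers in the "manager" role over a confidential
        // transport, because POST falls under the default constraint.
        resp.setStatus(HttpServletResponse.SC_ACCEPTED);
    }
}
```

The point to check when reviewing such a servlet is the `value` constraint: it is what covers every method not named in `httpMethodConstraints`, so leaving it out (or giving it an empty `rolesAllowed`) is what would leave methods such as PUT or DELETE unprotected.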
Support for the dynamic updating of the @RunAs, @declareRoles, and @ServletSecurity servlet security annotations:
When an application starts, the web container inspects all servlets with the RunAs, declareRoles, and ServletSecurity annotations and passes the annotation data to the setServletSecurity() method of the servlet's ServletRegistration.Dynamic interface. The web container then notifies the security component to inspect all ServletRegistration objects that have URL patterns and security constraints. The security component determines whether each URL pattern is defined in the deployment descriptor. If an exact match is already defined in the deployment descriptor, the security constraints and RunAs role of that URL pattern in the deployment descriptor are used instead of the dynamic data.
Read the Servlet security dynamic annotations topic for more information.
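The following listener registers a servlet and its constraints through the ServletRegistration.Dynamic API at startup, which is the dynamic path the text above describes. It is an added example, not IBM's or WebSphere's code; the listener, the nested servlet, the role names and the URL pattern are hypothetical.

```java
// Added example (not IBM's code): registering a servlet and its security
// constraints at startup through the Servlet 3.0 ServletRegistration.Dynamic
// API instead of annotations or web.xml. All names here are hypothetical.
package example.security;

import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class DynamicSecurityRegistration implements ServletContextListener {

    // Minimal servlet to register; a real one would live in its own file.
    public static class ExportServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("export for " + req.getUserPrincipal().getName());
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent of @DeclareRoles: make the roles known to the container
        // before any constraint refers to them.
        ctx.declareRoles("manager", "auditor");

        // addServlet() returns null when a servlet with this name is already
        // registered (for example in web.xml). Its constraints then come from
        // the descriptor, so do not try to re-register it.
        ServletRegistration.Dynamic reg =
                ctx.addServlet("ExportServlet", ExportServlet.class);
        if (reg == null) {
            ctx.log("ExportServlet already registered; keeping descriptor configuration");
            return;
        }
        reg.addMapping("/export/*");

        // Equivalent of @RunAs.
        reg.setRunAsRole("auditor");

        // Default constraint for all methods: managers only, HTTPS only.
        HttpConstraintElement allMethods =
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "manager");
        // Per-method override: auditors may also GET.
        HttpMethodConstraintElement getOnly = new HttpMethodConstraintElement("GET",
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "manager", "auditor"));
        ServletSecurityElement constraints =
                new ServletSecurityElement(allMethods, Collections.singleton(getOnly));

        // setServletSecurity() returns the URL patterns that the deployment
        // descriptor already constrains with an exact match. For those the
        // descriptor wins, as the text above describes, so log them rather
        // than assume the dynamic constraint took effect.
        Set<String> keptFromDescriptor = reg.setServletSecurity(constraints);
        if (!keptFromDescriptor.isEmpty()) {
            ctx.log("web.xml constraints retained for: " + keptFromDescriptor);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}
```

The return value of setServletSecurity() is the only signal that a dynamic constraint was not applied because the descriptor already covered the pattern; checking it at startup is how a deployment discovers that an intended restriction is actually coming from web.xml rather than from the code.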
WAS supports both a default authorization provider and an authorization provider based on the Java Authorization Contract for Containers (JACC) specification. The JACC-based authorization provider (for example, Security Access Manager) enables third-party security providers to handle the Java EE authorization. The RunAs, declareRoles, and ServletSecurity annotations are supported both for native authorization and for JACC.
Support for the authenticate, login and logout servlet security methods:
The authenticate method authenticates a user using the WAS container login mechanism configured for the servlet context.
The login method authenticates a user to the WebSphere Application Server with a user ID and password. If authentication is successful, it creates a user subject on the thread and LTPA cookies (if single sign-on (SSO) is enabled).
The logout method logs the user out of WAS and invalidates the HTTP session.
Read the Servlet security methods topic for more information.
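The following servlet exercises the three programmatic methods on HttpServletRequest that the text above lists. It is an added example, not IBM's or WebSphere's code; the URL pattern, parameter names and the choice of HTTP methods are hypothetical, and the session handling around login() is a portable defensive choice rather than anything the WebSphere documentation prescribes.

```java
// Added example (not IBM's code): the Servlet 3.0 authenticate(), login() and
// logout() methods on HttpServletRequest. The URL pattern and parameter names
// are hypothetical.
package example.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/session"})
public class SessionServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // GET /session: report the caller, prompting for credentials through the
    // login mechanism configured for the servlet context (BASIC, FORM, ...)
    // when no caller identity exists yet.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null) {
            // authenticate() returns false when it has already written the
            // challenge or redirect itself; the response is then complete.
            if (!req.authenticate(resp)) {
                return;
            }
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("caller=" + req.getUserPrincipal().getName());
    }

    // POST /session with username and password parameters: programmatic login.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // login() throws ServletException if a caller identity is already
        // established, so drop the current one instead of failing the request.
        if (req.getUserPrincipal() != null) {
            req.logout();
        }
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try {
            req.login(user, password);
        } catch (ServletException e) {
            // Validation failed. One response for both a bad user and a bad
            // password avoids telling the client which of the two was wrong.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Replace any pre-login session so its id is not carried into the
        // authenticated session (session fixation). The user subject lives on
        // the thread and in the LTPA cookies, not in the HTTP session.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // DELETE /session: logout.
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();
        // On WAS, logout() already invalidates the HTTP session (see above);
        // invalidating explicitly keeps the servlet portable to containers
        // whose logout() does not.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Two details worth keeping in mind when reviewing code like this: login() is only available when the configured login mechanism supports user ID and password, and a successful login() establishes the identity for the current request and (when SSO is enabled) for later requests via the LTPA cookies, so a servlet that calls it must also decide when logout() is called.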
The new com.ibm.websphere.security.displayRealm property specifies whether the HTTP basic authentication login window displays the user registry realm name when the application web.xml file does not define a realm name:
If the realm name is not defined in the web.xml file, one of the following occurs:
- If the property is set to false (the default), the login window displays Default Realm as the WebSphere realm name.
- If the property is set to true, the login window displays the user registry realm name for the LTPA authentication mechanism, or the Kerberos realm name for the Kerberos authentication mechanism.
Read the Security custom properties topic for more information.
Related:
- Security annotations
- Servlet security dynamic annotations
- Security constraints in web applications
- Authorization providers
- Servlet security methods
- Security custom properties
- JACC policy propagation
- Java Platform, Enterprise Edition 6 API Specification annotations: ServletSecurity, HttpConstraint, HttpMethodConstraint, declareRoles
- JSR 315: Java Servlet 3.0 Specification
- Interface ServletRegistration.Dynamic: setRunAsRole, setServletSecurity