Checking Caller Identity Programmatically

In general, security management should be enforced by the container in a manner that is transparent to the web component. The security API described in this section should be used only in the less frequent situations in which the web component methods need to access the security context information.
Your application can make business logic decisions based on the information obtained using these APIs. The following is a code snippet from an index.jsp file that uses these methods to access security information about the component's caller. (The role name echoed back to the browser is passed through <c:out>, which escapes HTML; the role parameter is client-supplied input.)

    <%@ taglib prefix="fmt" uri="http://java.sun.com/jstl/fmt" %>
    <%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
    <fmt:setBundle basename="LocalStrings"/>
    <html>
    <head><title><fmt:message key="index.jsp.title"/></title></head>
    <body bgcolor="white">
    <fmt:message key="index.jsp.remoteuser"/> <b><%= request.getRemoteUser() %></b><br><br>
    <% if (request.getUserPrincipal() != null) { %>
      <fmt:message key="index.jsp.principal"/> <b><%= request.getUserPrincipal().getName() %></b><br><br>
    <% } else { %>
      <fmt:message key="index.jsp.noprincipal"/>
    <% } %>
    <%-- The role to test is taken from the request only for this demonstration page. --%>
    <% String role = request.getParameter("role");
       if (role == null) role = "";
       if (role.length() > 0) {
         if (request.isUserInRole(role)) { %>
      <fmt:message key="index.jsp.granted"/> <b><c:out value="${param.role}"/></b><br><br>
    <%   } else { %>
      <fmt:message key="index.jsp.notgranted"/> <b><c:out value="${param.role}"/></b><br><br>
    <%   }
       } %>
    <fmt:message key="index.jsp.tocheck"/>
    <form method="GET">
    <input type="text" name="role" value="<c:out value="${param.role}"/>">
    </form>
    </body></html>

Declaring and Linking Role References

A security role is an application-specific logical grouping of users, classified by common traits such as customer profile or job title. When an application is deployed, these roles are mapped to security identities, such as principals (identities assigned to users as a result of authentication) or groups, in the runtime environment. Based on this mapping, a user with a certain security role has associated access rights to a web application. The value passed to the isUserInRole method is a String representing the role name of the user. A security role reference defines a mapping between the name of a role that is called from a web component using isUserInRole(String role) and the name of a security role that has been defined for the application.
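The following servlet, added here as an example and not taken from the tutorial, ties the two ideas above together: it makes a business-logic decision with getUserPrincipal and isUserInRole, and it tests a role reference name ("cust", a hypothetical name) that the assumed web.xml fragment in the comment links to the application role "bankCustomer". Unlike the index.jsp demo, the role name tested is a constant in the code, not a request parameter.

```java
// Added example (not the tutorial's code): a servlet that makes a business-logic decision
// with the programmatic security API. "cust" is a hypothetical role reference, linked to the
// application role "bankCustomer" by this (assumed) web.xml fragment:
//   <servlet> ... <security-role-ref><role-name>cust</role-name>
//                     <role-link>bankCustomer</role-link></security-role-ref> ... </servlet>
//   <security-role><role-name>bankCustomer</role-name></security-role>
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles({"cust"}) // declare every role name this servlet passes to isUserInRole
public class AccountServlet extends HttpServlet {

    /** True only for an authenticated caller whose mapped role is bankCustomer. */
    static boolean mayViewStatement(HttpServletRequest req) {
        Principal caller = req.getUserPrincipal();
        if (caller == null) {
            return false; // unauthenticated: isUserInRole would return false as well
        }
        // The role name is a constant, never request data: letting the client pick the
        // role to test (as the index.jsp demo does for display) is not an access check.
        return req.isUserInRole("cust");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!mayViewStatement(req)) {
            // 401 when nobody is logged in, 403 when logged in but lacking the role
            resp.sendError(req.getUserPrincipal() == null
                    ? HttpServletResponse.SC_UNAUTHORIZED : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        // The user name is chosen at account creation, so escape it before echoing.
        out.println("<html><body>Statement for <b>" + escapeHtml(req.getRemoteUser())
                + "</b></body></html>");
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;");
    }
}
```

The container still enforces the <security-constraint> elements of the deployment descriptor; the programmatic check only refines what an already admitted caller is allowed to see.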
If a <security-role-ref> element is not declared in a deployment descriptor and the isUserInRole method is called, the container defaults to checking the provided role name against the list of all security roles defined for the web application. Using this default instead of the <security-role-ref> element limits your flexibility to change role names in an application without also recompiling the servlet that makes the call.

During application assembly, the assembler creates security roles for the application and associates these roles with available security mechanisms. The assembler then resolves the security role references in individual servlets and JSP pages by linking them to roles defined for the application. For example, the assembler could map the security role reference cust to the security role with the role name bankCustomer using the <security-role-ref> element of the deployment descriptor.

Declaring Roles Using Annotations

The preferred method of declaring roles referenced in an application is to use the @DeclareRoles annotation. The following code sample specifies that the roles j2ee and guest will be used in the application, and verifies that the user is in the role j2ee (and not in the role guest) before printing out Hello World.
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.annotation.security.DeclareRoles;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    // Every role name passed to isUserInRole below is declared here.
    @DeclareRoles({"j2ee", "guest"})
    public class Servlet extends HttpServlet {
        public void service(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/html");
            PrintWriter out = resp.getWriter();
            out.println("<HTML><HEAD><TITLE>Servlet Output</TITLE></HEAD><BODY>");
            // Business-logic decision based on the caller's roles
            if (req.isUserInRole("j2ee") && !req.isUserInRole("guest")) {
                out.println("Hello World");
            } else {
                out.println("Invalid roles");
            }
            out.println("</BODY></HTML>");
        }
    }

Declaring Roles Using Deployment Descriptor Elements

An example of declaring roles referenced in an application using deployment descriptor elements is shown in the following web.xml deployment descriptor snippet:

    <servlet>
    ...
      <security-role-ref>
        <role-name>cust</role-name>
        <role-link>bankCustomer</role-link>
      </security-role-ref>
    ...
    </servlet>

When you use the isUserInRole(String role) method, the String role is mapped to the role name defined in the <role-name> element nested within the <security-role-ref> element. The <role-link> element in the web.xml deployment descriptor must match a <role-name> defined in the <security-role> element of the web.xml deployment descriptor, as shown here:

    <security-role>
      <role-name>bankCustomer</role-name>
    </security-role>

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.