Section 3.7. Security
Servlets don't have to handle their own security arrangements. Instead, they can rely on the capabilities of the web server to limit access where required. The security capabilities of most web servers are limited to basic on-or-off access to specific resources, controlled by username and password (or digital certificate), with possible encryption using SSL. Most servers are limited to basic authentication, which transmits passwords more or less in the clear, while some support the more advanced digest authentication protocol, which works by transmitting a hash of the user's password and a server-generated value rather than the password itself. Both of these approaches look the same to the user; the familiar "Enter Username and Password" window pops up in the web browser.

Recent versions of the Servlet API take a much less hands-off approach to security. The web.xml file can define which servlets and resources are protected and which users have access. The user access model is the J2EE User-Role model, in which users can be assigned one or more roles. Users with a particular role are granted access to protected resources. A user named Admin might have both the Administrator role and the User role while users Bob and Ted might have only the User role. (See Chapter 10 for more details about J2EE security.)

In addition to basic, digest, and SSL authentication, the web application framework allows for HTML form-based logins. This approach allows the developer to specify an HTML or JSP page containing a form like the following:

  <form method="post" action="j_security_check">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit" value="Log In">
  </form>

Note that form-based authentication is insecure on its own (the credentials are posted in clear text unless the connection uses SSL) and works only if the client session is being tracked via cookies or SSL signatures.

The HttpServletRequest interface includes a pair of basic methods for retrieving standard HTTP user authentication information from the web server. If your web server is equipped to limit access, a servlet can retrieve the username with getRemoteUser( ) and the authentication method (basic, digest, or SSL) with getAuthType( ). Version 2.2 of the Servlet API added the isUserInRole( ) and getUserPrincipal( ) methods to HttpServletRequest. isUserInRole( ) allows the program to query whether the current user has a particular role (useful for dynamic content decisions that cannot be made at the container level). The getUserPrincipal( ) method returns a java.security.Principal object identifying the current user.



Java Enterprise in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596101422
Year: 2004
Pages: 269