Using Programmatic Security in the Web Tier

Programmatic security is used by security-aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of the following methods of the HttpServletRequest interface:

These APIs allow servlets to make business logic decisions based on the logical role of the remote user. They also allow the servlet to determine the principal name of the current user.

Declaring and Linking Role References

A security role reference allows a Web component to reference an existing security role. A security role is an application-specific logical grouping of users, classified by common traits such as customer profile or job title. When an application is deployed, roles are mapped to security identities, such as principals (identities assigned to users as a result of authentication) or groups, in the operational environment. Based on this, a user with a certain security role has associated access rights to a Web application. The link is the actual name of the security role that is being referenced.

During application assembly, the assembler creates security roles for the application and associates these roles with available security mechanisms. The assembler then resolves the security role references in individual servlets and JSPs by linking them to roles defined for the application.

The security role reference defines a mapping between the name of a role that is called from a Web component using isUserInRole(String name) (see Using Programmatic Security in the Web Tier) and the name of a security role that has been defined for the application.

For example, the mapping of the security role reference cust to the security role with role name bankCustomer is declared in the <security-role-ref> element of the deployment descriptor. When you call the isUserInRole(String role) method, the String role is matched against the <role-name> element nested within the <security-role-ref> element of a <servlet> declaration in the web.xml deployment descriptor. The <role-link> element must match a <role-name> defined in a <security-role> element of the same web.xml deployment descriptor, as shown here:

<servlet>
   ...
  <security-role-ref>
    <role-name>cust</role-name>
    <role-link>bankCustomer</role-link>
  </security-role-ref>
   ...
</servlet>

<security-role>
   <role-name>bankCustomer</role-name>
</security-role> 

In this example, isUserInRole("bankCustomer") and isUserInRole("cust") will both return true.

Because a coded name is linked to a role name, you can change the role name at a later time without having to change the coded name. For example, if you were to change the role name from bankCustomer to something else, you wouldn't need to change the cust name in the code. You would, however, need to relink the cust coded name to the new role name.
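A servlet that tests the coded name cust from the mapping above, as an added example that is not from the tutorial; the AccountServlet class name, the response text and the use of the container log for denials are assumptions:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical AccountServlet: makes a business-logic decision on the coded
 * role name "cust", which the <security-role-ref> in web.xml links to the
 * application role "bankCustomer".
 */
public class AccountServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getUserPrincipal() is null when the container has not authenticated
        // the caller, so check it before using the name. A declarative
        // <auth-constraint> on the URL normally guarantees authentication
        // before this code runs; this check covers the case where it is absent.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Test the coded name, not the deployment role name: the <role-link>
        // in web.xml resolves "cust" to "bankCustomer", so renaming the
        // application role later does not require touching this line.
        if (!request.isUserInRole("cust")) {
            // Record the denial with the principal name for the audit trail.
            log("Access denied to " + principal.getName());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Account summary for " + request.getRemoteUser());
        out.close();
    }
}
```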

As discussed in Setting up Security Roles, there must also be a corresponding entry in the Web server users file, which is <JWSDP_HOME>/conf/tomcat-users.xml for Tomcat. The role of admin is defined by default in that file, as shown below:

<?xml version='1.0'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="your_name" password="your_password"
    roles="admin,manager"/>
</tomcat-users>

All of the material in The Java(TM) Web Services Tutorial is copyright-protected and may not be published in other works without express written permission from Sun Microsystems.