Developing with programmatic security APIs for Web applications

Use this information to secure Web applications programmatically with the servlet security APIs.

Before you begin

You can configure several options for Web authentication that determine how the Web client interacts with protected and unprotected Uniform Resource Identifiers (URI). Also, you can specify whether WebSphere Application Server challenges the Web client for basic authentication information if the certificate authentication for the HTTPS client fails. For more information, see Authentication mechanisms.

Procedure

  1. Add the required security methods in the servlet code. Programmatic security is used by security-aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of the following methods of the javax.servlet.http.HttpServletRequest interface:
    getAuthType
    The getAuthType method returns the name of the authentication scheme that is used to protect the servlet (for example, BASIC or SSL). If the servlet is not protected, the getAuthType method returns null.
    getRemoteUser
    Returns the user name that the client used for authentication. If the user has been authenticated, the getRemoteUser method returns the login of the user that makes the request. If the user is not authenticated, the getRemoteUser method returns null.
    isUserInRole
    Takes a role name (String) and returns true if the remote user is granted the specified security role. If the remote user is not granted the specified role, or if no user is authenticated, it returns false.
    getUserPrincipal
    Returns the java.security.Principal object that contains the remote user name. If no user is authenticated, it returns null.
    For the getRemoteUser and getAuthType methods, the data that is returned depends upon whether security is enabled in the application server where the servlet is deployed. The following possibilities exist:
    • If security is not enabled and the requested servlet is configured with Web server protection, the getRemoteUser method returns the login and the getAuthType method returns the authentication scheme.
    • If security is enabled and a servlet is requested, both methods return null when WebSphere Application Server protection is not configured for the servlet.
    • If security is enabled, a servlet is requested, and the servlet is configured with WebSphere Application Server protection, then the getRemoteUser method returns the login and the getAuthType method returns the configured authentication scheme.
    You can add programmatic servlet security methods inside any servlet doGet, doPost, doPut, and doDelete service methods. The following example depicts using a programmatic security API:
    public void doGet(HttpServletRequest request, 
    HttpServletResponse response) {
    
       ....
    
       // to get remote user using getUserPrincipal(); the principal is null
       // when no user is authenticated, so check before calling getName()
       java.security.Principal principal = request.getUserPrincipal();
       String remoteUser = (principal != null) ? principal.getName() : null;
     
       // to get remote user using getRemoteUser() (also null if no user
       // is authenticated)
       remoteUser = request.getRemoteUser();
    
       // to check if remote user is granted Mgr role
       boolean isMgr = request.isUserInRole("Mgr");
    
       // use the above information in any way as needed by 
       // the application 
       ....
                      
    }
  2. Create a security-role-ref element with the role-name field. If a security-role-ref element is not created during development, make sure it is created during the assembly stage.

    When the isUserInRole method is used, declare a security-role-ref element in the deployment descriptor with a role-name subelement containing the role name that is passed to this method. Because actual roles are created during the assembly stage of the application, you can use a logical role as the role name and provide enough hints to the assembler in the description of the security-role-ref element to link that role to the actual role. During assembly, the assembler creates a role-link subelement to link the role name to the actual role. You can create the security-role-ref element during development or during the assembly stage using an assembly tool such as Rational Application Developer (RAD).

    After development, a security-role-ref element can be created, as this example shows:
    <security-role-ref>
       <description>Provide hints to assembler for linking this role 
                    name to an actual role here</description>
       <role-name>Mgr</role-name>
    </security-role-ref>

    The preceding security-role-ref element is required when an application is secured programmatically. This approach is particularly useful when a Web application needs to access external resources and wants to control the access to those resources using its own authorization table (external-resource to remote-user mapping). In this case, the application uses the getUserPrincipal or getRemoteUser method to get the remote user and then consults its own authorization table to perform authorization. The remote user information also can help retrieve the corresponding user information from an external source such as a database or from an enterprise bean. You can use the isUserInRole method in a similar way.

    During assembly, the assembler creates a role-link element:
    <security-role-ref>
       <description>Hints provided by developer to map the role 
                    name to the role-link</description>
       <role-name>Mgr</role-name>
       <role-link>Manager</role-link>
    </security-role-ref>
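The following servlet is an added example (it is not part of the WebSphere documentation) that combines the two steps above: it checks the logical Mgr role declared in the security-role-ref and, for non-managers, consults an application-owned authorization table of the kind described in step 2. The ReportServlet class, the report request parameter and the REPORT_READERS table are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the documentation) that serves named reports.
public class ReportServlet extends HttpServlet {

    // Constructed sample authorization table: external resource -> remote users
    // allowed to read it. A real application would load this from a database
    // or an enterprise bean, as the documentation suggests.
    private static final Map<String, Set<String>> REPORT_READERS = Map.of(
        "quarterly-sales", Set.of("alice", "bob"),
        "payroll",         Set.of("alice"));

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getUserPrincipal() returns null when no user is authenticated, so
        // check it before calling getName(); getRemoteUser() is null likewise.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String remoteUser = principal.getName();

        String report = request.getParameter("report");
        if (report == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // Role check: "Mgr" is the logical role-name from the security-role-ref;
        // the assembler's role-link binds it to the actual "Manager" role.
        boolean isMgr = request.isUserInRole("Mgr");

        // Resource check against the application's own authorization table.
        Set<String> readers = REPORT_READERS.get(report);
        boolean listed = readers != null && readers.contains(remoteUser);

        if (!isMgr && !listed) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Report " + report + " served to " + remoteUser
            + " (authenticated via " + request.getAuthType() + ")");
    }
}
```

Note that isUserInRole("Mgr") only evaluates correctly if the Mgr role-name is declared in the servlet's security-role-ref and linked to an actual role; an undeclared name returns false for every user.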

Results

A programmatically secured servlet application.

What to do next

After developing an application, use an assembly tool to create roles and to link the actual roles to role names in the security-role-ref elements. For more information, see Securing Web applications using an assembly tool.

Last updated: Aug 30, 2013 4:53:43 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-base-dist&topic=tsecweb
File name: tsec_web.html