Introduction to Authorization in Java EE Applications

Authorization is the process of checking whether a user is allowed to access a particular resource on the server. To identify the user, we first need to authenticate them, so authentication is the first step towards authorization.

Authorization may be done in different ways, including:

  1. Programmatically controlling access to resources based on an individual user's credentials.

  2. Assigning users to groups called roles and granting permissions based on those roles.

 

The steps for role based authorization can be summarized as:

  1. Define roles and users and create the mapping between them

  2. Define the resource collections to which security should be applied

  3. Map roles to security constraints

 

Declaring roles in web.xml

We can specify the roles we want to use in the application in the <role-name> element inside the <security-role> element, which is inside the <web-app> element.

You may have only one <role-name> element inside a <security-role> element, but you may have any number of <security-role> elements.

 

Example configuration for specifying roles in web.xml:

<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>manager</role-name>
</security-role>

 

Declaring roles using annotations

We can also declare roles using annotations on any component that implements the Servlet interface. The @DeclareRoles annotation takes one or more role names.

Example syntax for specifying multiple roles:

@DeclareRoles({"admin", "manager"})

Example syntax for specifying a single role:

@DeclareRoles({"admin"})

or

@DeclareRoles("admin")

 

Assigning users to roles

Assigning users to roles is specific to each Java EE server. It may be done in many different ways, including:

  1. Using a dedicated file stored in the Java EE server environment

  2. Using a local or remote database to store a list of user credentials and roles

  3. Querying a directory service such as LDAP

  4. Using the user credentials and user groups native to the operating system on which the Java EE server is running

GlassFish server, for example, supports a keyfile realm (usernames and hashed (digest) passwords stored in a file), retrieval from LDAP, a JDBC realm (looking up credentials in a database) and a certificate realm (authenticating clients using their SSL client certificates).

Apache Tomcat, by default, supports XML configuration files for storing user and role mappings, as well as a JDBC realm (looking up credentials in a database).

 

Defining resource collections and allowed HTTP methods

After defining users and roles, we need to define which web resources we want to restrict access to.

Authorization and confidentiality requirements for a collection of web resources are specified using the <security-constraint> sub element of the <web-app> element. If different sets of web resources have different security requirements, a separate <security-constraint> element needs to be configured for each set.

<web-app>
  <security-constraint>
    <display-name>Security Constraint 1</display-name>
  </security-constraint>
</web-app>

 

Web resource elements can be specified using the <web-resource-collection> sub element of <security-constraint> element.

Sub elements of <web-resource-collection> include:

  • <web-resource-name>

    • Specifies the logical name given to this collection

    • One per collection

  • <url-pattern>

    • Pattern to which every incoming request will be matched for applying this security constraint.

    • One or more (one per pattern)

  • <http-method>

    • Specifies an HTTP method that should fall under this security constraint.

    • Optional (one per HTTP method)

      • If not specified, the constraint applies to all HTTP methods for requests matching the url pattern.

 

The same resource may be declared in more than one <security-constraint> element; the container combines all of them when deciding access to that resource.

 

Authorization Constraints to map security constraints with user roles

We have now defined users and roles as well as security constraints. We can map security constraints to user roles using the <auth-constraint> sub element of the <security-constraint> element, adding one <role-name> sub element of <auth-constraint> for every role to which the constraint should grant access.

<auth-constraint>
  <role-name>admin</role-name>
  <role-name>manager</role-name>
</auth-constraint>

 

Important Note!

  • A declaration of the form <role-name>*</role-name> denotes all authenticated users belonging to any role in the application. Any additional <role-name> declarations are therefore redundant.

  • Omitting all <role-name> elements grants access to all users, whether they are authenticated or not.

  • The same resource may be declared in more than one <security-constraint> element; the container combines all of them (including the allowed roles) when deciding access to that resource.
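The three steps above combined into one web.xml, as an added example that is not part of the original page: the URL patterns, the BASIC login method and the realm name are assumptions, and the <deny-uncovered-http-methods/> element is a Servlet 3.1 feature not covered in the text.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Step 1: roles used by the application (users are mapped to them in the server's realm) -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>manager</role-name>
  </security-role>

  <!-- Steps 2 and 3: resource collection, HTTP methods and the roles allowed to access it -->
  <security-constraint>
    <display-name>Admin area</display-name>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- no http-method: every HTTP method on /admin/* is covered -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- confidentiality requirement: this collection is only served over HTTPS -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <display-name>Reports</display-name>
    <web-resource-collection>
      <web-resource-name>Report pages</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Listing http-method above leaves the other methods (PUT, DELETE, ...) on /reports/*
       unconstrained; this Servlet 3.1 element makes the container reject them instead -->
  <deny-uncovered-http-methods/>

  <!-- Authentication must happen before roles can be checked; realm name is an assumption -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>
</web-app>
```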
