Java Web Auth

The article covers authentication and authorization.

Java EE Auth

Context

Getting the context of the current call can be achieved with the @Context annotation.

@Context
private HttpContext context;

Basic Auth

In Basic Auth a Http Header is added to the HTTP request.

Authorization: Basic <user>:<pass>

The credentials need to be Base64 encrypted.

Web XML Descriptor

In the web.xml file the authentication type must be set.

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jdbcrealm</realm-name>
</login-config>

Security Constraints

Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via security constraints, will mean that the web container will allow those requests. Security Constraints consist of Web Resource Collections (URL patterns, HTTP methods), Authorization Constraint (role names) and User Data Constraints (whether the web request needs to be received over a protected transport such as TLS).

Understanding Web Security Using web.xml Via Use Cases

Auth-Constraints

If no auth-constraints are placed in the web.xml then no authentication will be made, means any normal user and anonymous users can use the service.

Using <role-name>*</role-name> accepts any authenticated user but denies access for anonymous users.

Declare Roles

Roles used in the application must be declared either by annotations (@DeclareRoles) or per web.xml entries (secuity-role).

<web-page>
        ...
        
	<security-role>
	    <role-name>admin</role-name>
	</security-role>
	<security-role>
	    <role-name>superuser</role-name>
	</security-role>
	<security-role>
	    <role-name>user</role-name>
	</security-role>

	...
</web-app>

See Java EE 6 Tutorial - Declaring Security Roles.

If no security roles are declared either via annotations or via web.xml entries then the call to isUserInRole(role) will always return false.
The entries in the web.xml are only used in auth for servlet based resource, like plain servlet or REST web services which are based on servlets. Auth for EJBs should put the entries in ejb-jar.xml or use that annotation @DeclareRoles.

Check Role

Java EE does not specify a single component/way to check if a the authenticated user is in a specified role.

<dtable>

Component API used to check role
EJB javax.ejb.EJBContext.isCallerInRole(role)
Servlet javax.servlet.http.HttpServletRequest.isUserInRole(role)
Web Service javax.xml.ws.WebServiceContext.isUserInRole(role)

</dtable>

From: IBM Information Center Using annotations to secure Java EE applications

Mapping Roles

Roles can be mapped from roles names used in the application to roles names used in the realm (f. e. database).

Theses mappings are container dependend. Glassfish stores these mappings in WEB-INF/glassfish-web.xml.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
  
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    
    <security-role-mapping>
        <role-name>superuser</role-name>
        <group-name>superuser</group-name>
    </security-role-mapping>
    
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>

</glassfish-web-app>

Glassfish needs explicitly a mapping for each used role name. Other application servers may behave differently and may assume that the names are identical if not stated otherwise.