java_web_authentication [2021/04/05 11:23] (current)
====== Java Web Auth ======
The article covers authentication and authorization.
===== Java EE Auth =====
See also [[http://

==== Context ====
Getting the context of the current call can be achieved with the ''

@Context
private HttpContext context;

==== Basic Auth ====
In Basic Auth an HTTP header is added to the HTTP request.

Authorization:

The credentials need to be Base64-encoded (not encrypted: Base64 is a reversible encoding, so anyone who can read the header recovers the username and password, which is why Basic Auth must only be used over TLS).

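The following is an added example, not code from the wiki page: it builds and parses the ''Authorization: Basic'' header value in the RFC 7617 wire format and validates it with a constant-time comparison. The helper names and the sample credential pair are assumptions made for this example; a real server would compare against a password hash from its realm rather than a stored password.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple

# Hypothetical helpers for the Basic scheme (RFC 7617 wire format); names are this example's own.

def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic authentication.

    The credentials are only Base64-encoded; the encoding is reversible and
    offers no confidentiality, which is why the transport must be TLS.
    """
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, otherwise the split is ambiguous
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from an Authorization header value.

    Returns None for anything that is not a well-formed Basic credential
    (other scheme, invalid Base64, non-UTF-8 bytes, missing colon), so the
    caller rejects the request instead of guessing.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(header: str, expected_user: str, expected_password: str) -> bool:
    """Validate a header against one known credential pair.

    Both comparisons are constant-time and both always run, so timing does not
    leak whether the username alone matched. A real server would compare the
    password against a hash stored in the realm (database, LDAP, ...).
    """
    parsed = parse_basic_header(header)
    if parsed is None:
        return False
    user, password = parsed
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    password_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and password_ok


if __name__ == "__main__":
    # Constructed sample credential (the RFC 7617 example pair).
    header = build_basic_header("Aladdin", "open sesame")
    print(header)                       # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(parse_basic_header(header))   # ('Aladdin', 'open sesame'): decoded, not decrypted
    print(check_credentials(header, "Aladdin", "open sesame"))
```

Running the block prints the header and immediately recovers the plaintext pair from it, which is the whole argument for the ''CONFIDENTIAL'' transport guarantee discussed under the security constraints.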
==== Web XML Descriptor ====
In the web.xml file the authentication type must be set.

<sxh xml>
<
<
<
</
</

=== Security Constraints ===
<
Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via security constraints,

<
</

=== Auth-Constraints ===
If no auth-constraint is placed in the web.xml, no authentication is performed, meaning any normal user and anonymous users can use the service.

Using ''<

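As an added example (not from the wiki page), the small audit below reads the ''<security-constraint>'' elements of a web.xml and reports the cases the two sections above warn about: a constraint without an ''<auth-constraint>'' (reachable by anonymous users), an empty ''<auth-constraint/>'' (denies everyone), a protected resource without a ''CONFIDENTIAL'' transport guarantee, and a constraint that lists ''<http-method>'' entries, which in Servlet 3.x leaves the unlisted methods unconstrained unless ''<deny-uncovered-http-methods/>'' is present. The sample descriptor and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample descriptor for the walk-through; not taken from the wiki page.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so {ns}url-pattern compares as url-pattern."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem: ET.Element, name: str) -> List[str]:
    """Non-empty text of every descendant element with the given local name."""
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == name and (e.text or "").strip()]


def _children(elem: ET.Element, name: str) -> List[ET.Element]:
    return [c for c in elem if _local(c.tag) == name]


def parse_constraints(web_xml: str):
    """Return (list of constraint dicts, whether deny-uncovered-http-methods is set)."""
    root = ET.fromstring(web_xml)
    constraints = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        auth = _children(sc, "auth-constraint")
        # None: no auth-constraint at all (no authentication); []: empty element (deny everyone)
        roles = _texts(auth[0], "role-name") if auth else None
        udc = _children(sc, "user-data-constraint")
        guarantee = (_texts(udc[0], "transport-guarantee") or ["NONE"])[0] if udc else "NONE"
        constraints.append({"patterns": patterns, "methods": methods, "roles": roles, "guarantee": guarantee})
    deny_uncovered = any(_local(e.tag) == "deny-uncovered-http-methods" for e in root.iter())
    return constraints, deny_uncovered


def audit_web_xml(web_xml: str) -> List[Tuple[str, str]]:
    """Return (url-pattern, finding) pairs for constraints that are weaker than they look."""
    findings = []
    constraints, deny_uncovered = parse_constraints(web_xml)
    for c in constraints:
        for pattern in c["patterns"]:
            if c["roles"] is None:
                findings.append((pattern, "unauthenticated"))   # anyone, including anonymous users
            elif not c["roles"]:
                findings.append((pattern, "deny-all"))          # <auth-constraint/> blocks every caller
            elif c["guarantee"] != "CONFIDENTIAL":
                findings.append((pattern, "no-confidential"))   # Basic credentials would cross the wire in clear
            if c["methods"] and not deny_uncovered:
                # Servlet 3.x: listing http-methods leaves the unlisted ones unconstrained
                findings.append((pattern, "uncovered-methods"))
    return findings


if __name__ == "__main__":
    for pattern, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{pattern}: {finding}")
```

The audit only sees web.xml; constraints added through annotations such as ''@ServletSecurity'' are invisible to it, so an empty report does not by itself prove that a resource is protected.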
==== Declare Roles ====
Roles used in the application must be declared either by annotations (@DeclareRoles) or per web.xml entries (security-role).

<sxh xml; title: Example>
<
...

<
<
</
<
<
</
<
<
</

...
</
</

See [[http://

<note important>

<note important>

==== Check Role ====
Java EE does not specify a single component/

<
^Component ^API used to check role ^
| EJB | '' |
| Servlet | '' |
| Web Service | '' |
</

From: IBM Information Center [[http://

==== Mapping Roles ====
Roles can be mapped from the role names used in the application to the role names used in the realm (e.g. a database).

These mappings are container dependent. Glassfish stores these mappings in //

<sxh xml; title: Example Role Mapping in Glassfish>
<?xml version="
<
<
<
<
<
<
</
</

<
<
<
</

<
<
<
</

<
<
<
</

</
</

Glassfish explicitly needs a mapping **for each** role name used. Other application servers may behave differently and may assume that the names are identical unless stated otherwise.
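The following added example (not the wiki's own code) serves both the Declare Roles and the Mapping Roles sections: it cross-checks the role names used in ''<auth-constraint>'' elements against the ''<security-role>'' declarations in web.xml, and then against the ''<security-role-mapping>'' entries in glassfish-web.xml, reporting roles that are used but never declared, declared but never mapped (which on Glassfish means nobody holds them), and mapped to no principal or group at all. Both sample descriptors are constructed for this example; roles declared only through ''@DeclareRoles'' annotations are outside what a descriptor scan can see.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Constructed sample descriptors (not from the wiki page): three roles are used in
# auth-constraints, only two are declared, and the vendor mapping covers a different set.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>auditor</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>user</role-name></security-role>
</web-app>
"""

SAMPLE_GLASSFISH_WEB_XML = """<glassfish-web-app>
  <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admins</group-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>auditor</role-name>
    <principal-name>alice</principal-name>
  </security-role-mapping>
  <security-role-mapping>
    <role-name>guest</role-name>
  </security-role-mapping>
</glassfish-web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def _role_names_under(root: ET.Element, parent: str) -> Set[str]:
    """role-name values that sit inside an element with the given local name."""
    names = set()
    for elem in root.iter():
        if _local(elem.tag) == parent:
            for child in elem.iter():
                if _local(child.tag) == "role-name" and (child.text or "").strip():
                    names.add(child.text.strip())
    return names


def glassfish_mappings(glassfish_web_xml: str) -> Dict[str, Set[str]]:
    """Map each role in glassfish-web.xml to the principals/groups it is bound to."""
    root = ET.fromstring(glassfish_web_xml)
    mappings: Dict[str, Set[str]] = {}
    for elem in root.iter():
        if _local(elem.tag) != "security-role-mapping":
            continue
        role = None
        targets = set()
        for child in elem:
            if _local(child.tag) == "role-name" and (child.text or "").strip():
                role = child.text.strip()
            elif _local(child.tag) in ("principal-name", "group-name") and (child.text or "").strip():
                targets.add(f"{_local(child.tag)}:{child.text.strip()}")
        if role:
            mappings.setdefault(role, set()).update(targets)
    return mappings


def audit_roles(web_xml: str, glassfish_web_xml: str) -> Dict[str, Set[str]]:
    """Cross-check used, declared and mapped role names."""
    root = ET.fromstring(web_xml)
    used = _role_names_under(root, "auth-constraint")
    declared = _role_names_under(root, "security-role")
    mappings = glassfish_mappings(glassfish_web_xml)
    return {
        "undeclared": used - declared,                       # used in a constraint, never declared
        "unmapped": (used | declared) - set(mappings),       # no glassfish-web.xml entry: nobody holds it
        "mapped_to_nobody": {r for r, t in mappings.items() if not t},
    }


if __name__ == "__main__":
    for finding, roles in audit_roles(SAMPLE_WEB_XML, SAMPLE_GLASSFISH_WEB_XML).items():
        print(f"{finding}: {sorted(roles)}")
```

An "unmapped" role is not a vulnerability in itself; on Glassfish it simply locks everyone out of that resource, which is usually a sign that the deployment descriptor and the realm drifted apart.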

===== Links =====
  * [[https://