java_web_authentication [2013/11/22 14:03]
java_web_authentication [2021/04/05 11:23] (current)
====== Java Web Auth ======
The article covers authentication and authorization.

===== Java EE Auth =====
See also [[http://docs.oracle.com/javaee/6/tutorial/doc/index.html | Java EE 6 Tutorial]]

==== Context ====
Getting the context of the current call can be achieved with the ''@Context'' annotation.

  import javax.ws.rs.core.Context;
  // HttpContext is Jersey 1.x specific (com.sun.jersey.api.core.HttpContext);
  // portable JAX-RS code injects javax.ws.rs.core.SecurityContext the same way.

  @Context
  private HttpContext context;

==== Basic Auth ====
In Basic Auth the client adds an ''Authorization'' header to the HTTP request:

  Authorization: Basic base64(<user>:<pass>)
  
The credentials are only Base64 encoded, not encrypted: anyone who can read the request can recover the password. Basic Auth must therefore only be used over TLS (a ''user-data-constraint'' with ''CONFIDENTIAL'' transport, see the security constraints below).

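The header exchange described above, as an added example that is not part of the original page: a small class built only on the JDK's ''java.util.Base64'' that builds the header value a client sends and parses it the way a server would, rejecting malformed values (missing header, another scheme, invalid Base64, no '':'' separator) so the caller can fail closed with a 401. The user name and password are constructed sample values.

```java
// Added example (not from the original page): how the Basic Auth header is built
// and taken apart again. Only the JDK is used; no container or framework is needed.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class BasicAuthHeader {

    /** Builds the header value the client sends: "Basic " + base64("user:pass"). */
    public static String encode(String user, String pass) {
        String raw = user + ":" + pass;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Parses an Authorization header value back into {user, pass}.
     * Returns empty for a missing header, a scheme other than Basic, invalid Base64
     * or a payload without the ':' separator, so the caller answers 401 instead of
     * guessing. The password may itself contain ':', so only the first one separates.
     */
    public static Optional<String[]> decode(String headerValue) {
        if (headerValue == null) {
            return Optional.empty();
        }
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        String raw;
        try {
            raw = new String(Base64.getDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();
        }
        int sep = raw.indexOf(':');
        if (sep < 0) {
            return Optional.empty();
        }
        return Optional.of(new String[] { raw.substring(0, sep), raw.substring(sep + 1) });
    }

    public static void main(String[] args) {
        // Constructed sample credentials; the password contains ':' on purpose.
        String header = encode("alice", "s3cret:with:colons");
        System.out.println("client sends: Authorization: " + header);

        // Server side: decoding needs no key at all, which is why the transport must be TLS.
        decode(header).ifPresent(cred ->
                System.out.println("server sees user=" + cred[0] + " pass=" + cred[1]));

        // Malformed inputs are rejected as a whole rather than half-parsed.
        System.out.println("other scheme accepted? " + decode("Bearer abc").isPresent());
        System.out.println("bad base64 accepted?   " + decode("Basic %%%").isPresent());
        String noColon = Base64.getEncoder()
                .encodeToString("nocolon".getBytes(StandardCharsets.UTF_8));
        System.out.println("missing ':' accepted?  " + decode("Basic " + noColon).isPresent());
    }
}
```

Running ''main'' prints the encoded header, the recovered user name and password, and ''false'' for each of the three malformed inputs. In a container the parsing is done by the realm configured in ''login-config''; the class only makes visible what that realm does with the header, and why the decoded credentials must never travel over plain HTTP.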
==== Web XML Descriptor ====
In the web.xml file the authentication type must be set.

<sxh xml>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>jdbcrealm</realm-name>
</login-config>
</sxh>

=== Security Constraints ===
<blockquote>
Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via security constraints, will mean that the web container will allow those requests. Security Constraints consist of Web Resource Collections (URL patterns, HTTP methods), Authorization Constraint (role names) and User Data Constraints (whether the web request needs to be received over a protected transport such as TLS).

<cite>[[http://java.dzone.com/articles/understanding-web-security | Understanding Web Security Using web.xml Via Use Cases]]</cite>
</blockquote>

=== Auth-Constraints ===
If no auth-constraint is placed in the web.xml, no authentication is performed, which means normal users and anonymous users alike can use the service.

Using ''<role-name>*</role-name>'' accepts any authenticated user but denies access for anonymous users.

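A complete security section of a ''web.xml'' that puts the three parts together (security constraints, the ''login-config'' from above and the role declarations), as an added example that is not part of the original page. The URL patterns ''/api/admin/*'' and ''/api/*'' and the role names are constructed for illustration; the realm name ''jdbcrealm'' is the one used on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original page). URL patterns and role names
     are constructed for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- 1. Which URLs and methods are protected, who may call them, over what transport -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin API</web-resource-name>
            <url-pattern>/api/admin/*</url-pattern>
            <!-- No <http-method> listed: the constraint covers ALL methods.
                 Listing only GET and POST would leave PUT, DELETE, HEAD, ... unprotected. -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <!-- CONFIDENTIAL = TLS required; Basic Auth credentials are only Base64 encoded -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Any authenticated user; anonymous callers are rejected -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>User API</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- An empty <auth-constraint/> denies everyone (here used to switch off TRACE).
         OMITTING the auth-constraint element entirely would instead allow everyone. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Deny TRACE</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <!-- 2. How the container obtains credentials -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jdbcrealm</realm-name>
    </login-config>

    <!-- 3. Every role referenced above must be declared, otherwise isUserInRole() returns false -->
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <role-name>user</role-name>
    </security-role>
</web-app>
```

The three constraints show the three outcomes the quoted text warns about: a named role restricts to that role, ''*'' restricts to authenticated users, and an auth-constraint with no role name denies everybody, whereas leaving auth-constraint out altogether leaves the resource open. Any URL not matched by a constraint at all is likewise open.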
==== Declare Roles ====
Roles used in the application must be declared either by annotations (''@DeclareRoles'') or by web.xml entries (''security-role'').

<sxh xml; title: Example>
<web-app>
        ...
        
 <security-role>
     <role-name>admin</role-name>
 </security-role>
 <security-role>
     <role-name>superuser</role-name>
 </security-role>
 <security-role>
     <role-name>user</role-name>
 </security-role>

 ...
</web-app>
</sxh>

See [[http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html#bncav | Java EE 6 Tutorial]] - Declaring Security Roles.

<note important>If no security roles are declared either via annotations or via web.xml entries then the call to ''isUserInRole(role)'' will always return ''false''.</note>

<note important>The entries in the //web.xml// are only used for servlet-based resources, such as plain servlets or REST web services built on servlets. For EJBs, put the entries in //ejb-jar.xml// or use the //@DeclareRoles// annotation.</note>

==== Check Role ====
Java EE does not specify a single component or API to check whether the authenticated user is in a given role; the call depends on the component type.

<dtable>
^Component ^API used to check role ^
| EJB | ''javax.ejb.EJBContext.isCallerInRole(role)'' |
| Servlet | ''javax.servlet.http.HttpServletRequest.isUserInRole(role)'' |
| Web Service | ''javax.xml.ws.WebServiceContext.isUserInRole(role)'' |
</dtable>

From: IBM Information Center [[http://pic.dhe.ibm.com/infocenter/radhelp/v8r5/index.jsp?topic=%2Fcom.ibm.javaee.doc%2Ftopics%2Ftsecuringejee.html | Using annotations to secure Java EE applications]]

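The servlet row of the table in working code, as an added example that is not part of the original page: a servlet that declares its roles with ''@DeclareRoles'' (so that ''isUserInRole()'' can return ''true'' at all, see the note above) and then decides programmatically, failing closed with 403 for everything not explicitly allowed. The servlet path ''/report'' and the roles ''admin'' and ''user'' are constructed for illustration; the Java EE 6 ''javax.*'' APIs are the real ones from the table.

```java
// Added example (not from the original page): programmatic role check in a servlet.
// Servlet path and role names are constructed for illustration.
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declaring the roles matters: isUserInRole() on an undeclared role is always false.
@DeclareRoles({ "admin", "user" })
@WebServlet("/report")
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getRemoteUser() is null when the container performed no authentication,
        // e.g. because no security-constraint in web.xml matched this URL.
        if (req.getRemoteUser() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Programmatic check: every branch not explicitly allowed ends in 403.
        if (req.isUserInRole("admin")) {
            resp.getWriter().println("full report for " + req.getRemoteUser());
        } else if (req.isUserInRole("user")) {
            resp.getWriter().println("own report only for " + req.getRemoteUser());
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

For an EJB the same decision is made with an injected ''@Resource SessionContext'' and ''isCallerInRole("admin")''; the declarative alternative for both component types is ''@RolesAllowed'', which the container enforces before the method runs. The programmatic check is still useful where the decision depends on request data (here: whose report is requested), which a declarative constraint cannot express.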
==== Mapping Roles ====
Roles can be mapped from the role names used in the application to the role or group names used in the realm (e.g. a database).

These mappings are container dependent. GlassFish stores them in //WEB-INF/glassfish-web.xml//.

<sxh xml; title: Example Role Mapping in Glassfish>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
    <class-loader delegate="true"/>
    <jsp-config>
        <property name="keepgenerated" value="true">
            <description>Keep a copy of the generated servlet class' java code.</description>
        </property>
    </jsp-config>
  
    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>
    
    <security-role-mapping>
        <role-name>superuser</role-name>
        <group-name>superuser</group-name>
    </security-role-mapping>
    
    <security-role-mapping>
        <role-name>user</role-name>
        <group-name>user</group-name>
    </security-role-mapping>

</glassfish-web-app>
</sxh>

GlassFish needs an explicit mapping **for each** role name used. Other application servers may behave differently and may assume that the names are identical unless stated otherwise.

===== Links =====
  * [[https://java.net/jira/browse/JAVAEE_SPEC-20 | Standardize group to role mapping]]