Declarative Access Control in Java

From OWASP
Revision as of 16:51, 24 August 2006 by Owaspdavef (Talk | contribs)


A Java-based web application can be configured to restrict access to resources via its deployment descriptor (web.xml). This is called declarative access control or declarative security. No extra programming on your part is required; the process is managed entirely by the container in which your web application is deployed.

For example, the web.xml snippet below uses BASIC authentication: a popup box will appear and the user must enter a username and password when trying to access either a PDF file or anything under the "restrictedfiles" directory within the web app context. In this case the credentials entered must be recognized as belonging to the "admin" role.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Resources</web-resource-name>
    <url-pattern>*.pdf</url-pattern>
    <url-pattern>/restrictedfiles/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Files</realm-name>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>

Unless SSL is used, both the BASIC and FORM authentication methods send credentials unencrypted. With the BASIC method, the credentials are put into the form "username:password", Base64 encoded (a reversible encoding, not encryption), and included in the HTTP Authorization request header. An example HTTP header looks like this:

Authorization: Basic YWRtaW46ZmlzaG5ldA==

Other possible values for auth-method are DIGEST and CLIENT-CERT; containers may also accept vendor-specific values. Note that the value of <transport-guarantee> effectively defines whether SSL is required. If the value is INTEGRAL or CONFIDENTIAL, an https request is required to access the resource.
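As an added example (not part of the original OWASP page), the Python audit below parses a web.xml fragment built from the snippet above, reports any security-constraint that demands BASIC or FORM credentials without an INTEGRAL or CONFIDENTIAL transport guarantee, and decodes the Basic header shown above to make the point that Base64 is encoding, not encryption. The enclosing <web-app> root element and the function names are my own assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed input: the page's web.xml snippet wrapped in a <web-app> root so it parses.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Resources</web-resource-name>
    <url-pattern>*.pdf</url-pattern>
    <url-pattern>/restrictedfiles/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Files</realm-name>
</login-config>
</web-app>"""

def audit_web_xml(xml_text):
    """Return findings for constraints that require a login but do not require SSL
    (transport-guarantee absent or NONE), so credentials would cross the wire in clear."""
    root = ET.fromstring(xml_text)
    auth_method = root.findtext("login-config/auth-method", default="").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()
        # Only constraints that actually demand authentication put credentials on the wire.
        if roles and auth_method in ("BASIC", "FORM") and guarantee not in ("INTEGRAL", "CONFIDENTIAL"):
            findings.append({"patterns": patterns, "roles": roles,
                             "auth_method": auth_method, "transport_guarantee": guarantee})
    return findings

def decode_basic_header(header_value):
    """Split 'Basic <base64>' into (username, password); the token is merely Base64 of 'user:pass'."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password
```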