Declarative Access Control in Java

From OWASP
Revision as of 08:57, 25 August 2006 by Owaspdavef


A Java web application can restrict access to its resources through its deployment descriptor (web.xml). This is called declarative access control or declarative security. No extra programming on your part is required: the servlet container enforces the constraints on every incoming request before it reaches any servlet or JSP. Note that the constraints apply to requests arriving from clients only; a forward or include performed inside the application through a RequestDispatcher is not checked against them, so an unprotected servlet that forwards to a protected resource bypasses the constraint.

For example, the web.xml snippet below uses BASIC authentication. When a user requests any PDF file or anything under the "restrictedfiles" directory of the web application context, the browser shows a popup box asking for a username and password, and the container serves the resource only if the authenticated user is mapped to the "admin" role (how users and groups are mapped to roles is container-specific, configured outside web.xml). Because the web-resource-collection lists no <http-method> elements, the constraint covers every HTTP method; listing only GET and POST, for example, would leave the same URLs reachable through HEAD, PUT or any other method without authentication.

<!-- Which URLs are protected; with no <http-method> listed, every method is covered -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Restricted Resources</web-resource-name>
    <url-pattern>*.pdf</url-pattern>
    <url-pattern>/restrictedfiles/*</url-pattern>
  </web-resource-collection>
  <!-- Only authenticated users mapped to this role may access the collection -->
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- NONE: plain HTTP is accepted, so BASIC credentials travel in cleartext -->
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<!-- How users authenticate; the realm name is shown in the browser's prompt -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Files</realm-name>
</login-config>
<!-- Every role referenced in an auth-constraint must be declared here -->
<security-role>
  <role-name>admin</role-name>
</security-role>

In the snippet below, the <login-config> section is changed to use FORM authentication. When an unauthenticated user requests a protected resource, the container shows the gatekeeper.jsp page, which must contain an HTML form that posts to the action j_security_check with input fields named j_username and j_password. The container intercepts that POST, validates the credentials against the realm, and then redirects the user to the resource originally requested. If the credentials entered are invalid, the tryagain.jsp page is shown instead. Neither page should itself fall under a protected url-pattern.

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Restricted Files</realm-name>
  <!-- Both pages are paths within the web application context -->
  <form-login-config>
    <form-login-page>/gatekeeper.jsp</form-login-page>
    <form-error-page>/tryagain.jsp</form-error-page>
  </form-login-config>
</login-config>

Unless SSL/TLS is used, both the BASIC and FORM authentication methods send credentials in cleartext. With FORM, the username and password are simply the fields of an ordinary HTTP POST. With BASIC, the credentials are joined in the format "username:password", Base64 encoded and placed in the Authorization request header, which the browser then resends with every subsequent request to that realm. Base64 is an encoding, not encryption: anyone who can observe the traffic can decode it. The header below carries the username "admin" and the password "fishnet":

Authorization: Basic YWRtaW46ZmlzaG5ldA==

Other possible values for <auth-method> are DIGEST and CLIENT-CERT, and containers may accept vendor-specific values as well. The value of <transport-guarantee> determines whether SSL/TLS is required: NONE accepts plain HTTP, while INTEGRAL or CONFIDENTIAL mean an https request is required to access the resource (most containers, Tomcat for example, answer a plain HTTP request for such a resource with a redirect to the configured HTTPS port). When BASIC or FORM authentication is used, CONFIDENTIAL is the value you want; with NONE, the credentials, and the session cookie issued after login, travel unprotected.
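The checks a reviewer runs against a descriptor like the ones above, all HTTP methods covered, transport guarantee set, every role declared, as an added example in Python that is not part of the OWASP page. The web.xml embedded in the script is constructed for the example: it combines the page's BASIC constraint with a second, deliberately weak constraint. The function name audit() and the finding labels are this script's own conventions, not anything a container defines.

```python
"""Audit a servlet web.xml for weak declarative security settings (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the page's BASIC example plus a second, deliberately
# weak constraint that lists only GET and POST and references an undeclared role.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted Resources</web-resource-name>
      <url-pattern>*.pdf</url-pattern>
      <url-pattern>/restrictedfiles/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Restricted Files</realm-name>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""


def _strip_namespaces(root):
    """web.xml normally carries a default namespace; drop it so plain tag
    names work in find()/findall()."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.rsplit("}", 1)[-1]
    return root


def _texts(parent, path):
    """Stripped text of every element matching path under parent."""
    return [e.text.strip() for e in parent.findall(path) if e.text]


def audit(web_xml_text):
    """Return findings as dicts with keys 'check', 'where' and 'detail'."""
    root = _strip_namespaces(ET.fromstring(web_xml_text))
    # With no <login-config> at all the container defaults to BASIC.
    auth_method = (root.findtext("login-config/auth-method") or "BASIC").strip().upper()
    declared_roles = set(_texts(root, "security-role/role-name"))
    findings = []

    for sc in root.findall("security-constraint"):
        name = (sc.findtext("web-resource-collection/web-resource-name") or "?").strip()
        patterns = _texts(sc, "web-resource-collection/url-pattern")
        methods = _texts(sc, "web-resource-collection/http-method")
        omitted = _texts(sc, "web-resource-collection/http-method-omission")  # Servlet 3.0+
        auth = sc.find("auth-constraint")  # empty ET elements are falsy: test with 'is None'
        roles = _texts(sc, "auth-constraint/role-name")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip().upper()

        def add(check, detail):
            findings.append({"check": check, "where": name, "detail": detail})

        # Listing <http-method> constrains ONLY those methods; every other verb
        # (HEAD, PUT, DELETE, OPTIONS, made-up ones) bypasses the constraint.
        if methods and not omitted:
            add("verb-tampering", "only %s constrained; other methods reach %s unauthenticated"
                % (methods, patterns))
        # Without <auth-constraint> the container never asks for a login.
        if auth is None:
            add("no-auth-constraint", "constraint on %s never requires authentication" % patterns)
        # BASIC/FORM credentials (and the session cookie afterwards) travel in cleartext over HTTP.
        elif guarantee == "NONE" and auth_method in ("BASIC", "FORM"):
            add("cleartext-transport", "%s over plain HTTP for %s; use CONFIDENTIAL"
                % (auth_method, patterns))
        # A role never declared in <security-role> is usually a typo: nobody can
        # satisfy the constraint, or the container rejects the deployment.
        for role in roles:
            if role != "*" and role not in declared_roles:
                add("undeclared-role", "role %r is not declared in <security-role>" % role)
        # url-pattern matching is case-sensitive; confirm case variants such as
        # /report.PDF are not served outside the constraint.
        for p in patterns:
            if p.startswith("*."):
                add("case-sensitive-extension", "pattern %s does not match %s" % (p, p.upper()))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_WEB_XML):
        print("%-24s %-20s %s" % (f["check"], f["where"], f["detail"]))
```

Run against the page's own BASIC snippet, the only finding is cleartext-transport, which is exactly the transport-guarantee NONE problem discussed above; changing it to CONFIDENTIAL clears it. The second constraint in the sample shows the two mistakes the page does not make: an http-method list that leaves the other verbs open, and a role that no <security-role> declares.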