Declarative Access Control in Java

Revision as of 15:34, 29 August 2006 by Owaspdavef (Talk | contribs)


A Java-based application can be configured to restrict access to resources via the deployment descriptor (web.xml). This is called declarative access control or declarative security. No extra programming on your part is required. The process is 100 percent managed by the container within which your web application is deployed.

For example, the web.xml snippet below uses BASIC authentication: the browser shows a login prompt, and the user must enter a username and password before accessing any PDF file or anything under the "restrictedfiles" directory within the web application context. The credentials entered must belong to a user who is a member of the "admin" role in this case.

    <web-resource-name>Restricted Resources</web-resource-name>
    <realm-name>Restricted Files</realm-name>

In the snippet below, the <login-config> section is changed to use FORM authentication. In this example, the container will cause the gatekeeper.jsp page to appear where the user must enter his username and password in an HTML form. If the credentials entered by the user are invalid, the tryagain.jsp page will be shown.

    <realm-name>Restricted Files</realm-name>

If you decide to use FORM authentication, you must create the pages named in <form-login-page> and <form-error-page>. The login page (gatekeeper.jsp in the example above) has some additional constraints if the mechanism is to work at all: it must contain a form whose action attribute is "j_security_check", and that form must have two input parameters, one named "j_username" and the other named "j_password". So gatekeeper.jsp in this example needs a form like this:

    <form name="AuthForm" action="j_security_check" method="post">
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <input type="submit" value="Submit">
    </form>

The error page (tryagain.jsp in the example above) might simply have a message that the credentials entered are invalid and provide a link back to the login page.

Unless SSL is used, both the BASIC and FORM authentication methods send credentials unencrypted. For the BASIC method, the credentials are put into the format "username:password", then Base64 encoded and included in the HTTP request header. An example HTTP header would look like this:

    Authorization: Basic YWRtaW46ZmlzaG5ldA==

Other possible values for <auth-method> are DIGEST and CLIENT-CERT. Containers may also accept vendor-specific values. Note that the value of <transport-guarantee> essentially defines whether SSL is required or not: if the value is INTEGRAL or CONFIDENTIAL, you can assume that an https request is required to access the resource.
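As an added example (not a snippet from the original page), here is a complete web.xml that puts together the constraint and login configuration described above: the *.pdf and /restrictedfiles/* patterns, the "admin" role, the "Restricted Files" realm, FORM login with gatekeeper.jsp and tryagain.jsp, and a CONFIDENTIAL transport guarantee so the credentials and the protected content are not sent in the clear. The Servlet 2.4 schema version and the absence of a separate description element are my assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Restricted Resources</web-resource-name>
      <!-- No <http-method> elements are listed, so the constraint
           covers every HTTP method, not just GET and POST. -->
      <url-pattern>*.pdf</url-pattern>
      <url-pattern>/restrictedfiles/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Only authenticated users mapped to this role get through. -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL (or INTEGRAL) makes the container require https,
           so the FORM post of j_username/j_password is not in cleartext. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <!-- Swap FORM for BASIC (and drop <form-login-config>) to get the
         browser login prompt described earlier on the page. -->
    <auth-method>FORM</auth-method>
    <realm-name>Restricted Files</realm-name>
    <form-login-config>
      <form-login-page>/gatekeeper.jsp</form-login-page>
      <form-error-page>/tryagain.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an <auth-constraint> must be declared here. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

Anything not matched by the two url-patterns (for example the login and error pages themselves) stays unrestricted, which is what lets the container serve gatekeeper.jsp to an unauthenticated user.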