
What Will We Secure?

For the examples, we'll secure a JSP page (start.jsp) and a servlet (SecureServlet.java). These resources are more than "Hello World" examples: they exercise the programmatic security API directly, and because they echo request data (headers, attributes, certificate subjects) back to the caller, they are diagnostic aids that should only ever be deployed behind a security constraint. They are useful for:

  • Getting the remote user, user principal, and authentication type
  • Checking the user role
  • Displaying information about SSL attributes, client-side certificates, and some client request info (headers and attributes)

Listing 1 shows the start.jsp file.

Listing 1 start.jsp.

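<%-- start.jsp: reports who the container authenticated for this request and
     whether that identity holds the JSP-ROLE role. The page performs no
     authentication of its own; every value below comes from the container, so
     the page must be protected by a security-constraint in web.xml or the
     values are simply null / false. --%>
<%!
  // Minimal HTML escaping for values echoed into the page. getRemoteUser()
  // and the principal name come from the authentication realm, which may
  // permit characters such as '<' or '"' in user names, so they are never
  // written raw. null renders as "null", like the original <%= %> did.
  private static String esc(String s) {
    if (s == null) {
      return "null";
    }
    StringBuffer out = new StringBuffer(s.length() + 16);
    for (int i = 0; i < s.length(); i++) {
      char c = s.charAt(i);
      switch (c) {
        case '<':  out.append("&lt;");   break;
        case '>':  out.append("&gt;");   break;
        case '&':  out.append("&amp;");  break;
        case '"':  out.append("&quot;"); break;
        case '\'': out.append("&#39;");  break;
        default:   out.append(c);
      }
    }
    return out.toString();
  }
%>
<%
  // getUserPrincipal() is null for an unauthenticated request; calling
  // getName() on it unconditionally (as the original did) throws an NPE and
  // turns the page into a 500 error.
  java.security.Principal principal = request.getUserPrincipal();
  String principalName = (principal == null) ? null : principal.getName();
%>
<html>
 <head>
 <title>SecureJSP</title>
</head>

<body>

<b>Remote User:</b><%= esc(request.getRemoteUser()) %><br />
<b>User Principal:</b><%= esc(principalName) %><br />
<b>Authentication Type</b><%= esc(request.getAuthType()) %><br />

<%-- isUserInRole() is the programmatic role check. The role name must be
     known to web.xml, either as a <security-role> or mapped through a
     <security-role-ref>, for the container to answer anything but false. --%>
<% if (request.isUserInRole("JSP-ROLE")) { %>
   <b>Is user in JSP-ROLE role ?</b> Yes, it is.
<% } else { %>
   <b>Is user in role ?</b> No, user is not in JSP-ROLE role!
<% } %>

</body>
</html>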

Listing 2 shows the SecureServlet.java source code.

Listing 2 SecureServlet.java.

package secure.servlet;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import java.io.PrintWriter;
import java.io.IOException;

import java.util.Enumeration;

import java.security.cert.X509Certificate;

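/**
 * Diagnostic servlet that reports what the container has established for the
 * current request: the authenticated user and one role check, the TLS
 * attributes the container publishes as request attributes, and finally every
 * request header and request attribute.
 *
 * The servlet authenticates nobody itself; getRemoteUser(), getUserPrincipal()
 * and isUserInRole() only reflect what the container did before dispatch, so
 * the servlet is expected to sit behind a security-constraint in web.xml.
 * Because it echoes request headers, attribute values and certificate subjects
 * back to the caller, treat it as a debugging aid rather than something to
 * leave reachable in a production deployment.
 */
public class SecureServlet extends HttpServlet
{
  // Role name checked in getSecurityInfo(); must be known to web.xml, either
  // as a <security-role> or mapped through a <security-role-ref>.
  private static final String ROLE = "SERVLET-ROLE";

  //Handle the HTTP-POST request: a POST gets exactly the same report as a GET
  public void doPost( HttpServletRequest request, HttpServletResponse response )
    throws ServletException, IOException
  { doGet(request, response); }

  //Handle the HTTP-GET request: build the whole page in memory, then write it once
  public void doGet( HttpServletRequest request, HttpServletResponse response )
    throws ServletException, IOException
    {
    // Declare the charset explicitly: certificate DNs and principal names may
    // contain non-ASCII characters, and the browser has to decode them the
    // same way the writer encodes them.
    response.setContentType("text/html; charset=UTF-8");

    StringBuffer html = new StringBuffer();
    html.append("<html><head><title>SecureServlet</title></head><body>");

    getSecurityInfo(request, html);
    getSSLAttributes(request, html);
    getReqHeaders(request, html);
    getReqAttribs(request, html);

    html.append("</body></html>");

    // No setContentLength() here: the original passed html.length(), which is
    // a count of chars rather than encoded bytes and also ignored the line
    // terminator println() appends, so any non-ASCII page was cut short. The
    // container computes the length (or chunks the response) correctly itself.
    PrintWriter out = response.getWriter();
    out.println(html.toString());
    }

  //getSecurityInfo method: who the container says the caller is
  private void getSecurityInfo(HttpServletRequest request, StringBuffer html)
   {
   try
    {
    html.append("<br /><b><font color='#cc0000'>Security Info:</font></b><br /><br />");
    html.append("<b>Remote User:</b>" + esc(request.getRemoteUser()) + "<br />");

    // getUserPrincipal() is null when the request was not authenticated; the
    // original dereferenced it unconditionally and fell into the catch block.
    java.security.Principal principal = request.getUserPrincipal();
    String principalName = (principal == null) ? null : principal.getName();
    html.append("<b>User Principal:</b>" + esc(principalName) + "<br />");

    html.append("<b>Authentication Type:</b>" + esc(request.getAuthType()) + "<br />");
    if (request.isUserInRole(ROLE))
       {
       html.append("<b>Is user in SERVLET-ROLE role ? </b> Yes, it is. <br />");
       } else {
           html.append("<b> Is user in SERVLET-ROLE role ? </b> No, it is not. <br />");
           }
     } catch (RuntimeException e)
         { reportError(html, "security info", e); }
    }

   //getSSLAttributes method: TLS parameters the container exposes as request attributes
   private void getSSLAttributes(HttpServletRequest request, StringBuffer html)
    {
    try
     {
    html.append("<b><font color='#cc0000'>SSL Attributes:</font></b><br /><br />");

    //javax.servlet.request.cipher_suite: A String representing the cipher suite used by HTTPS, if any
    appendAttribute(request, html, "javax.servlet.request.cipher_suite");

    //javax.servlet.request.key_size: An Integer representing the bit size of the algorithm, if any
    appendAttribute(request, html, "javax.servlet.request.key_size");

    //javax.net.ssl.cipher_suite: The string name of the SSL cipher suite in use, if the request was made using SSL
    //(older, container-specific name for the same information)
    appendAttribute(request, html, "javax.net.ssl.cipher_suite");

    //javax.net.ssl.peer_certificates: The chain of X.509 certificates which authenticates the client.
    //This is only available when SSL is used with client authentication.
    html.append("<br /><b>Client Certificates 2.1</b><br />");
    appendClientCertificates(request, html, "javax.net.ssl.peer_certificates");

    //javax.servlet.request.X509Certificate: For requests made using HTTPS,
    //this attribute can be used to retrieve information on the certificate of the client
    html.append("<br /><b>Client Certificates 2.2</b><br />");
    appendClientCertificates(request, html, "javax.servlet.request.X509Certificate");
     } catch (RuntimeException e)
         { reportError(html, "SSL attributes", e); }
    }

   // Appends one named request attribute as "<name> is: <value>". String.valueOf()
   // rather than a String cast because the attribute may be absent (null) or,
   // for key_size, an Integer; both print the way the original concatenation did.
   private void appendAttribute(HttpServletRequest request, StringBuffer html, String name)
    {
    String value = String.valueOf(request.getAttribute(name));
    html.append("<b>" + name + " is: </b>" + esc(value) + "<br />");
    }

   // Lists the subject DN of every certificate stored under attributeName, or
   // says why there is none. Both the legacy (javax.net.ssl.peer_certificates)
   // and the Servlet-spec (javax.servlet.request.X509Certificate) names are
   // expected to hold an X509Certificate[] when the client authenticated with a
   // certificate.
   private void appendClientCertificates(HttpServletRequest request, StringBuffer html, String attributeName)
    {
    Object attr = request.getAttribute(attributeName);
    // instanceof instead of a blind cast: a container that stores something
    // else under this name must not take the whole section down with a
    // ClassCastException.
    X509Certificate[] chain = (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;
    if ((chain != null) && (chain.length > 0))
      {
      // The container is expected to put the client's own certificate first,
      // followed by its issuers; every element is printed, not just the first.
      for (int i = 0; i < chain.length; i++)
        {
        html.append("<br /><b>Subject distinguished name:</b>" +
               esc(chain[i].getSubjectX500Principal().getName()));
        }
      }
    else if ("https".equals(request.getScheme()))
      {
      html.append("<br /><b><i>HTTPS request without a client certificate!</i></b><br />");
      }
    else
      {
      // getScheme() reports what the container itself saw. Behind a
      // TLS-terminating proxy it says "http" even though the client used TLS.
      html.append("<br /><b><i>This is not a HTTPS request!</i></b><br />");
      }
    }

   //getReqHeaders method: every request header, name and first value
   private void getReqHeaders(HttpServletRequest request, StringBuffer html)
    {
    try
     {
     html.append("<br /><b><font color='#cc0000'>Headers:</font></b><br /><br />");
     // Header names and values are chosen by the client. Writing them into the
     // page unescaped, as the original did, is a reflected XSS: a header value
     // containing "<script>" would run in the browser viewing this page.
     // getHeaderNames() may be null when the container withholds headers.
     Enumeration names = request.getHeaderNames();
     while ((names != null) && names.hasMoreElements())
       {
       String name = (String) names.nextElement();
       // getHeader() yields only the first value of a multi-valued header;
       // getHeaders() would be needed to show them all.
       html.append("<b>" + esc(name) + ":</b>" + esc(request.getHeader(name)) + "<br />");
       }
     } catch (RuntimeException e)
         { reportError(html, "request headers", e); }
    }

    //getReqAttribs method: every request attribute, name and toString() of its value
    private void getReqAttribs(HttpServletRequest request, StringBuffer html)
    {
    try
     {
      html.append("<br /><b><font color='#cc0000'>Attributes:</font></b><br /><br />");
      // Attribute values are arbitrary objects set by the container or by
      // filters; their toString() can include internal state, and the text is
      // escaped so it cannot inject markup into the page.
      Enumeration names = request.getAttributeNames();
      while ((names != null) && names.hasMoreElements())
       {
       String name = (String) names.nextElement();
       String value = String.valueOf(request.getAttribute(name));
       html.append("<b>" + esc(name) + ":</b>" + esc(value) + "<br />");
       }
     } catch (RuntimeException e)
         { reportError(html, "request attributes", e); }
    }

  // Appends a generic failure marker for one section and logs the real
  // exception server-side. The original wrote e.getMessage() into the page,
  // which hands internal detail to whoever is making the request.
  private void reportError(StringBuffer html, String section, Exception e)
    {
    log("SecureServlet: could not collect " + section, e);
    html.append("<br />Error: could not collect " + section + "<br />");
    }

  // HTML-escapes a value before it is written into the page. Everything this
  // servlet prints originates in the request (headers, attributes, principal
  // names, certificate DNs), so none of it may reach the page raw. null
  // renders as "null", matching the output of the original concatenation.
  private static String esc(String s)
    {
    if (s == null)
      {
      return "null";
      }
    StringBuffer out = new StringBuffer(s.length() + 16);
    for (int i = 0; i < s.length(); i++)
      {
      char c = s.charAt(i);
      switch (c)
        {
        case '<':  out.append("&lt;");   break;
        case '>':  out.append("&gt;");   break;
        case '&':  out.append("&amp;");  break;
        case '"':  out.append("&quot;"); break;
        case '\'': out.append("&#39;");  break;
        default:   out.append(c);
        }
      }
    return out.toString();
    }
}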