- Types of Authentication
- Using Security Annotations
- Verifying User Identity Programmatically
- Common Attacks on JSP Pages
- Conclusion
Using Security Annotations
The main goal of security annotations (metadata in Java) is to declare dependencies on external resources and configuration tasks. In servlets, two annotations can replace definitions from the web.xml deployment descriptor: @DeclareRoles and @RunAs.
@DeclareRoles defines the roles used for security checking. For example, if we modify the SecureServlet to use this annotation, the result looks like this:

```java
import javax.annotation.security.DeclareRoles;
...
@DeclareRoles("SERVLET-ROLE")
public class SecureServlet extends HttpServlet {
    ...
```
In principle, this annotation replaces the <security-role> element. Specifying @DeclareRoles("SERVLET-ROLE") allows us to remove the role declaration parts (shown in bold in the original listing) from the following web.xml fragment:

```xml
<servlet-name>SecureServlet</servlet-name>
<servlet-class>secure.servlet.SecureServlet</servlet-class>
<security-role-ref>
    <role-name>SERVLET-ROLE-ALIAS</role-name>
    <role-link>SERVLET-ROLE</role-link>
</security-role-ref>
</servlet>
<security-role>
    <role-name>SERVLET-ROLE</role-name>
</security-role>
```
Multiple roles are declared this way:

```java
@DeclareRoles({"role_1", "role_2", "role_3"})
```
@RunAs specifies the run-as role for the given component, which lets the component execute under a particular role, one that has been mapped to a user or group in the SJSAS realm. The @RunAs annotation is equivalent to the <run-as> element in the deployment descriptor (our descriptor doesn't contain a <run-as> element). For example, if we modify the SecureServlet to use this annotation, the result looks like this:

```java
import javax.annotation.security.RunAs;
...
@RunAs("SERVLET-ROLE")
public class SecureServlet extends HttpServlet {
    ...
```
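To show how the two annotations work together with a programmatic role check, here is an added example (not code from the original article) of a complete SecureServlet. It assumes the servlet is still mapped in web.xml as before, that the second role "AUDITOR" is a made-up role name, and that the container's realm maps the declared roles to real users or groups.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declaring roles enforces nothing by itself: it only makes the names known
// to the container so that isUserInRole() below is meaningful and so the
// deployer can map them to users/groups in the realm. ("AUDITOR" is a
// made-up role for this example.)
@DeclareRoles({"SERVLET-ROLE", "AUDITOR"})
// Run-as changes the identity this servlet presents to other components
// (for example EJBs) it calls; it does not change the caller identity that
// getUserPrincipal()/isUserInRole() report inside doGet().
@RunAs("SERVLET-ROLE")
public class SecureServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Fail closed: even when a <security-constraint> protects this URL,
        // re-check the caller so a misconfigured descriptor cannot expose it.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Only the roles declared above should be queried here; the container
        // resolves them through <security-role-ref> aliases if any are defined.
        boolean allowed = req.isUserInRole("SERVLET-ROLE")
                       || req.isUserInRole("AUDITOR");
        if (!allowed) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + req.getUserPrincipal().getName());
    }
}
```

Because @RunAs grants the "SERVLET-ROLE" identity to every downstream call regardless of who the caller is, the programmatic check above is what keeps an unprivileged caller from reaching those components through this servlet.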