- Types of Authentication
- Using Security Annotations
- Verifying User Identity Programmatically
- Common Attacks on JSP Pages
- Conclusion
Verifying User Identity Programmatically
When you need to access security information from your own code, a good technique is to use the HttpServletRequest interface, which provides methods that return security information about the component's caller. These methods let you control access to protected resources programmatically. The following table describes these methods.
| Method | Description |
| --- | --- |
| String getRemoteUser() | Returns the username with which the client authenticated, or null. |
| boolean isUserInRole(String role) | Returns a Boolean value indicating whether the remote user is in a specific security role. |
| String getAuthType() | Returns the name of the authentication scheme used to protect the servlet. |
| Principal getUserPrincipal() | Returns a java.security.Principal object containing the name of the current authenticated user. |
| String getScheme() | Returns the name of the scheme used to make this request; for example, http, https, or ftp. |
All these methods are exemplified in the start.jsp page and in the SecureServlet servlet. You will probably call these methods from a servlet filter, which may be responsible for handling authorization (a filter can act as a gateway to your protected resources). Using a servlet filter provides at least two advantages: you don't need to include security "chunks" in your servlets, and you can add or remove a filter without modifying the rest of the application.
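As an added example (not code from the article's start.jsp or SecureServlet), here is a hypothetical gateway filter that uses these HttpServletRequest methods to authorize callers before a request reaches the protected resources; the class name AdminGateFilter, the /admin/* path and the admin role are assumptions, and the container is assumed to have already authenticated the caller declaratively.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical gateway filter for everything under /admin/*. The container has
// already authenticated the caller (declaratively, via the deployment descriptor
// or security annotations); this filter only makes the programmatic decision.
@WebFilter("/admin/*")
public class AdminGateFilter implements Filter {

    // Assumed role name; it must match a role declared for the application.
    private static final String REQUIRED_ROLE = "admin";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Refuse to serve the protected area over plain HTTP.
        if (!"https".equalsIgnoreCase(request.getScheme())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // Both return null when the container has not authenticated anyone.
        Principal principal = request.getUserPrincipal();
        String user = request.getRemoteUser();
        if (principal == null || user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The role check is evaluated by the container against declared roles.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Expose the scheme used (e.g. BASIC or FORM) to downstream JSPs/servlets.
        request.setAttribute("authType", request.getAuthType());
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Because the filter runs before any servlet or JSP under /admin/*, the downstream components need no security checks of their own, and removing the filter mapping removes the gate without touching them.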