What Will We Secure?
For the examples, we'll secure a JSP page (start.jsp) and a servlet (SecureServlet.java). Notice that these resources are not "Hello World" examples; they are genuinely useful for demonstrating several programmatic security tasks:
- Getting the remote user, user principal, and authentication type
- Checking the user role
- Displaying information about SSL attributes, client-side certificates, and some client request info (headers and attributes)
Listing 1 shows the start.jsp file.
Listing 1 start.jsp.
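<%-- HTML-escape every value echoed from the request: the remote user name,
     principal name and auth type are client-influenced, so writing them raw
     into the page would allow script injection. --%>
<%!
    private static String esc(Object value) {
        String s = String.valueOf(value);
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<html> <head> <title>SecureJSP</title> </head>
<body>
<%-- getUserPrincipal() returns null when the container has not authenticated the
     caller, so it must be null-checked instead of dereferenced with getName(). --%>
<% java.security.Principal principal = request.getUserPrincipal(); %>
<b>Remote User:</b><%= esc(request.getRemoteUser()) %><br />
<b>User Principal:</b><%= esc(principal == null ? null : principal.getName()) %><br />
<b>Authentication Type</b><%= esc(request.getAuthType()) %><br />
<% if (request.isUserInRole("JSP-ROLE")) { %> <b>Is user in JSP-ROLE role ?</b> Yes, it is. <% } else { %> <b>Is user in role ?</b> No, user is not in JSP-ROLE role! <% } %>
</body> </html>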
Listing 2 shows the SecureServlet.java source code.
Listing 2 SecureServlet.java.
package secure.servlet;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
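/**
 * Demonstration servlet that renders programmatic-security information about the
 * current request: the container-authenticated user and a role check, the SSL/TLS
 * request attributes and client certificate chain, and the request headers and
 * attributes.
 *
 * <p>Every value echoed into the page is HTML-escaped first: header values,
 * attribute values and even the remote user name originate from the client, so
 * writing them raw into the response would allow script injection.
 */
public class SecureServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * Handles HTTP POST exactly like GET.
     *
     * @throws ServletException propagated from {@link #doGet}
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Handles HTTP GET: builds the report page in memory, then writes it as UTF-8 HTML.
     * Content-Length is computed over the encoded bytes rather than the character
     * count, so multi-byte characters (e.g. in a certificate subject name) cannot
     * produce a truncated response.
     *
     * @throws IOException if the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        StringBuilder html = new StringBuilder(1024);
        html.append("<html><head><title>SecureServlet</title></head><body>");
        getSecurityInfo(request, html);
        getSSLAttributes(request, html);
        getReqHeaders(request, html);
        getReqAttribs(request, html);
        html.append("</body></html>");

        // Pin the encoding explicitly so the declared length matches the bytes sent.
        byte[] body = html.toString().getBytes("UTF-8");
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.setContentLength(body.length);
        PrintWriter out = response.getWriter();
        out.print(html.toString());
        out.flush();
    }

    /**
     * Appends the container-provided identity information: remote user, principal
     * name, authentication type and a SERVLET-ROLE membership check.
     * getUserPrincipal() returns null for an unauthenticated request, so the
     * principal is null-checked instead of being dereferenced directly.
     */
    private void getSecurityInfo(HttpServletRequest request, StringBuilder html) {
        try {
            html.append("<br /><b><font color='#cc0000'>Security Info:</font></b><br /><br />");
            Principal principal = request.getUserPrincipal();
            String principalName = (principal == null) ? null : principal.getName();
            html.append("<b>Remote User:</b>")
                .append(escapeHtml(request.getRemoteUser())).append("<br />");
            html.append("<b>User Principal:</b>")
                .append(escapeHtml(principalName)).append("<br />");
            html.append("<b>Authentication Type:</b>")
                .append(escapeHtml(request.getAuthType())).append("<br />");
            if (request.isUserInRole("SERVLET-ROLE")) {
                html.append("<b>Is user in SERVLET-ROLE role ? </b> Yes, it is. <br />");
            } else {
                html.append("<b> Is user in SERVLET-ROLE role ? </b> No, it is not. <br />");
            }
        } catch (RuntimeException e) {
            appendError(html, "security info", e);
        }
    }

    /**
     * Appends the TLS-related request attributes and both client-certificate
     * attributes. Attribute values are rendered via String.valueOf, so a missing
     * attribute prints as "null" instead of failing a cast.
     */
    private void getSSLAttributes(HttpServletRequest request, StringBuilder html) {
        try {
            html.append("<b><font color='#cc0000'>SSL Attributes:</font></b><br /><br />");
            // javax.servlet.request.cipher_suite: String naming the cipher suite used by HTTPS, if any
            appendAttribute(request, html, "javax.servlet.request.cipher_suite");
            // javax.servlet.request.key_size: Integer bit size of the negotiated algorithm, if any
            appendAttribute(request, html, "javax.servlet.request.key_size");
            // javax.net.ssl.cipher_suite: name of the SSL cipher suite in use, if the request used SSL
            appendAttribute(request, html, "javax.net.ssl.cipher_suite");

            // javax.net.ssl.peer_certificates: X.509 chain authenticating the client;
            // only present when SSL is used with client authentication.
            html.append("<br /><b>Client Certificates 2.1</b><br />");
            appendCertificates(request, html, "javax.net.ssl.peer_certificates");

            // javax.servlet.request.X509Certificate: for HTTPS requests, carries the
            // client certificate chain under the standard Servlet attribute name.
            html.append("<br /><b>Client Certificates 2.2</b><br />");
            appendCertificates(request, html, "javax.servlet.request.X509Certificate");
        } catch (RuntimeException e) {
            appendError(html, "SSL attributes", e);
        }
    }

    /**
     * Appends one "name is: value" line for the given request attribute.
     */
    private static void appendAttribute(HttpServletRequest request, StringBuilder html, String name) {
        html.append("<b>").append(name).append(" is: </b>")
            .append(escapeHtml(request.getAttribute(name)))
            .append("<br />");
    }

    /**
     * Appends the subject DN of each certificate in the chain stored under
     * {@code attributeName}, or an explanatory line when the chain is absent.
     * The attribute is guarded with instanceof so an unexpected value type is
     * reported as "no certificate" rather than thrown as a ClassCastException.
     */
    private static void appendCertificates(HttpServletRequest request, StringBuilder html,
                                           String attributeName) {
        Object value = request.getAttribute(attributeName);
        X509Certificate[] chain =
            (value instanceof X509Certificate[]) ? (X509Certificate[]) value : null;
        if (chain != null && chain.length > 0) {
            for (X509Certificate cert : chain) {
                html.append("<br /><b>Subject distinguished name:</b>")
                    .append(escapeHtml(cert.getSubjectX500Principal().getName()));
            }
        } else if ("https".equals(request.getScheme())) {
            html.append("<br /><b><i>HTTPS request without a client certificate!</i></b><br />");
        } else {
            html.append("<br /><b><i>This is not a HTTPS request!</i></b><br />");
        }
    }

    /**
     * Appends every request header name with its first value. A null enumeration
     * (the API allows a container to withhold header access) renders as an empty
     * section instead of a NullPointerException.
     */
    private void getReqHeaders(HttpServletRequest request, StringBuilder html) {
        try {
            html.append("<br /><b><font color='#cc0000'>Headers:</font></b><br /><br />");
            Enumeration<?> names = request.getHeaderNames();
            if (names == null) {
                return;
            }
            while (names.hasMoreElements()) {
                String name = String.valueOf(names.nextElement());
                html.append("<b>").append(escapeHtml(name)).append(":</b>")
                    .append(escapeHtml(request.getHeader(name)))
                    .append("<br />");
            }
        } catch (RuntimeException e) {
            appendError(html, "headers", e);
        }
    }

    /**
     * Appends every request attribute name with its value's string form.
     */
    private void getReqAttribs(HttpServletRequest request, StringBuilder html) {
        try {
            html.append("<br /><b><font color='#cc0000'>Attributes:</font></b><br /><br />");
            Enumeration<?> names = request.getAttributeNames();
            if (names == null) {
                return;
            }
            while (names.hasMoreElements()) {
                String name = String.valueOf(names.nextElement());
                html.append("<b>").append(escapeHtml(name)).append(":</b>")
                    .append(escapeHtml(request.getAttribute(name)))
                    .append("<br />");
            }
        } catch (RuntimeException e) {
            appendError(html, "attributes", e);
        }
    }

    /**
     * Records a section failure in the servlet log and appends a generic notice to
     * the page. The exception message is deliberately kept server-side: echoing
     * e.getMessage() to the client discloses internal detail.
     */
    private void appendError(StringBuilder html, String section, RuntimeException e) {
        log("SecureServlet: error rendering " + section, e);
        html.append("<br />Error: could not render ").append(section).append(" section");
    }

    /**
     * Returns the HTML-escaped string form of {@code value}; null renders as "null",
     * matching String.valueOf. Escapes the five characters that can break out of
     * text or attribute context.
     */
    private static String escapeHtml(Object value) {
        String s = String.valueOf(value);
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}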