Verifying User Identity Programmatically
When you need to access security information from code, a good technique is to use the HttpServletRequest interface, which provides methods that expose security information about the component's caller. These methods let you control access to protected resources programmatically. The following table describes these methods.
| Method | Description |
|---|---|
| `String getRemoteUser()` | Returns the username with which the client authenticated, or null. |
| `boolean isUserInRole(String role)` | Returns a Boolean value indicating whether the remote user is in a specific security role. |
| `String getAuthType()` | Returns the name of the authentication scheme used to protect the servlet. |
| `Principal getUserPrincipal()` | Returns a java.security.Principal object containing the name of the current authenticated user. |
| `String getScheme()` | Returns the name of the scheme used to make this request; for example, http, https, or ftp. |
All these methods are demonstrated in the start.jsp page and in the SecureServlet servlet. You will probably call them from a servlet filter, which can be responsible for authorization (a filter can act as a gateway to your protected resources). Using a servlet filter has at least two advantages: you don't need to include security "chunks" in your servlets, and you can add or remove a filter without modifying the rest of the application.
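The gateway filter described above, as an added example that is not part of the original page or its sample application: it uses the table's methods to reject unauthenticated callers, callers outside the required role, and non-HTTPS requests before the protected servlet runs. The filter class name, the `/protected/*` URL pattern, the `manager` role and the Servlet 4.0 `javax.servlet` API (default `init`/`destroy`) are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical gateway filter: guards every resource under /protected/*.
@WebFilter("/protected/*")
public class AuthorizationGatewayFilter implements Filter {

    // Assumed role name; it must match a role declared in web.xml.
    private static final String REQUIRED_ROLE = "manager";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Not authenticated: the container returns null from both methods.
        Principal principal = request.getUserPrincipal();
        if (principal == null || request.getRemoteUser() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but not authorized for this area.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Require a confidential transport for the protected area.
        if (!"https".equalsIgnoreCase(request.getScheme())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Hand the verified identity and scheme to downstream servlets/JSPs
        // so they need no security "chunks" of their own.
        request.setAttribute("verifiedUser", principal.getName());
        request.setAttribute("verifiedAuthType", request.getAuthType());
        chain.doFilter(request, response);
    }
}
```

Note that `getScheme()` reports the scheme the container itself saw, so behind a TLS-terminating proxy it may be `http` unless the container is configured to honour the proxy's forwarded headers.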