ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatz_5.4.0.1/51/sec/secdweb.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Develop secure Web applications</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h3><a name="secdweb"></a>Develop secure Web applications</h3>

<p>Programmatic security is used by security aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of these steps:</p>

<ol>
<li>Add the required security methods in the servlet or JSP code.</li>
<li>Create security-role-ref element with role-name field. This element is not strictly required because the security API isUserInRole() method can use the actual role name as a parameter. However, it is good practice to use role references so the software component is reusable.</li>
</ol>

<p>For a full code example, see <a href="secdwebx.htm">Example: Secure Web application code</a>.</p>

<p><strong>Add required security methods in the servlet code</strong></p>

<p>Programmatic security consists of these methods of the HttpServletRequest interface:</p>
<ul>
<li><p><strong>getRemoteUser()</strong>
<br>This method returns user name the client used for authentication. returns null if no user has been authenticated.</p></li>

<li><p><strong>isUserInRole (String rolename)</strong>
<br>This method returns true if the remote user is granted the specified security role. If remote user is not granted the specified role or if no user is authenticated, it returns false.</p></li>

<li><p><strong>getUserPrincipal()</strong>
<br>This method returns java.security.Principal object containing the remote user name. If no user is authenticated, it returns null.</p></li>
</ul>

<p>Programmatic servlet security methods can be added inside any of the servlet's doGet(), doPost(), doPut(), doDelete() service methods. Here is an example of usage of programmatic security APIs:</p>

<pre>  public void doGet(HttpServletRequest request, HttpServletResponse response) {
    ...
    // to get remote user using getUserPrincipal()
    java.security.Principal principal = request.getUserPrincipal();     
    String remoteUser = principal.getName();
 
    // to get remote user using getRemoteUser()
    remoteUser = request.getRemoteUser();

    // to check if remote user is granted Mgr role
    boolean isMgr = request.isUserInRole(&quot;Mgr&quot;);

    // use the above information in any way as needed by the application 
    ...
  }</pre>

<p><strong>Create security-role-ref element with role-name field</strong></p>

<p>This step is required to programmatically secure an application. If security-role-ref is not created during development, make sure it is created during assembly stage.</p>

<p>When the isUserInRole() method is used, a security-role-ref element should be declared in the deployment descriptor with a role-name element that contains the role name that is passed to this method. Because actual roles are created during the assembly stage of the application, a developer can use the logical role as role name and provide enough hints to the assembler in the description of the security-role-ref element to link that role to the actual role. During assembly, the assembler creates a role-link sub element to link the role-name to the actual role.</p>

<p>You can create the security-role-ref element during development with the WebSphere Development Studio Client:</p>

<ol>
<li>Open the web.xml file for your application. It is located in the WEB-INF directory.</li>
<li>Click the <strong>Security</strong> tab.</li>
<li>Next to the Security roles window, click <strong>Add</strong>. Type a name and a decription for the security role. Repeat this step until you have added all the necessary roles.</li>
<li>Click the <strong>Servlets</strong> tab.</li>
<li>In the Servlets window, select the servlet for which you want to define the security-role-ref element.</li>
<li>Next to the Authorized roles window, click <strong>Edit</strong>.</li>
<li>Select the appropriate roles. Click <strong>OK</strong>.</li>
<li>Save the web.xml file.</li>
</ol>

<p>An example where it is useful to define logical roles is when you want a Web application to access external resources and to control the access to external resources by using its own authorization table (external-resource to remote-user mapping). In this case, the getUserPrincipal() or getRemoteUser() method can be used to get the remote user, and then the application can consult its own Authorization Table to check authorization. The remote user information can also be used to retrieve the corresponding users information from an external source such as database. isUserInRole() can also be used similarly.</p>

<p>Here is an example:</p>

<pre>  &lt;security-role-ref&gt;
    &lt;description&gt;Provide hints to assembler for linking
     this role-name to actual role here&lt;/description&gt;
    &lt;role-name&gt;Mgr&lt;/role-name&gt;
  &lt;/security-role-ref&gt;</pre>

<p>During assembly, the assembler creates role-link as shown below:</p>

<pre>  &lt;security-role-ref&gt;
    &lt;description&gt;Hints provided by developer to
     map role-name to role-link&lt;/description&gt;
    &lt;role-name&gt;Mgr&lt;/role-name&gt;
    &lt;role-link&gt;Manager&lt;/role-link&gt;
  &lt;/security-role-ref&gt;</pre>

</body>
</html>