Authenticating Users Programmatically
This section describes in detail the programmatic authentication methods that Servlet 3.0 added to HttpServletRequest: authenticate(), login() and logout().
Java EE Security
In a multitier enterprise application, several containers are needed to deploy the components of the various tiers. These containers also provide security for the components they host. The container provides two types of security:
- Declarative security
It uses the deployment descriptor (web.xml) or annotations to define the security requirements of the application's components: which URLs are protected, which roles may access them and which login mechanism (BASIC, FORM, ...) the container uses. The application code is not involved.
- Programmatic security
When declarative security is not enough to express the application's security model, programmatic security is employed: the application code itself makes security decisions through the servlet API (for example isUserInRole(), getUserPrincipal() and the authentication methods described below).
Programmatic Authentication
Programmatic authentication is the part of programmatic security that deals with establishing the caller's identity. Instead of the container intercepting a request to a protected resource and running its login mechanism on its own, the application decides when a caller is authenticated and, with login(), how the credentials are collected. Like the rest of programmatic security, it is used when declarative security is not enough to express the application's security model.
In Servlet 3.0, the following methods of HttpServletRequest give us the ability to authenticate the users of a web application programmatically:
- authenticate(HttpServletResponse response) : Asks the container to authenticate the caller using the login mechanism configured for the web application in the <login-config> element of web.xml (for example BASIC or FORM). If the caller is not yet authenticated, the container writes the challenge into the response and commits it (a 401 status with a WWW-Authenticate header for BASIC, a redirect to the login page for FORM) and the method returns false; the application must not write anything else to the response in that case. It returns true once the caller is authenticated. It throws ServletException when authentication fails and the container has not already produced an error response. This is the programmatic way of triggering the same login dialog that a declarative security constraint would trigger.
- login(java.lang.String username, java.lang.String password) : Validates a username and password that the application has collected itself (typically from its own login form) against the realm used by the container's configured login mechanism. No container login dialog is shown, which makes this method an alternative to form-based login. It throws ServletException if the configured login mechanism does not support username/password validation, if a caller identity is already established for the request (getUserPrincipal() is not null), or if the credentials are invalid.
- logout() : Resets the caller identity of the request, so that getUserPrincipal(), getRemoteUser() and getAuthType() return null afterwards.
After a successful authenticate() or login() call, getUserPrincipal(), getRemoteUser(), getAuthType() and isUserInRole() return the authenticated caller's data. Whether the identity established by login() also persists across later requests in the same HTTP session is container-dependent; the Servlet 3.0 specification does not require it, although common containers associate it with the current session.
The following example code shows how to use the login and logout methods :
MySecurityServlet.java
package roseindia;

import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Annotation for defining the Servlet name and its URL pattern
@WebServlet(name = "MySecurityServlet", urlPatterns = { "/MySecurityServlet" })
// Annotation for declaring the roles this servlet tests with isUserInRole()
@DeclareRoles("manager")
public class MySecurityServlet extends HttpServlet {

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            // The application collects the credentials itself ...
            String myUsername = request.getParameter("UserName");
            String myPassword = request.getParameter("Password");
            try {
                // ... and hands them to the container's realm for validation.
                // ServletException: credentials rejected, a caller identity is
                // already established, or the configured login mechanism does
                // not support username/password login.
                request.login(myUsername, myPassword);
            } catch (ServletException ex) {
                // The container's reason goes to the server log only; the
                // client gets a generic message.
                log("Login failed for user " + myUsername, ex);
                out.println("Login Failed");
                return;
            }
            // After a successful login() the caller data is available on the request.
            // The role name must be one declared with @DeclareRoles (or in web.xml).
            out.println("The authenticated user is in Role manager: " + request.isUserInRole("manager"));
            out.println("The authenticated remote username: " + request.getRemoteUser());
            out.println("The authenticated Principal name: " + request.getUserPrincipal().getName());
            out.println("The authentication type: " + request.getAuthType());
        } finally {
            // logout() resets the caller identity, so the authentication
            // established above lasts only for this single request.
            request.logout();
            out.close();
        }
    }

    // The credentials arrive as request parameters. A GET puts them in the URL
    // (browser history, proxy and access logs); a real application should
    // accept them only via POST.
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}
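The MySecurityServlet example above logs the caller out in its finally block, so the identity it establishes lasts for that one request only. The following servlet is an added example, not code from the original page: it shows the session-scoped variant of the same login()/logout() flow together with the checks a practitioner wants around it (credentials accepted on POST only, the "already authenticated" case handled before login() is called, a generic error to the client, and a fresh session started before authentication to defeat session fixation). The servlet name, URL pattern, parameter names and the "manager" role are assumptions, and a <login-config> with a realm that knows the users must be present in web.xml for login() to work.

```java
package roseindia;

import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example, not from the original page. Servlet name, URL pattern,
// parameter names and the "manager" role are assumptions.
@WebServlet(name = "SessionLoginServlet", urlPatterns = { "/SessionLoginServlet" })
@DeclareRoles("manager")
public class SessionLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain;charset=UTF-8");

        if ("logout".equals(request.getParameter("action"))) {
            logoutCaller(request, response);
            return;
        }

        // login() throws ServletException if a caller identity already exists,
        // so test for it explicitly instead of treating it as a bad password.
        if (request.getUserPrincipal() != null) {
            respond(response, "Already authenticated as " + request.getRemoteUser());
            return;
        }

        String username = request.getParameter("UserName");
        String password = request.getParameter("Password");
        if (username == null || password == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Missing credentials");
            return;
        }

        // Session fixation defence: discard any session that existed before
        // authentication and start a fresh one, so a session id planted by an
        // attacker before the victim logged in never becomes the authenticated
        // session. (Servlet 3.1 adds request.changeSessionId() for this.)
        HttpSession preLogin = request.getSession(false);
        if (preLogin != null) {
            preLogin.invalidate();
        }
        request.getSession(true);

        try {
            request.login(username, password);
        } catch (ServletException ex) {
            // Same generic answer whether the user or the password was wrong;
            // the container's reason goes to the server log only.
            log("Login failed for user '" + username + "'", ex);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
            return;
        }

        // Containers such as Tomcat and GlassFish cache the identity established
        // by login() in the current session, so later requests carrying the
        // session cookie arrive already authenticated. This is container
        // behaviour, not something the Servlet 3.0 specification guarantees.
        respond(response, "Authenticated as " + request.getRemoteUser()
                + " (manager: " + request.isUserInRole("manager") + ")");
    }

    // Credentials are accepted on POST only: a GET would put them in the URL,
    // and therefore in browser history, proxy logs and Referer headers.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
    }

    private void logoutCaller(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // logout() resets the caller identity; invalidating the session as well
        // makes sure nothing the container cached there survives.
        request.logout();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        respond(response, "Logged out");
    }

    private static void respond(HttpServletResponse response, String text) throws IOException {
        PrintWriter out = response.getWriter();
        out.println(text);
        out.flush();
    }
}
```

Deploy it behind a <login-config> (BASIC is enough for testing) with a realm that defines a user in the manager role, then POST UserName and Password to /SessionLoginServlet; a second request with the same session cookie should report "Already authenticated", and POSTing action=logout should drop the identity and the session.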
The following example code shows how to use the authenticate method:
MyAuthServlet.java
package roseindia;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "MyAuthServlet", urlPatterns = { "/MyAuthServlet" })
public class MyAuthServlet extends HttpServlet {

    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Delegate to the login mechanism configured in web.xml (for example
        // BASIC). On the first request the container writes the challenge
        // (401 plus WWW-Authenticate) into the response, commits it and
        // returns false; nothing more may be written to the response then.
        // When the browser resends the request with credentials the call
        // returns true. A ServletException signals a failure for which the
        // container has not already produced an error response.
        if (!request.authenticate(response)) {
            return;
        }
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            out.println("Authenticate Successful");
            out.println("The authenticated remote username: " + request.getRemoteUser());
        } finally {
            out.close();
        }
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        processRequest(request, response);
    }
}