Servlet 3.1 - Security Limitations - No web.xml
The Java Servlet 3.0 and 3.1 specifications allow developers to accomplish many of the common tasks based on configuration in Java code rather than through the traditional web.xml file delivery mechanism.
I have all of that working for my application, but when looking for a solution to the application security part, I could not find any reference on how (or whether) it is possible to configure the application security restrictions through code as well.
Basically, I'm looking for a programmatic way to do the following:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>my-secure-webapp</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>SSORole</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>SSORole</role-name>
</security-role>
Does anyone know how to do this?
Thanks
You will find information in the section provided by Mark, but as a shorthand, you can add something like this to your servlet:
@ServletSecurity(httpMethodConstraints = {
    @HttpMethodConstraint(value = "GET", rolesAllowed = "SSORole"),
    @HttpMethodConstraint(value = "POST", rolesAllowed = "SSORole",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL)
})
However, there are still some disadvantages of using annotations for web module security:
- your url-pattern will directly match your servlet mappings; you cannot define /* for the whole application, as you can via web.xml
- unfortunately, there is still no annotation for login-config
So I suggest sticking with web.xml for security definitions a little longer.
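As an added example (not code from the answer above or from any project), the same GET/POST constraint expressed with the Servlet 3.0/3.1 programmatic API (ServletRegistration.Dynamic#setServletSecurity), which like the annotation binds the constraint to one servlet registration rather than to an application-wide pattern. The class SecurityInitializer, the package my.app and the servlet class SecureServlet are assumed names; it also denies the HTTP methods the question's web.xml leaves uncovered.

```java
// Added example: programmatic equivalent of the <security-constraint> above.
// Register it by listing my.app.SecurityInitializer in
// META-INF/services/javax.servlet.ServletContainerInitializer.
package my.app;

import java.util.Arrays;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

public class SecurityInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
        // <security-role><role-name>SSORole</role-name></security-role>
        ctx.declareRoles("SSORole");

        // The constraint applies to this servlet's mappings only, so the servlet
        // itself (assumed class SecureServlet) must be mapped to /*.
        ServletRegistration.Dynamic reg = ctx.addServlet("secure", SecureServlet.class);
        reg.addMapping("/*");

        // GET and POST: <auth-constraint> SSORole, over a confidential (TLS) transport.
        HttpConstraintElement ssoOnly =
            new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "SSORole");
        HttpMethodConstraintElement get = new HttpMethodConstraintElement("GET", ssoOnly);
        HttpMethodConstraintElement post = new HttpMethodConstraintElement("POST", ssoOnly);

        // All other HTTP methods (HEAD, PUT, DELETE, ...) are denied outright. The
        // web.xml in the question lists only GET and POST and so leaves those
        // methods uncovered (Servlet 3.1 closes that with <deny-uncovered-http-methods/>).
        HttpConstraintElement denyRest = new HttpConstraintElement(EmptyRoleSemantic.DENY);

        Set<String> alreadyInWebXml = reg.setServletSecurity(
            new ServletSecurityElement(denyRest, Arrays.asList(get, post)));
        if (!alreadyInWebXml.isEmpty()) {
            // Patterns already constrained in web.xml keep that configuration;
            // the programmatic constraint is ignored for them.
            ctx.log("security constraint already in web.xml for " + alreadyInWebXml);
        }
        // There is still no programmatic equivalent of
        // <login-config><auth-method>CLIENT-CERT</auth-method></login-config>.
    }
}
```

The login-config part (CLIENT-CERT) has no counterpart in this API either, so that element must remain in web.xml.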