Authenticating Users Programmatically

This section contains detailed description on 'authenticating users programmatically' which was introduced in Servlet 3.0.

Authenticating Users Programmatically

Authenticating Users Programmatically

This section contains detailed description on 'authenticating users programmatically' which was introduced in Servlet 3.0.

Java EE Security

In a multitier enterprise application, several containers are needed to deploy various components of Enterprise tiers. These container also provide security to these components. Two types of security is provided by the container :

  • Declarative security  
    It uses deployment descriptor (web.xml) or annotations , to define security essentials of application's components.

  • Programmatic security
    When declarative security is not enough to hold the application's security model, programmatic security is employed.

 

Programmatic Authentication

Programmatic authentication is the part of programmatic security. Programmatic security is used, when declarative security is not enough to hold the application's security model.

In Servlet 3.0, using following methods of HttpServletRequest provide us ability to authenticate users of  a web application programmatically :

  • authenticate(HttpServletResponse response) : Using authenticate method, application container can do requested caller authentication  by collecting username and password through login dialog box. It is an alternative of form-based login.

  • login(java.lang.String username, java.lang.String password) : Using authenticate method, application container collect username and password using login dialog box. It is an alternative of form-based login.

  • logout() :Using this method an application can reset the caller identity of a request.

The following example code shows how to use the login and logout methods :

MySecurityServlet.java

package roseindia;

import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

//Annotation for defining the Servlet name and its URL pattern
@WebServlet(name = "MySecurityServlet", urlPatterns = { "/MySecurityServlet" })
// Annotation for declaring roles
@DeclareRoles("manager")
public class MySecurityServlet extends HttpServlet {

protected void processRequest(HttpServletRequest request,
HttpServletResponse response)

throws ServletException, IOException {

response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();

try {

String myUsername = request.getParameter("UserName");
String myPassword = request.getParameter("Password");

try {

request.login(myUsername, myPassword);

} catch (ServletException ex) {

out.println("Login Failed" + ex.getMessage());

return;

}

out.println("The authenticated user is in Role: "
+ request.isUserInRole("securityguy"));
out.println("The authenticated remote username: "
+ request.getRemoteUser());
out.println("The authenticated Principal name: "
+ request.getUserPrincipal());
out.println("The authentication type: " + request.getAuthType());

} catch (Exception e) {

throw new ServletException(e);

} finally {

request.logout();

out.close();

}

}

public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

processRequest(request, response);

}

public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

processRequest(request, response);

}
}

The following example code shows how to use the authenticate method:

MyAuthServlet.java

package roseindia;

import java.io.*;
import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet(name="MyAuthServlet", urlPatterns={"/MyAuthServlet"})
public class MyAuthServlet extends HttpServlet {
protected void processRequest(HttpServletRequest request,
HttpServletResponse response)

throws ServletException, IOException {

response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();

try {

// Launch the BASIC authentication dialog
request.authenticate(response);
out.println("Authenticate Successful");

} finally {
out.close();
}
}

public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}

public void doPost(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
processRequest(request, response);
}
}

Tutorials

  1. Specifying Security for Basic Authentication using @ServletSecurity
  2. Specifying an Authentication Mechanism in the Deployment Descriptor
  3. Authenticating Users Programmatically
  4. Assembling web.xml from fragments
  5. Ordering of web fragments
  6. Introduction to web fragment
  7. @MultipartConfig
  8. @WebListener
  9. @WebFilter
  10. @WebInitParam
  11. @WebServlet
  12. AsyncListener Example
  13. Class AsyncEvent important methods
  14. AsyncContext complete method example
  15. AsyncContext Interface addListener
  16. AsyncListener Interface important methods
  17. AsyncContext Interface important methods
  18. AsyncContext Example
  19. AsyncContext Interface dispatch method
  20. ServletRequest Interface startAsync method
  21. Servlet 3.0 Tutorial