Enhanced Servlet and JSP security without modifying code

Compiling Servlet and JSP is easy, but we usually face many security problems. Of course, we will add a lot of security code to the program to solve this problem, but adding such security hard code will make the program inflexible and difficult to maintain. Therefore, this article provides a method to achieve security without modifying the code, and provides an example for instructions.

In this example, a user name, password, and SSL at the transport layer are used to protect the war file of the application. The user name and password are transmitted in plain text over the network. You do not need to edit the Java code and JSP pages in the application. To secure Servlet and JSP pages, we only need to configure the web. xml file.

1. Set the XML file

The first step to configure the web. xml file is to define a security constraint, that is, a <security-constraint> label. This label protects the response URL so that specific users can access it. Note that you must use the
After completing the preceding settings, set SSL next. You can use the <user-data-constraint> label and a sub-label <transport-guarantee> of this label to set the label. But set the value of <transport-guarantee> to CONFIDENTIAL.

In the last step, we need to set the verification method. You need to set the <login-config> tag and sub-tag <auth-method>. Here we set <auth-method> to BASIC. The following is part of the web. xml file:

 
 

  
  
<security-constraint> 
  
  
      < web-resource-collection> 
  
  
         <web-resource-name>Servlet Application  
  
  
         </web-resource-name> 
  
  
         <url-pattern>/*</url-pattern> 
  
  
      </web-resource-collection> 
  
  
      <auth-constraint> 
  
  
         <role-name>ttrole</role-name> 
  
  
      </auth-constraint> 
  
  
      <user-data-constraint> 
  
  
         <transport-guarantee>CONFIDENTIAL  
  
  
         </transport-guarantee> 
  
  
      </user-data-constraint> 
  
  
   </security-constraint> 
  
  
   <login-config> 
  
  
      <auth-method>BASIC</auth-method> 
  
  
      <realm-name>default</realm-name> 
  
  
   </login-config> 
  
  
 
  
  
   <security-role> 
  
  
      <role-name>ttrole</role-name> 
  
  
  </security-role> 
 
 

In the preceding example, only the user "ttrole" can access Servlet and JSP pages.

These user authentication will be used in the Java EE environment, but in many operating system environments, users and groups are associated. Therefore, security-role-mapping provides a bridge between user header groups. In the Java EE 5 App server, we can define the security-role-mapping label in the sun-application.xml file as follows:

 
 

  
  
<sun-application> 
  
  
     <security-role-mapping> 
  
  
       <role-name>myrole</role-name> 
  
  
       <principal-name>myuser</principal-name> 
  
  
     </security-role-mapping> 
  
  
     <security-role-mapping> 
  
  
       <role-name>ttrole</role-name> 
  
  
       <group-name>ttgroup</group-name> 
  
  
     </security-role-mapping> 
  
  
     <security-role-mapping> 
  
  
       <role-name>arole</role-name> 
  
  
       <principal-name>ttuser</principal-name> 
  
  
     </security-role-mapping> 
  
  
   </sun-application> 
 
 

Ii. Run the instance code

In this section, let's talk about how to run the above program. Here, we use the integrated development environment NetBeans IDE 5.5 and NetBeans Enterprise Development Kit. After installing NetBeans, we need to take the following steps to run the program.

1. First, we need to download this program. The download link is the sample code. Decompress the package.

2. Start NetBeans.

3. Open the NetBeans project in the zip file of the webann project.) If a "Resolve missing server problem" prompt is displayed, the application server has not been added to the server list of NetBeans. You can select Tools> Server Manager and add the corresponding servers to the list.

4. Start the Java System Application Server embedded in NetBeans by Sun. You can also run the following command to start the server:
<Appserv_install_dir>/bin/asadmin start-domain domain1
The above <appserv_install_dir> is the installation directory of the application server.

5. Create a user. You can use the console to complete http: // localhost: 4848 by default. follow these steps:
(1) Select Configuration> Security> Realms> file from the Management tree on the left.
(2) Click "Manage Users", and then click "New ".
(3) enter the input information.
User Id: ttuser
Group List: ttgroup
New Password: ttpassword
Confirm New Password: ttpassword
(4) Click "OK" to save the settings.

After creating the first user, use the same method to create the second user ttusers2. The input information is as follows:
User Id: ttuser2
Group List: ttgroup
New Password: ttpassword
Confirm New Password: ttpassword

6. Follow these steps to compile the NetBeans project:
(1) Right-click the webann node in the project window.
(2) Select "Clean and Build Project ".
In this step, create the ear files and put them in the webann/dist directory.

7. Follow these steps to publish the ear file:
(1) Right-click the webann node in the project.
(2) Select "Deploy Project ".

In addition to the above release method, we can also publish through the Management Interface in the following ways:
(1) In the left-side control tree, choose Applications> Enterprise Applications.
(2) Click Deploy ".
(3) Click "Browser" to find the ear File
(4) Click "OK ".

You can also use the following command line to publish the ear file:
Asadmin deploy webann. ear

8. start the browser and enter https: //
The authentication information may vary depending on the browser, but an "unknown authority" usually appears, because self-sign authentication is used in this example. Then, the browser displays an option prompting you whether to continue browsing the application.

If we choose to continue browsing the application, the system will prompt us to enter the user name and password. If we use ttuser to log on, we will see a response similar to the following:
Hello, ttuser
Ejb Message: Hello, World, Sat Jun 30 12:04:46 PDT 2007
DataSource login timeout: 0

If we use ttuser2 to log on, we will see a response similar to the following:
Hello, ttuser2
DataSource login timeout: 0

Their response information is different because they have different roles. ttuser owns "ttrole" and "arole ". Ttuser2 only has "ttrole", but not "arole ". In this application, only users with the role "arole" can call the SlessLocal. hello (String message) method. This method returns a "Hello, World" message.

After running this program, you can uninstall the ear file by following the steps below:
1. Uninstall the ear file on the management interface.
(1) select Applications> Enterprise Applications in the left-side function tree.
(2) Select "webann" and click "Undeploy ".

2. delete a user on the management interface.
(1) choose Configuration> Security> Realmn> file.
(2) Click "Manage Users ".
(3) Select ttuser and ttuser2.
(4) Click "Delete ".

1. How to Improve Servlet and JSP Application Efficiency
2. Pass Chinese parameters between Flex and Jsp
3. Brief Introduction to JSP database links
4. China's IPTV research goals are world-leading
5. 3G and IPTV are the Development Trend