Writing JSPs and servlets is easy, but they usually bring a lot of security problems with them. Of course, we can add security code to the program to solve them, but hard-coding security this way makes the program inflexible and difficult to maintain. Therefore, this article gives a method for achieving security without modifying the code, and provides an example to illustrate it.
The example in this article protects the application's WAR file with a user name and password, plus SSL at the transport layer; BASIC authentication sends the user name and password across the network in clear text, which is why the SSL requirement is added. None of this requires editing the application's Java code or JSP pages: to secure the servlets and JSP pages, all we have to do is configure the web.xml file.
First, set up the XML file
The first step in configuring web.xml is to define a security constraint with the <security-constraint> tag. This tag protects the URLs it matches so that only users in a specific role can access them. Note that we have to define one or more HTTP methods using the
After finishing the above settings, you need to set up SSL next. This is done with the <user-data-constraint> tag and its child tag <transport-guarantee>, whose value is set to CONFIDENTIAL.
In the final step, we need to set up an authentication method. This requires the <login-config> tag and its child tag <auth-method>. Here we set <auth-method> to BASIC. The following is part of the web.xml file:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Servlet Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>ttrole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>
<security-role>
    <role-name>ttrole</role-name>
</security-role>
In the above example, only users in the role "ttrole" can access the servlet and JSP pages.
These roles are defined in the Java EE environment, but the actual users and groups usually live in the operating system or the application server's realm. The security-role-mapping element therefore provides the bridge between roles and users or groups. In the Java EE 5 application server, we can use security-role-mapping tags in the sun-application.xml file in the following way:
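As an added example (not part of the original article), the following script audits a web.xml for the settings discussed above: it flags any security-constraint whose transport-guarantee is not CONFIDENTIAL, warns when BASIC authentication is combined with such a constraint (credentials would cross the network in clear text), reports roles used in an auth-constraint but never declared in a security-role, and points out constraints that list explicit http-method elements, since unlisted methods are then left unprotected. The web.xml content is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the article's constraint plus a deliberately weak one.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><web-resource-name>Servlet Application</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>ttrole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>adminrole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>default</realm-name></login-config>
  <security-role><role-name>ttrole</role-name></security-role>
</web-app>"""

def _kids(elem, name):
    # Match on the local name so the web-app namespace does not matter.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else ""

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the constraints match the article's setup."""
    root = ET.fromstring(xml_text)
    declared = {_text(r, "role-name") for r in _kids(root, "security-role")}
    auth = "".join(_text(lc, "auth-method") for lc in _kids(root, "login-config")).upper()
    findings = []
    for sc in _kids(root, "security-constraint"):
        wrcs = _kids(sc, "web-resource-collection")
        name = _text(wrcs[0], "web-resource-name") if wrcs else "<unnamed>"
        guarantee = "".join(_text(u, "transport-guarantee") for u in _kids(sc, "user-data-constraint")).upper()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"{name}: transport-guarantee is {guarantee or 'absent'}, not CONFIDENTIAL")
            if auth == "BASIC":  # BASIC sends credentials unencrypted unless SSL is enforced
                findings.append(f"{name}: BASIC credentials would cross the network in clear text")
        for ac in _kids(sc, "auth-constraint"):
            for rn in _kids(ac, "role-name"):
                role = (rn.text or "").strip()
                if role not in declared and role not in ("*", "**"):
                    findings.append(f"{name}: role {role!r} is not declared in security-role")
        if any(_kids(w, "http-method") for w in wrcs):  # only the listed methods are constrained
            findings.append(f"{name}: explicit http-method list leaves unlisted methods unprotected")
    return findings
```

Running `audit_web_xml(SAMPLE_WEB_XML)` reports nothing for the article's constraint and four findings for the weak "Admin pages" constraint.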
<sun-application>
    <security-role-mapping>
        <role-name>myrole</role-name>
        <principal-name>myuser</principal-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>ttrole</role-name>
        <group-name>ttgroup</group-name>
    </security-role-mapping>
    <security-role-mapping>
        <role-name>arole</role-name>
        <principal-name>ttuser</principal-name>
    </security-role-mapping>
</sun-application>
Second, run the example code
In this section, let's talk about how to run the above program. The integrated development environment used here is NetBeans IDE 5.5 with the NetBeans Enterprise Development Kit. After installing NetBeans, we need to do the following steps to run this program.
1. First we need to download this program (download link: example code) and then unzip it.
2. Start NetBeans.
3. Open the Webann project (the NetBeans project in the zip file). If a "Resolve Missing Server Problem" message appears, the application server has not been added to NetBeans' list of servers; select Tools > Server Manager and add the appropriate server to the list.
4. Start the Sun Java System Application Server bundled with NetBeans. We can also start the server by entering the following command at the command line:
<appserv_install_dir>/bin/asadmin start-domain domain1
Here <appserv_install_dir> is the installation directory of the application server.