Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authorizing access to resources > Authorization technology > Authorization providers


Java Servlet 3.0 support for security

This release of WAS supports all security updates defined in the Java Servlet 3.0 specification (JSR-315).

New feature: The supported updates include the new servlet security annotations, the new programmatic security APIs (the authenticate, login and logout methods of HttpServletRequest), and the dynamic updating of the servlet security configuration.

A significant enhancement is the new annotation support for servlets. A developer can declare security constraints with annotations on the servlet class as an alternative to declaring them in the web.xml deployment descriptor, which was the only mechanism before Java Servlet 3.0. The web.xml file continues to function and takes precedence: where the deployment descriptor and an annotation conflict, the deployment descriptor wins. (If web.xml sets metadata-complete="true", the container does not scan for annotations at all, and annotation-declared constraints are not applied.) Because the effective constraints can now come from two places, an authorization review must read both the annotations and the descriptor.

The supported Java Servlet 3.0 updates for security are:

Support for the @ServletSecurity annotation
Support for the dynamic updating of the @RunAs, @DeclareRoles, and @ServletSecurity servlet security annotations
Support for the authenticate, login and logout servlet security methods
The com.ibm.websphere.security.displayRealm custom property for HTTP basic authentication

The following discusses the Java Servlet 3.0 updates for security in more detail:

Support for the @ServletSecurity annotation:

When an application deploys, the ServletSecurity MergeAction implementation finds all servlets that carry the ServletSecurity annotation. For each annotated class, it locates the servlet definition based on the WebServlet annotation. If a role named in the rolesAllowed attribute of the ServletSecurity annotation is not declared in the deployment descriptor, it adds a role-name entry for that role to the deployment descriptor.

When an application starts, the web container inspects all servlets with the RunAs, DeclareRoles, and ServletSecurity annotations and applies them through the same programmatic interface that a ServletContextListener can use: setRunAsRole() and setServletSecurity() on ServletRegistration.Dynamic, and declareRoles() on ServletContext. The web container then notifies the security component to inspect every ServletRegistration that has URL patterns and security constraints. For each URL pattern, the security component checks whether the deployment descriptor already defines it. If it does not, the security constraints and RunAs role from the annotation are created for that URL pattern and used. If an exact match is already defined in the deployment descriptor, the security constraints and RunAs role from the deployment descriptor are used and the annotation data for that URL pattern is ignored.

Read the Security annotations topic for more information.
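As an added example (not code from the WebSphere Application Server documentation), the following servlet declares its constraints with @ServletSecurity instead of web.xml. The class name, URL pattern and role name are hypothetical. The comment at the end shows the descriptor the container effectively derives from the annotation, and the deny-by-default HttpConstraint is the part most often missed: a bare @ServletSecurity permits everyone.

```java
// Added example; not code from the WebSphere Application Server documentation.
// The servlet class, URL pattern and role names are hypothetical.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(name = "AccountServlet", urlPatterns = {"/account/*"})
@ServletSecurity(
    // Default for every HTTP method not listed in httpMethodConstraints: deny
    // all callers. A bare @ServletSecurity (or an @HttpConstraint with no roles)
    // means PERMIT, so an explicit DENY default is what closes the gap for
    // unlisted verbs such as HEAD, OPTIONS, TRACE or a custom method.
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = {"accountholder"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = {"accountholder"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already enforced the constraint: only callers in
        // "accountholder", over HTTPS, reach this point. Defence in depth: check
        // the role again so a later descriptor edit that loosens the URL
        // constraint does not silently expose the handler.
        if (!req.isUserInRole("accountholder")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("account of " + req.getUserPrincipal().getName());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}

/*
 * What the container derives from the annotation at deployment, written as the
 * equivalent web.xml for reference. The MergeAction adds the <security-role>
 * entry for "accountholder" if web.xml does not already declare it.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>AccountServlet</web-resource-name>
 *       <url-pattern>/account/*</url-pattern>
 *       <http-method>GET</http-method>
 *       <http-method>POST</http-method>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>accountholder</role-name></auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>AccountServlet-other-methods</web-resource-name>
 *       <url-pattern>/account/*</url-pattern>
 *       <http-method-omission>GET</http-method-omission>
 *       <http-method-omission>POST</http-method-omission>
 *     </web-resource-collection>
 *     <auth-constraint/>   <!-- empty auth-constraint: deny everyone -->
 *   </security-constraint>
 *   <security-role><role-name>accountholder</role-name></security-role>
 *
 * If web.xml itself contains a <security-constraint> whose <url-pattern> is
 * exactly "/account/*", the descriptor's constraint is applied for that pattern
 * and the annotation is ignored.
 */
```

When auditing such a servlet, compare the annotation against every security-constraint in web.xml for the same url-pattern; an exact match in the descriptor replaces the annotation silently, and a metadata-complete="true" descriptor disables it altogether.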

Support for the dynamic updating of the @RunAs, @DeclareRoles, and @ServletSecurity servlet security annotations:

When an application starts, the web container inspects all servlets with the RunAs, DeclareRoles, and ServletSecurity annotations, together with any servlets that the application registers programmatically while it starts (for example from a ServletContextListener or ServletContainerInitializer), and applies their security data through setRunAsRole() and setServletSecurity() on ServletRegistration.Dynamic and declareRoles() on ServletContext. The web container notifies the security component to inspect every ServletRegistration that has URL patterns and security constraints. The security component then checks whether each URL pattern is defined in the deployment descriptor. If an exact match is already defined in the deployment descriptor, the security constraints and RunAs role from the deployment descriptor are used instead of the dynamic data. setServletSecurity() reports this by returning the set of URL patterns for which the dynamic constraint was not applied; an application that ignores that return value gets no other indication that its constraint was superseded.

Read the Servlet security dynamic annotations topic for more information.
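As an added example (not code from the WebSphere Application Server documentation), the listener below registers a servlet with no annotations and applies the same three pieces of security data dynamically: declareRoles(), setRunAsRole() and setServletSecurity(). The listener, servlet, mapping and role names are hypothetical. The point it demonstrates is the return value of setServletSecurity(): the patterns it returns are the ones web.xml already defines exactly, for which the dynamic constraint was dropped.

```java
// Added example; not code from the WebSphere Application Server documentation.
// The listener, servlet, mapping and role names are hypothetical.
package example;

import java.io.IOException;
import java.util.Arrays;
import java.util.Set;
import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebListener
public class AuditServletRegistrar implements ServletContextListener {

    /** Servlet registered programmatically below; it carries no annotations at all. */
    public static class AuditReportServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("audit report for " + req.getUserPrincipal().getName());
        }
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Equivalent of @DeclareRoles: make the roles known to the container
        // (and to a JACC provider) even though web.xml never mentions them.
        ctx.declareRoles("auditor", "report-generator");

        ServletRegistration.Dynamic reg =
                ctx.addServlet("AuditReportServlet", AuditReportServlet.class);
        reg.addMapping("/reports/audit");

        // Equivalent of @RunAs: downstream calls run with the "report-generator" role.
        reg.setRunAsRole("report-generator");

        // Equivalent of @ServletSecurity: deny every method by default and allow
        // only GET, over TLS, to callers in the "auditor" role.
        HttpConstraintElement denyByDefault =
                new HttpConstraintElement(EmptyRoleSemantic.DENY);
        HttpMethodConstraintElement getForAuditors = new HttpMethodConstraintElement(
                "GET", new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "auditor"));
        ServletSecurityElement security =
                new ServletSecurityElement(denyByDefault, Arrays.asList(getForAuditors));

        // setServletSecurity returns the URL patterns for which the dynamic
        // constraint was NOT applied because web.xml already has an exact match.
        // Nothing is thrown, so an unchecked return value is how a constraint
        // gets silently replaced by whatever the descriptor says.
        Set<String> notApplied = reg.setServletSecurity(security);
        if (!notApplied.isEmpty()) {
            ctx.log("Dynamic security constraint ignored for " + notApplied
                    + "; the web.xml constraint is in effect, verify it is at least as strict");
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

These calls are only legal before the ServletContext finishes initializing (a listener declared in web.xml, a web fragment, or with @WebListener, or a ServletContainerInitializer); afterwards they throw IllegalStateException. The logged warning is the deployer's cue to diff the descriptor's constraint for /reports/audit against the one the code intended.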

WAS supports both a default authorization provider and an authorization provider based on the Java Authorization Contract for Containers (JACC) specification. A JACC-based authorization provider (for example, Tivoli Access Manager) enables a third-party security product to handle Java EE authorization. The RunAs, DeclareRoles, and ServletSecurity annotations are supported for both the default (native) authorization and for JACC; with JACC, the constraints derived from annotations and dynamic registration are propagated to the provider in the same way as descriptor-defined ones.

Support for the authenticate, login and logout servlet security methods:

The authenticate method authenticates a user by using the WAS container login mechanism configured for the servlet context (the login-config in web.xml, for example BASIC or FORM). It returns true when a caller identity is established; it returns false when it has instead committed the response to start the login (a 401 challenge or a redirect to the login form), so the servlet must not write to the response after a false return.

The login method authenticates a user to WAS with a user ID and password supplied by the application. If authentication is successful, it creates a user subject on the thread and Lightweight Third Party Authentication (LTPA) cookies (if single sign-on (SSO) is enabled). If the credentials are invalid, if the configured login mechanism does not support user ID and password authentication, or if a caller identity was already established, the method throws ServletException. Because the application handles the raw credentials, it must accept them only over TLS and return the same response for every failure reason.

The logout method logs the user out of WAS and invalidates the HTTP session. The Servlet 3.0 specification itself only requires logout to clear the caller identity, so code that must also run on other containers should invalidate the session explicitly.

Read the Servlet security methods topic for more information.
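As an added example (not code from the WebSphere Application Server documentation), the servlet below uses all three programmatic methods: request.login() on a login endpoint, request.logout() on a logout endpoint, and request.authenticate() on a resource that triggers the configured login mechanism on demand. The servlet, paths and parameter names are hypothetical. It handles the failure modes described above: refusing credentials over plaintext, the already-authenticated case that makes login() throw, the session-fixation window around login, and the false return from authenticate().

```java
// Added example; not code from the WebSphere Application Server documentation.
// The servlet, URL paths and parameter names are hypothetical.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/auth/*")   // no @ServletSecurity: these endpoints are reachable unauthenticated
public class ProgrammaticAuthServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setHeader("Cache-Control", "no-store");
        String path = req.getPathInfo();
        if ("/login".equals(path)) {
            login(req, resp);
        } else if ("/logout".equals(path)) {
            logout(req, resp);
        } else {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!"/whoami".equals(req.getPathInfo())) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // authenticate() drives the mechanism from <login-config>. true: a caller
        // identity exists or was just established. false: the container has already
        // committed the response (401 challenge or redirect to the login form), so
        // nothing more may be written.
        if (!req.authenticate(resp)) {
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println(req.getUserPrincipal().getName());
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Credentials arrive in the request body: refuse them over plaintext.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // login() throws ServletException if a caller identity already exists;
        // handle that case explicitly instead of as a generic failure.
        if (req.getUserPrincipal() != null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "already logged in");
            return;
        }
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (user == null || password == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Session fixation: drop any pre-authentication session so a session id
        // chosen by an attacker does not survive into the authenticated state
        // (Servlet 3.0 has no changeSessionId(); that arrived in 3.1).
        HttpSession pre = req.getSession(false);
        if (pre != null) {
            pre.invalidate();
        }
        try {
            req.login(user, password);   // on WAS: subject on the thread, LTPA cookie if SSO
        } catch (ServletException e) {
            // Bad credentials, or the mechanism does not support user ID/password.
            // Same status either way, so the endpoint is not a credential oracle.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.getSession(true);            // fresh session for the authenticated caller
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.logout();   // clears the caller identity; on WAS also invalidates the session
        // Portable fallback: the specification does not make logout() invalidate
        // the session, so do it here if the container left it alive.
        try {
            HttpSession s = req.getSession(false);
            if (s != null) {
                s.invalidate();
            }
        } catch (IllegalStateException alreadyInvalid) {
            // the container invalidated it already
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The login endpoint deliberately returns 401 for every failure reason, and the new session is created only after login() succeeds; on WAS the LTPA cookie set by login() is what carries the identity across requests when SSO is enabled, so a logout that leaves that cookie valid would not end the session even if the HttpSession is gone.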

The new com.ibm.websphere.security.displayRealm security custom property specifies whether the HTTP basic authentication login window displays the realm name that is defined in the application web.xml file (the realm-name element under login-config, which the server sends to the browser in the WWW-Authenticate header). If the realm name is not defined in the web.xml file, what is displayed depends on the value of the property. Whatever is displayed is visible to every unauthenticated client that receives the challenge, so avoid exposing an internal registry or domain name there.

Read the Security custom properties topic for more information.
Related

Security annotations
Servlet security dynamic annotations
Security constraints in web applications
Authorization providers
Servlet security methods
Security custom properties
JACC policy propagation
Java Platform, Enterprise Edition 6 API Specification annotations: ServletSecurity, HttpConstraint, HttpMethodConstraint
Interface ServletRegistration.Dynamic: setRunAsRole, declareRoles, setServletSecurity
JSR 315: Java Servlet 3.0 Specification
