Using Programmatic Security with Web Applications

Start course
2h 6m

This course takes an in-depth look at security in Java Enterprise Edition. We'll cover a wide range of topics as listed below. Finally, we'll round off the course by taking a look at some example exam questions similar to those you can expect to find on the Oracle Certified Java EE exams.

Learning Objectives

  • Understand the fundamentals of security in Java EE
  • Learn the following concepts and features:
    • Securing GlassFish server
    • Working with users, groups, and roles
    • SSL
    • Securing your web applications
    • Securing enterprise beans
    • Digital certificates
    • Security architecture
    • Security threats
    • And much more...

Intended Audience

This course is intended for anyone who already has basic knowledge of Java and now wants to learn about Java Enterprise Edition.


Basic knowledge of Java programming


Hello there. In this lesson, we'll take a look at using programmatic security with Web applications. So, let's start. Programmatic security is used by security aware applications. When declared of security alone is not sufficient to express the security model of the application. Some methods of the http servlet request interface enable you to authenticate users for a web application programmatically. Authenticate, which allows an application to instigate authentication of the request caller by the container from within an unconstrained request context. A login dialog box displays and collects the user name and password for authentication purposes. 

Login, which allows an application to collect user name and password information as an alternative to specifying form based authentication in an application deployment descriptor. Logout, which allows an application to reset the caller identity of a request. Here's the code to see how to use login and logout methods. Request login. I hope it's clear. In general, security management should be enforced by the container in a manner that is transparent to the Web component. Servlet 3.0 specifies the following methods that enable you to access security information about the components caller. getRemoteUser, which determines the username with which the client authenticated.

The getRemoteUser method returns the name of the remote user, the caller associated by the container with the request. If no user has been authenticated, this method returns null. IsUserInRole, which determines whether a remote user is in a specific security role. If no user has been authenticated, this method returns false. This method expects a string user role name parameter. The security role ref element should be declared in the deployment descriptor with a role named sub element containing the role name to be passed to the method. Using security role references is discussed in declaring and linking role references. GetUserPrincipal, which determines the principal name of the current user and returns a object. If no user has been authenticated, this method returns null. 

Calling the get name method on the principal returned by getUserPrincipal returns the name of the remote user. Your application can make business logic decisions based on the information obtained using these APIs. Here's the code to see the use of programmatic security for the purposes of programmatic login. This servlet does, it displays information about the current user. It prompts the user to log in. It prints out the information again to demonstrate the effect of the login method. It logs the user out. It prints the information again to demonstrate the effect of the log out method. I hope it's clear.

Declaring and Linking Role References. A security role reference is a mapping between the name of a role that is called from a web component using isUserInRole string role and the name of a security role that has been defined for the application. If no security role ref element is declared in a deployment descriptor and the UserInRole method is called the container defaults to checking the provided role name against the list of all security roles to find for the Web application. Using the default method instead of using the security role Ref element limits your flexibility to change role names in an application without also recompiling the servlet making the call. The security role ref element is used when an application uses the httpServletRequest.isUserInRole string role. The value passed to the isUserRole method is a string representing the role name of the user. The value of the role name element must be the string used as a parameter to the httpServletRequest.isUserInRole string role. The role link must contain the name of one of the security roles defined in the security role elements. The container uses the mapping of the security role ref to security role when determining the return value of the call.

For example, to map the security role reference cast to the security role with the role name, bank customer, the syntax would be, if the servlet method is called by a user in the bank customer security role, isUserInRole cast returns True. The role link element in the security role ref element must match a role name defined in the security role element of the same web.xml deployment descriptor as shown here. A security role reference, including the name defined by the reference is scoped to the component whose deployment descriptor contains the security role ref deployment descriptor element. So, that's it. Hope to see you in our next lesson. Have a nice day.


About the Author
Learning Paths

OAK Academy is made up of tech experts who have been in the sector for years and years and are deeply rooted in the tech world. They specialize in critical areas like cybersecurity, coding, IT, game development, app monetization, and mobile development.

Covered Topics