Secure a Web application, Java-style

Use Java's multiple-layer security implementation to protect your Web

  • Digg
  • Reddit
  • SlashDot
  • Stumble
  • del.icio.us
  • Technorati
  • dzone

Page 2 of 6

Use forms to authenticate clients

A common way for servlet-based systems to perform authentication is to use the session to store information indicating that a user has logged into the system. In this scheme, the authentication logic uses the HttpSession object maintained by the servlet engine in the Web server.

A base servlet that knows about authentication is helpful here. Because every request to a servlet passes through its service method, servlets that extend BaseServlet inherit the security check from that one method instead of repeating it. All code used in this example can be found in Resources.

The service method is shown in the following code snippet:

   public void service(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException
   {
      // check to see if a session has already been created for this user;
      //   don't create a new session yet.
      HttpSession session = request.getSession( false);
      String requestedPage = request.getParameter(Constants.REQUEST);
      if ( session != null)
      {
         // retrieve the authentication flag from the session; it is null when
         //   a session exists but the user has never logged in
         Boolean isAuthenticated =
            (Boolean) session.getAttribute(Constants.AUTHENTICATION);
         // if the user is not authenticated
         if ( isAuthenticated == null || !isAuthenticated.booleanValue() )
         {
            // process the unauthenticated request and stop here
            unauthenticatedUser(response, requestedPage);
            return;
         }
      }
      else // the session does not exist
      {
         // therefore the user is not authenticated:
         // process the unauthenticated request and stop here
         unauthenticatedUser(response, requestedPage);
         return;
      }
      // the user is authenticated: let the extending servlet handle the request
      super.service(request, response);
   }


Notice that you can expand this method to perform other generic functions as well. In this example, I developed only the security aspects of this class.

The BaseServlet first asks the servlet engine for an existing session. If one exists, the servlet then checks the flag stored in it to verify that the user has been granted access to the system. Should either of these checks fail, the servlet redirects the browser to the login screen.

On the login screen, the user is prompted for a username and password. Note that the data passed from the browser to the Web server travels in clear text unless you use Secure Socket Layer (SSL).

The LoginServlet uses the username/password combination to query the database to ensure that this user does indeed have access to the system. If the check fails to return a record for that user, the login screen is redisplayed. If the check is successful, the following code stores the user authentication information inside a session variable.

   // create a session
   session = request.getSession( true);
   // convert the boolean to a Boolean
   Boolean booleanIsAuthenticated = Boolean.valueOf( isAuthenticated);
   // store the Boolean value in the session under the agreed key
   session.setAttribute(
      Constants.AUTHENTICATION,
      booleanIsAuthenticated);


In this example, it's assumed that any user who successfully authenticates to the system has access to the pages displayed prior to login. However, there are cases in which the application development team may require a more refined security approach to satisfy its requirements.
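The two halves of the scheme above, the gate in BaseServlet and the flag-setting login handler, are shown together below as an added example written for this page; it is not the article's downloadable code. The Constants values, the form field names username and password, the CredentialStore class, the safeTarget helper and the sample credential are all my assumptions. Two things go beyond the article's snippets and are labelled in the comments: the old session is invalidated before the new one is created at login, and the page requested before login is followed only when it is a site-local path. The two public classes belong in separate source files.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Session-attribute names and the login path (assumed values, not the article's Constants class). */
final class Constants {
    static final String AUTHENTICATION = "isAuthenticated";
    static final String REQUEST = "request";
    static final String LOGIN_PAGE = "/login";
    private Constants() {}
}

/** File BaseServlet.java: every protected servlet extends this and inherits the check. */
public abstract class BaseServlet extends HttpServlet {
    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // never create a session here; a visitor gets one only by logging in
        HttpSession session = request.getSession(false);
        Object flag = (session == null) ? null : session.getAttribute(Constants.AUTHENTICATION);
        // Boolean.TRUE.equals() treats a missing attribute (null) exactly like Boolean.FALSE
        if (!Boolean.TRUE.equals(flag)) {
            unauthenticatedUser(request, response);
            return;                       // the subclass's doGet/doPost must not run
        }
        super.service(request, response); // authenticated: dispatch as HttpServlet normally would
    }

    /** Redirect to the login page, remembering which page the browser asked for. */
    protected void unauthenticatedUser(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String wanted = URLEncoder.encode(request.getRequestURI(), "UTF-8");
        response.sendRedirect(response.encodeRedirectURL(
                Constants.LOGIN_PAGE + "?" + Constants.REQUEST + "=" + wanted));
    }
}

/** File LoginServlet.java: extends HttpServlet, not BaseServlet, so it is reachable before login. */
public class LoginServlet extends HttpServlet {
    // hypothetical credential check standing in for the article's database query
    private final CredentialStore store = new CredentialStore();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("username");
        String pass = request.getParameter("password");
        String requested = request.getParameter(Constants.REQUEST);

        if (user == null || pass == null || !store.isValid(user, pass)) {
            // no matching record: redisplay the form with one generic failure indicator
            response.sendRedirect(response.encodeRedirectURL(Constants.LOGIN_PAGE + "?error=1"));
            return;
        }

        // addition to the article's snippet: discard the pre-login session so a session id
        // issued before authentication is not carried into the authenticated session
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(Constants.AUTHENTICATION, Boolean.TRUE);

        response.sendRedirect(response.encodeRedirectURL(safeTarget(requested)));
    }

    /** Addition to the article's snippet: follow only a site-local path, else go to the root. */
    static String safeTarget(String requested) {
        if (requested != null && requested.startsWith("/") && !requested.startsWith("//")) {
            return requested;
        }
        return "/";
    }
}

/** Constructed stand-in for the article's user table; a real one queries the database. */
class CredentialStore {
    boolean isValid(String user, String password) {
        // constructed sample credential; a real store compares against a salted hash
        return "alice".equals(user) && "s3cret".equals(password);
    }
}
```

Any servlet that extends BaseServlet and overrides doGet or doPost is now reachable only with a session whose flag is Boolean.TRUE; a session created by some other component before login carries no flag and is treated the same as no session at all, which is the case the original snippet's cast would have turned into a NullPointerException.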

Authorization

Authorization enforces the security policy against more sophisticated attackers by preventing unauthorized code, and unauthorized callers, from connecting to back-office systems such as Enterprise JavaBeans (EJB). There are two types of authorization: code authorization and caller authorization.

Comments (2)

Good Article on Security
By Anonymous on August 27, 2009, 12:26 pm

Hi Michael, you did a good job posting such a good article online and helping others to get knowledge on security. Once again, thanks for posting. Raj


Security
By Anonymous on November 13, 2008, 5:31 am

Dear Michael, you have given a very good article on security implementation. I appreciate your effort on this, and thanks for sharing it across. Regards, Srinivas
