Featured White Papers

• Why choose an Open Source BPM?
• 10 FAQs on Business Process Management
• Best Practices for Getting Started with BPM
• Free Your Devs From The Pain Of Java Redeploys
• Increase Velocity 40% by Using JRebel
• What Developers Want: The End of Application Redeploys
• Developer Productivity Report: Java Tools, Tech, Devs, and Data
• Coding with JRebel: Java Forever Changed
• Utilizing Fast Testing to Transform Java Development
• Do You Really Get Classloaders?
• Pragmatic Continuous Delivery with Jenkins, Nexus, and LiveRebel
• Your Next Java Web App: Less XML, No Long Restarts, Fewer Hassles
• Coding with JRebel, Java Forever Changed
• 2012 Developer Productivity Report: Java Tools, Tech, Devs, and Data

Sponsored Links

• APIs for Java Programmers: Manage & Convert DOC, XLS, PPT, PDF & More

• Instantly Preview Java Code Changes: JRebel.com

Sponsored Links

Optimize with a SATA RAID Storage Solution
Range of capacities as low as $1250 per TB. Ideal if you currently rely on servers/disks/JBODs

Secure a Web application, Java-style

Use Java's multiple-layer security implementation to protect your Web

By Michael Cymerman, JavaWorld.com, 04/28/00

Page 5 of 6

This example builds off of the framework detailed in the prior example of servlet-based user authentication. The service method of the BaseServlet should now be expanded to include the following:

public void service(HttpServletRequest request, HttpServletResponse response)
      throws IOException, ServletException
   {
      // check to see if a session has already been created for this user
      // don't create a new session yet.
      HttpSession session = request.getSession( false);
      String sRequestedFeature = request.getParameter(Constants.FEATURE);
      if ( session != null)
      {
         // retrieve the User object from the session
         User currentUser = (User) session.getValue(Constants.USER);
         Feature featureRequested = null;
         try {
            // get the page from the security manager
            featureRequested = WebSecurityManager.getFeature(
sRequestedFeature);
         } catch ( WebSecurityManagerException smE)
         {
            smE.printStackTrace();
         }
         if ( WebSecurityManager.isUserAuthenticated( currentUser,
featureRequested) )
         {
            // get page from feature
            String sRequestedPage = featureRequested.getFeaturePath();
            // redirect to the requested page
            response.sendRedirect( Constants.LOGIN2 + sRequestedPage);
         } else {
            // redirect to the error page
            response.sendRedirect( Constants.ERROR + sRequestedFeature);
         }
      } else {
         // redirect to the login servlet (passing parameter)
         response.sendRedirect( Constants.LOGIN2 + sRequestedFeature);
      }
   }

In this code snippet from the BaseServlet2 class, the user is authenticated against the access control list using the requested feature name. The user object is retrieved from the session. The feature object corresponding to the request parameter is retrieved from the SecurityManager object. The SecurityManager then checks the feature against the access control list that was created on the user login through the implementation of the access control list interface.

The SecurityManager functionality is dependent on the underlying database structures and the method by which the data is retrieved from the data source and packed into live objects in the JVM.

In this example, the SecurityManager is implemented as a simple class residing within the JVM. In another full-blown system, this may be implemented as a series of entity beans. For now, the SecurityManager will load all the features in the database on initialization into a Hashtable.

Upon login, the username/password combination is compared to the data stored in the database. If successful, the User object will be created and stored to the session. The features related to the user in the database are created and added to an access control list entry for the user. This entry is then added to the master access control list for the application. From then on, the application can delegate the responsibility of securing the application to the Java Access Control Model classes.

Here's a code snippet showing how the features are added to the access control list for a given user.

   private static void addAclEntry(User user, Hashtable hFeatures)
      throws WebSecurityManagerException
   {
      // create a new ACL entry for this user
      AclEntry newAclEntry = new AclEntryImpl(  user);
      // initialize some temporary variables
      String sFeatureCode = null;
      Feature feature = null;
      Enumeration enumKeys = hFeatures.keys();
      String keyName = null;
      while ( enumKeys.hasMoreElements() )
      {
         // Get the key name from the enumeration
         keyName = (String) enumKeys.nextElement();
         // retrieve the feature from the hashtable
         feature = (Feature) hFeatures.get(keyName);
         // add the permission to the aclEntry
         newAclEntry.addPermission( feature );
      }
      try {
         // add the aclEntry to the ACL for the _securityOwner
         _aclExample.addEntry(_securityOwner, newAclEntry);
      } catch (NotOwnerException noE)
      {
         throw new WebSecurityManagerException("In addAclEntry", noE);
      }
   }

The addAclEntry method is passed a User object and an array of Feature objects. Using these objects, it creates an AclEntry and then adds it to the Acl used by the application. It is precisely this Acl that is used by the BaseServlet2 to authenticate the user to the system.