Spring

Reputation: 11835

Servlet declarative security

For Servlet security, I read that in web.xml we can declare

<auth-constraints> and <user-data-constraint> 

for turning on SSL and for authentication purposes. But so far I personally haven't seen any of these declarations in real-life web.xml files (apps running on Tomcat or Glassfish).

So I wonder: what are the alternative ways of achieving these goals, and which way is preferred?

Upvotes: 1

Views: 570

Answers (2)

Aviram Segal

Reputation: 11120

First you declare the roles; you can do it with an annotation or in web.xml:

import javax.annotation.security.DeclareRoles;
import javax.servlet.http.HttpServlet;

// Declares the role name to the container; the <auth-constraint> in web.xml refers to it
@DeclareRoles("userRole")
public class SomeServlet extends HttpServlet {
...
}

Then you add <security-constraint> to your web.xml:

    <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>SomeServlet</web-resource-name>
            <url-pattern>/some_servlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>userRole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>

The <url-pattern> is the pattern to protect.

For SSL you put CONFIDENTIAL in <transport-guarantee>.

Upvotes: 1
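The same constraint can be expressed entirely in annotations on Servlet 3.0+ containers (Tomcat 7+, GlassFish 3+), which is one of the "substitute ways" the question asks about. The following is an added example, not code from the answer above; the servlet, its URL and the role name are assumptions chosen to mirror the web.xml fragment, with the transport guarantee raised to CONFIDENTIAL.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the annotation form of the <security-constraint> above,
// but with <transport-guarantee>CONFIDENTIAL</transport-guarantee>.
@DeclareRoles("userRole")
@WebServlet("/some_servlet")
@ServletSecurity(@HttpConstraint(rolesAllowed = "userRole",
                                 transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SomeServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time doGet runs the container has already redirected plain-HTTP
        // callers to HTTPS, challenged for credentials and checked the role.
        // Re-checking here costs nothing and makes a mapping mistake fail closed
        // instead of silently serving the page to anyone.
        if (req.getRemoteUser() == null || !req.isUserInRole("userRole")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Hello " + req.getRemoteUser()
                + " over " + (req.isSecure() ? "TLS" : "plain HTTP"));
    }
}
```

Two caveats worth checking when this does not seem to take effect: the <login-config> (auth method and realm) has no annotation equivalent and still has to be declared in web.xml, and if web.xml sets metadata-complete="true" or contains a <security-constraint> with the same exact <url-pattern>, the deployment descriptor wins and the @ServletSecurity annotation is ignored.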

Jiri Kremser

Reputation: 12837

It depends strongly on the application server used, but in general there is no way to make the application server expose the application over SSL without enabling it at the level of the AS (not in the deployment descriptor).

For instance for Tomcat, the SSL connector (default port 8443) has to be enabled in server.xml. You may then use Apache (httpd) as a reverse proxy using mod_proxy or mod_jk.

In the code you may use a ServletFilter to intercept all the requests, and if the communication is not on top of SSL, you may redirect the user to some login page.

Upvotes: 3
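A filter of the kind this answer describes, as an added example rather than code from the answer: it intercepts every request and, when the request did not arrive over TLS, redirects to the HTTPS equivalent of the same URL (redirecting to a fixed login page would work the same way; only the Location value differs). The class name, the 8443 port constant and the use of a @WebFilter annotation instead of a web.xml <filter-mapping> are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: programmatic equivalent of CONFIDENTIAL for the whole app.
@WebFilter("/*")
public class RequireHttpsFilter implements Filter {

    // Assumed to match the SSL connector enabled in server.xml (Tomcat's default is 8443).
    private static final int HTTPS_PORT = 8443;

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!request.isSecure()) {
            // Rebuild the requested URL on the HTTPS connector, keeping path and query.
            StringBuilder target = new StringBuilder("https://").append(request.getServerName());
            if (HTTPS_PORT != 443) {
                target.append(':').append(HTTPS_PORT);
            }
            target.append(request.getRequestURI());
            String query = request.getQueryString();
            if (query != null) {
                target.append('?').append(query);
            }
            // 301 rather than sendRedirect() so the browser also caches the upgrade.
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target.toString());
            return;
        }

        chain.doFilter(req, res);
    }
}
```

Two things to verify before relying on this. First, a redirect discards the body of a POST that arrived over plain HTTP, so any secret in it has already crossed the wire in the clear; the filter prevents the application from acting on it but cannot undo the exposure, which is why the SSL connector (or CONFIDENTIAL in web.xml, which performs the same redirect inside the container) should be in place from the start. Second, behind the httpd reverse proxy mentioned above, TLS is terminated at the proxy and Tomcat sees plain HTTP, so request.isSecure() returns false for every request and this filter would loop; the connector has to be marked secure, or Tomcat's RemoteIpValve configured to trust the proxy's X-Forwarded-Proto header, for isSecure() to report the client's real transport.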
