Hubert

Reputation: 1175

Servlet - isUserInRole()

Spec:

Servlet: 3.0
Java: 7
Tomcat: 7.0.54

Intro:

It is possible to check programmatically whether a user has a specific role using the method HttpServletRequest.isUserInRole().

For example:

public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {

    String username = null;
    String password = null;

    //get username and password manually from Authorization header
    //...
    request.login(username, password);

    if (request.isUserInRole("boss")) {
        //do something
    } else {
        //do something else
    }

    request.logout();

}

This works fine, but this solution requires manually retrieving the username and password from the Authorization header and then logging in with these credentials.

Questions:

Is it possible to just do something like this, without retrieving data from the header and manually calling login()?

public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {

    if (request.isUserInRole("boss")) {
        //do something
    } else {
        //do something else
    }

}

Trying to answer myself:

From my understanding this code requires proper configuration in web.xml. This example works with the following configuration in the web.xml file, for example:

<web-app ...>
    ...
    <security-constraint>
        <web-resource-collection>
            <url-pattern>/HelloWorld</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>boss</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>DefaultRealm</realm-name>
    </login-config>
</web-app>

But this means that programmatically checking roles is not required, since the configuration in web.xml is all we need to restrict access.

Summary:

Thanks.

Edit 1:
Since the first answer suggests adding a login-config element to my web.xml, I must say I already have it. I added this to the code snippet, as I didn't include it when posting the question. And the example works with this configuration. But when I remove auth-constraint or the whole security-constraint, the presence of login-config is not enough. I added info about the container: Tomcat 7.0.54.

Upvotes: 1

Views: 19000

Answers (3)

Hubert

Reputation: 1175

Question1:

Is it possible to programmatically check roles without specifying restrictions (auth-constraint) in web.xml?

Answer:

Yes, it is possible. There is no need to specify restrictions in web.xml. There is no need to put a security-constraint in web.xml.

In addition, there is no need to manually retrieve credentials from the Authorization header and then manually call login().

Solution:

Here is a working example:

public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException, ServletException {

    // Runs the container's login process (BASIC here, as declared in
    // <login-config>). It returns false when it had to send the 401
    // challenge; the response is then already committed, so stop here.
    if (!request.authenticate(response)) {          //solution
        return;
    }

    if (request.isUserInRole("boss")) {
        //do something
    } else {
        //do something else
    }
}

web.xml:

<web-app ...>
    ...
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>DefaultRealm</realm-name>
    </login-config>
</web-app>

And that works.

As you see, the method HttpServletRequest.authenticate() is used and does the trick. The documentation says:

Triggers the same authentication process as would be triggered if the request is for a resource that is protected by a security constraint.

That is all we need. I hope it helps someone in the future.

Upvotes: 3
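A complete servlet built on the approach in this answer, as an added example that is not code from the question or the answers. It assumes the servlet is mapped at /HelloWorld via @WebServlet and that the realm named in <login-config> defines the role boss (for Tomcat's default UserDatabaseRealm that is tomcat-users.xml); no security-constraint is needed in web.xml.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping; the realm behind <login-config> must know the role "boss".
@WebServlet("/HelloWorld")
public class HelloWorldServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        // authenticate() runs the container's login process for the method
        // declared in <login-config>. With BASIC it either consumes the
        // Authorization header, or it sends a 401 challenge and commits the
        // response. In the latter case it returns false and we must stop:
        // anything written afterwards would go to a committed response.
        if (!request.authenticate(response)) {
            return;
        }

        // From here on getUserPrincipal() is non-null and isUserInRole()
        // consults the realm for the authenticated user.
        if (!request.isUserInRole("boss")) {
            // Authenticated but not authorised: refuse explicitly rather than
            // silently falling through to an "else" branch.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "role 'boss' required");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Hello, boss " + request.getRemoteUser());
    }
}
```

Without the return after a false authenticate(), the role check would run against an anonymous request and the "else" branch would write into the already committed 401 response.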

win_wave

Reputation: 1508

Here is the answer for your issue: if you are using Basic authentication, add this:

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>ourRealm</realm-name>
</login-config>

Upvotes: 0

Bruno Grieder

Reputation: 29834

The basic authorization mechanism provided by servlets in web.xml is basic and mostly 'hard-coded'.

If you want to implement a more elaborate way of checking user roles/authorizations, you need to secure your servlets; then you have a few possibilities:

  • properly implement JAAS. There are quite a few tutorials around; here is one for Tomcat
  • a probably more powerful alternative is to use Shiro

Upvotes: 0
