krish

Reputation: 21

Securing servlet URL without using username password authentication

I have an enterprise application with an EJB module and a web application module (a servlet). I am accessing the servlet URL from the EJB using URLConnection but want to protect the URL with some security. I do not want to use a username and password to authenticate because I cannot use any single sign-on solution, so I want to know if there is a way to restrict the URL so it can be accessed only from its enterprise application. Please help.

Upvotes: 2

Views: 2876

Answers (3)

Jason Day

Reputation: 8839

There is a lot of information you've left out:

  • Is the servlet used only by your EJB module, or is it also used by other clients?
  • Are the servlet and EJB module running in the same container? The same physical machine?
  • What web server/servlet container/J2EE container are you using?

If the servlet is used only by the EJB module, and they are both on the same machine, then you can just configure your web container to only accept connections from localhost and change the URL your EJB module uses to point at localhost instead of a public domain name or IP address.

If they are on different machines, or if your servlet is used by other clients, then you will need to authenticate the EJB module somehow. You can use SSL client certificates (see this question) or configure your servlet container to allow connections from the EJB module's IP address.

EDIT

Using a servlet filter to control access is fairly straightforward. In your case, you want to verify that the request is coming from the localhost. If not, send an unauthorized message back to the client.

Here is a very simple doFilter method implementation that should do that:

import java.io.IOException;
import java.net.InetAddress;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public void doFilter(ServletRequest request,
                     ServletResponse response,
                     FilterChain chain)
   throws ServletException, IOException
{
    // isLoopbackAddress() covers both 127.0.0.1 and the IPv6 loopback ::1,
    // which a literal "127.0.0.1" comparison would wrongly reject.
    String remote = request.getRemoteAddr();
    if (remote == null || !InetAddress.getByName(remote).isLoopbackAddress()) {
        HttpServletResponse rsp = (HttpServletResponse) response;
        rsp.sendError(HttpServletResponse.SC_FORBIDDEN, "You are not authorized to access this resource.");
        return; // without this the request would still reach the servlet after the 403
    }

    chain.doFilter(request, response);
}

Add the filter to your web.xml with something like the following:

<filter>
    <filter-name>AuthorizationFilter</filter-name>
    <filter-class>com.foo.bar.AuthorizationFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>AuthorizationFilter</filter-name>
    <servlet-name>RestrictedServlet</servlet-name>
</filter-mapping>

Filters are executed in the order they appear in web.xml, so make sure the authorization filter is the first one listed.

Having said all this, I am in agreement with BalusC here. If at all possible, you should refactor your code so that the EJB module executes the code directly rather than making a servlet call.

Upvotes: 3
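As an added example (not code from the answer above or from the asker's project), here is a complete filter that generalises the localhost check to an allowlist of source addresses configured in web.xml, which also covers the "different machines" case mentioned in the answer. The class name matches the answer's web.xml, but the allowedAddresses init-param and the sample addresses are assumptions; the filter deliberately consults only the TCP peer address, because headers such as X-Forwarded-For are client-supplied and, behind a reverse proxy, the peer address seen here is the proxy's.

```java
package com.foo.bar; // matches the filter-class in the answer's web.xml

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class AuthorizationFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>(); // normalised peer addresses
    public void init(FilterConfig config) throws ServletException {
        // Assumed init-param, e.g. in web.xml:
        //   <init-param><param-name>allowedAddresses</param-name>
        //               <param-value>192.0.2.10, 2001:db8::10</param-value></init-param>
        // (192.0.2.0/24 and 2001:db8::/32 are documentation ranges, not real hosts)
        String param = config.getInitParameter("allowedAddresses");
        if (param == null) return; // no allowlist configured: only loopback is permitted
        for (String s : param.split(",")) {
            try {
                // getByName on a literal address does no DNS lookup; getHostAddress
                // normalises it so "::1" and "0:0:0:0:0:0:0:1" compare equal
                allowed.add(InetAddress.getByName(s.trim()).getHostAddress());
            } catch (UnknownHostException e) {
                throw new ServletException("bad address in allowedAddresses: " + s, e);
            }
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Only the TCP peer address is consulted; X-Forwarded-For and similar headers are
        // client-supplied and must not be trusted. Behind a reverse proxy the peer is the proxy.
        String remote = request.getRemoteAddr();
        boolean permitted = false;
        if (remote != null) {
            InetAddress peer = InetAddress.getByName(remote);
            permitted = peer.isLoopbackAddress() || allowed.contains(peer.getHostAddress());
        }
        if (!permitted) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "You are not authorized to access this resource.");
            return; // stop the chain so the servlet never runs for a rejected request
        }
        chain.doFilter(request, response);
    }
    public void destroy() { }
}
```

Map it to the restricted servlet with the filter-mapping shown in the answer and list it before any other filter, so a rejected request is stopped before anything else runs.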

Luciano Fiandesio

Reputation: 10215

You can create user credentials in the Application Server you use to deploy your servlet application and protect the application using that user (using for instance BASIC auth):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
</security-constraint>

<!-- Without a login-config the container does not know which authentication method
     to challenge with; BASIC sends the credentials base64-encoded, so use it over SSL. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Servlet</realm-name>
</login-config>

<!-- The role named in auth-constraint must also be declared here. -->
<security-role>
  <role-name>member</role-name>
</security-role>

You can then authenticate from your EJB.

Upvotes: 1

BalusC

Reputation: 1109152

If they run on the same machine, the normal practice is to refactor the business job the servlet is doing into another Java class which can then be imported/used by both the EJB and the servlet.

Upvotes: 1
