NOTE: These slides have not been updated since 2003. They have been superseded by the book An Introduction to XML and Web Technologies Addison-Wesley, and the accompanying online material. Please see http://www.brics.dk/ixwt/ for more information. Anders Møller and Michael Schwartzbach, February 2006

INTERACTIVE WEB SERVICES WITH JAVA

Security

• declaratively - using the deployment descriptor (web.xml)
• operationally - by explicit service code
• or a combination

1. make file with usernames, passwords, and roles
2. design login and login-failure pages
3. specify URLs that require authentication (and optionally, also SSL)

Authentication:

• form-based
• HTTP Basic

SSL:

• requires the JSSE package
• requires a public-key server certificate (details are server specific)

HttpServletRequest contains useful security methods:

• String getRemoteUser() - who has logged in?
• boolean isUserInRole(String role) - what is the user's abstract role?
• boolean isSecure() - does the connection use SSL?

COPYRIGHT © 2002-2003 ANDERS MØLLER & MICHAEL I. SCHWARTZBACH