Added Servlet security

commit 8fb04780ae847ee4d1be117bbd637eac013f55d9 1 parent 8dd4a28
Sherif Makary authored
72 servlet-security/README.md
@@ -0,0 +1,72 @@
+servlet-security: Using JEE Declarative Security to Control Access to Servlet 3
+====================
+Author: Sherif F. Makary
+
+This example demonstrates the use of JEE declarative security to control access to Servlets and Security in JBoss AS7 and JBoss Enterprise Application Platform 6.
+
+The example can be deployed using Maven from the command line or from Eclipse using JBoss Tools.
+
+The following are the steps required to implement Servlet security:
+
+1. The application will use a security domain that is defined in the application server standalone.xml that is called "other"
+2. Add a user called "UserA" with password = "password" and belongs to a role called "gooduser" and realm "ApplicationRealm", for more information regarding how to add a user using the "add-user" utility, please refer to the quick starts root readme.md file
+3. A security-domain reference for the "other" security domain is added to /webapp/WEB-INF/jboss-web.xml
+4. A security-constraints is added to the /webapp/WEB-INF/web.xml
+5. Security annotations are added to the Servlet declaration
+Please note the allowed user role "gooduser" in the annotation -`@RolesAllowed`- is the same as the user role defined in step 2
+
+For more information, refer to the <a href="https://docs.jboss.org/author/display/AS71/Getting+Started+Developing+Applications+Guide" title="Getting Started Developing Applications Guide">Getting Started Developing Applications Guide</a> and find Security --> Servlet Security.
+
+
+## Deploying the Quickstart
+
+First you need to start JBoss AS 7 (or JBoss Enterprise Application Platform 6). To do this, run
+
+ $JBOSS_HOME/bin/standalone.sh
+
+or if you are using Windows
+
+ $JBOSS_HOME/bin/standalone.bat
+
+To deploy the application, you first need to produce the archive:
+
+ mvn clean package
+
+
+You can now deploy the artifact to JBoss AS by executing the following command:
+
+ mvn jboss-as:deploy
+
+This will deploy `target/jboss-as-servlet-security` to the running instance of JBoss AS.
+
+## Testing the Quickstart
+
+The application will be running at the following URL <http://localhost:8080/jboss-as-servlet-security/>.
+
+When you access the application, you should get a browser login challenge.
+
+After a successful login using UserA/password, the browser will display the following security info:
+
+ Successfully called Secured Servlet
+
+ Principal : UserA
+ Remote User : password
+ Authentication Type : BASIC
+
+Change the role in the quickstart /src/main/webapp/WEB-INF/classes/roles.properties files to 'gooduser1'.
+Rebuild the application using by typing the following command:
+
+ mvn clean package
+
+Re-deploy the application by typing:
+
+ mvn jboss-as:deploy
+
+Refresh the browser, clear the active login, and you should get a security exception similar to the following:
+
+ HTTP Status 403 - Access to the requested resource has been denied
+
+ type Status report
+ message Access to the requested resource has been denied
+ description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
+
101 servlet-security/pom.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>org.jboss.as.quickstarts</groupId>
+ <artifactId>jboss-as-servlet-security</artifactId>
+ <version>7.1.1-SNAPSHOT</version>
+ <packaging>war</packaging>
+ <name>JBoss AS Quickstarts: servlet-security</name>
+ <description>JBoss AS Quickstarts: servlet-security</description>
+
+ <url>http://jboss.org/jbossas</url>
+ <licenses>
+ <license>
+ <name>Apache License, Version 2.0</name>
+ <distribution>repo</distribution>
+ <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+ </license>
+ </licenses>
+
+ <properties>
+ <!-- Explicitly declaring the source encoding eliminates the following
+ message: -->
+ <!-- [WARNING] Using platform encoding (UTF-8 actually) to copy filtered
+ resources, i.e. build is platform dependent! -->
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencyManagement>
+ <dependencies>
+ <!-- Define the version of JBoss' Java EE 6 APIs we want to use -->
+ <!-- JBoss distributes a complete set of Java EE 6 APIs including
+ a Bill of Materials (BOM). A BOM specifies the versions of a "stack" (or
+ a collection) of artifacts. We use this here so that we always get the correct
+ versions of artifacts. Here we use the jboss-javaee-6.0 stack (you can
+ read this as the JBoss stack of the Java EE 6 APIs). You can actually
+ use this stack with any version of JBoss AS that implements Java EE 6, not
+ just JBoss AS 7! -->
+ <dependency>
+ <groupId>org.jboss.spec</groupId>
+ <artifactId>jboss-javaee-6.0</artifactId>
+ <version>3.0.0.Beta1</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
+ <dependencies>
+
+ <!-- Import the CDI API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>javax.enterprise</groupId>
+ <artifactId>cdi-api</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Common Annotations API (JSR-250), we use provided scope
+ as the API is included in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.annotation</groupId>
+ <artifactId>jboss-annotations-api_1.1_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ <!-- Import the Servlet API, we use provided scope as the API is included
+ in JBoss AS 7 -->
+ <dependency>
+ <groupId>org.jboss.spec.javax.servlet</groupId>
+ <artifactId>jboss-servlet-api_3.0_spec</artifactId>
+ <scope>provided</scope>
+ </dependency>
+
+ </dependencies>
+
+ <build>
+ <!-- Set the name of the war, used as the context root when the app
+ is deployed -->
+ <finalName>jboss-as-servlet-security</finalName>
+ <plugins>
+ <!-- JBoss AS plugin to deploy war -->
+ <plugin>
+ <groupId>org.jboss.as.plugins</groupId>
+ <artifactId>jboss-as-maven-plugin</artifactId>
+ <version>7.1.0.Final</version>
+ </plugin>
+ <!-- Compiler plugin enforces Java 1.6 compatibility and activates
+ annotation processors -->
+ <plugin>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.1</version>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
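Review bot: The `cdi-api` dependency at the top of `<dependencies>` (together with the `beans.xml` marker added in this commit) has no consumer: `SecuredServlet` imports `javax.inject.Inject` but never injects anything, so the build carries an API the code does not use. If it is kept for parity with the other quickstarts' poms, a one-line comment such as `<!-- Kept for consistency with the other quickstarts; this servlet does not use CDI -->` would stop a reader from hunting for the injection point. `jboss-annotations-api_1.1_spec` is in the same position, since `DeclareRoles` is imported but unused and `@ServletSecurity`/`@HttpConstraint` come from the Servlet API dependency.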
83 servlet-security/src/main/java/org/jboss/as/quickstarts/servlet_security/SecuredServlet.java
@@ -0,0 +1,83 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2011, Red Hat, Inc. and/or its affiliates,
+ * and individual contributors as indicated by the @author tags.
+ * See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ * This copyrighted material is made available to anyone wishing to use,
+ * modify, copy, or redistribute it subject to the terms and conditions
+ * of the GNU Lesser General Public License, v. 2.1.
+ * This program is distributed in the hope that it will be useful, but WITHOUT A
+ * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ * PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
+ * You should have received a copy of the GNU Lesser General Public License,
+ * v.2.1 along with this distribution; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ *
+ * (C) 2012,
+ * @author Sherif Makary */
+
+package org.jboss.as.quickstarts.servlet_security;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.io.PrintWriter;
+
+import javax.annotation.security.DeclareRoles;
+import javax.inject.Inject;
+import javax.servlet.ServletException;
+import javax.servlet.annotation.HttpConstraint;
+import javax.servlet.annotation.ServletSecurity;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * <p>
+ * Simple secured servlet using declarative security
+ * using Servlet 3 security annotations
+ * Upon successful authentication and authorization the servlet
+ * will display security principal name
+ * </p>
+ *
+ *
+ *
+ * @author Sherif Makary
+ *
+ */
+@SuppressWarnings("serial")
+@WebServlet("/SecuredServlet")
+@ServletSecurity(@HttpConstraint(rolesAllowed = { "gooduser" }))
+
+public class SecuredServlet extends HttpServlet {
+
+ static String PAGE_HEADER = "<html><head /><body>";
+
+ static String PAGE_FOOTER = "</body></html>";
+
+ @Override
+ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
+ PrintWriter writer = resp.getWriter();
+ Principal principal = null;
+ String authType = null;
+ String remoteUser=null;
+
+ //Get security principal
+ principal = req.getUserPrincipal();
+ //Get user name from login principal
+ remoteUser = req.getRemoteUser();
+ //Get authentication type
+ authType = req.getAuthType();
+
+ writer.println(PAGE_HEADER);
+ writer.println("<h1>" + "Successfully called Secured Servlet " + "</h1>");
+ writer.println("<p>" + "Principal : " + principal.getName() + "</p>");
+ writer.println("<p>" + "Remote User : " + remoteUser +"</p>");
+ writer.println("<p>" + "Authentication Type : " + authType + "</p>");
+ writer.println(PAGE_FOOTER);
+ writer.close();
+ }
+
+}
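Review bot: `principal.getName()`, `remoteUser` and `authType` are concatenated straight into HTML on the three `<p>` lines of `doGet` with no content type set on the response, so the browser has to sniff the body and the authenticated name is rendered as markup rather than text. The container's `@ServletSecurity` constraint should guarantee a non-null principal here, but a guard keeps a misconfigured deployment from failing with a NullPointerException instead of a readable message. The rewrite below sets `text/html;charset=UTF-8`, routes the three values through a small escaping helper, drops the `null` pre-initialisation of the locals, and leaves out `writer.close()`, since the container manages the writer it handed out. The imports of `DeclareRoles` and `Inject` are unused and can go, and `PAGE_HEADER`/`PAGE_FOOTER` would be better as `private static final`. Separately, the README's sample output shows `Remote User : password`, whereas `req.getRemoteUser()` on line `remoteUser = req.getRemoteUser();` will print the user name, i.e. `UserA`.
```java
    // … unchanged: PAGE_HEADER / PAGE_FOOTER fields …

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Declare type and charset so the browser does not have to sniff the body.
        resp.setContentType("text/html;charset=UTF-8");

        // The container enforces the role constraint before we get here; the guard only
        // turns a misconfigured deployment into a readable page instead of an NPE.
        Principal principal = req.getUserPrincipal();
        String principalName = principal == null ? "(none)" : principal.getName();

        PrintWriter writer = resp.getWriter();
        writer.println(PAGE_HEADER);
        writer.println("<h1>Successfully called Secured Servlet</h1>");
        writer.println("<p>Principal : " + escapeHtml(principalName) + "</p>");
        writer.println("<p>Remote User : " + escapeHtml(req.getRemoteUser()) + "</p>");
        writer.println("<p>Authentication Type : " + escapeHtml(req.getAuthType()) + "</p>");
        writer.println(PAGE_FOOTER);
    }

    /**
     * Minimal escaping for HTML text nodes. The identity name is data supplied by the
     * realm, not markup, so it is encoded before being written into the page.
     * A null value prints as "null", matching plain string concatenation.
     */
    private static String escapeHtml(String value) {
        if (value == null) {
            return "null";
        }
        return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }
```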
7 servlet-security/src/main/webapp/WEB-INF/beans.xml
@@ -0,0 +1,7 @@
+<!-- Marker file indicating CDI should be enabled -->
+<beans xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+ http://java.sun.com/xml/ns/javaee
+ http://java.sun.com/xml/ns/javaee/beans_1_0.xsd">
+</beans>
6 servlet-security/src/main/webapp/WEB-INF/jboss-web.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<jboss-web>
+ <security-domain>other</security-domain>
+ <disable-audit>true</disable-audit>
+</jboss-web>
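Review bot: `<disable-audit>true</disable-audit>` switches off security audit logging for this deployment with no comment saying why, and the README never mentions it. In a quickstart whose whole purpose is demonstrating declarative security, readers will copy this descriptor, and an audit-free security domain is the wrong default to teach. Either drop the element so auditing stays on, or annotate it: `<!-- Audit is disabled only to keep the quickstart's console output short; keep it enabled in real deployments so authentication outcomes are recorded -->`.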
24 servlet-security/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+<web-app xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ version="3.0">
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>*</web-resource-name>
+ <url-pattern>/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>gooduser</role-name>
+ </auth-constraint>
+ </security-constraint>
+ <security-role>
+ <role-name>gooduser</role-name>
+ </security-role>
+ <login-config>
+ <auth-method>BASIC</auth-method>
+ <realm-name>RealmUsersRoles</realm-name>
+ </login-config>
+</web-app>
+
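Review bot: The `<security-constraint>` for `/*` pairs BASIC authentication with no `<user-data-constraint>`, so the credentials the README has the user type at `http://localhost:8080/...` travel base64-encoded over plain HTTP. For a descriptor readers will copy, the constraint should carry `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` inside `<security-constraint>`, or the README should state explicitly that BASIC over HTTP is acceptable only for this local demo. Note also that `<realm-name>RealmUsersRoles</realm-name>` is only the label the browser shows in its login prompt, not the `ApplicationRealm` the README's step 2 adds the user to; a short comment on that line would prevent the two being confused.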
7 servlet-security/src/main/webapp/index.html
@@ -0,0 +1,7 @@
+<!-- Plain HTML page that kicks us into the app -->
+
+<html>
+<head>
+<meta http-equiv="Refresh" content="0; URL=SecuredServlet">
+</head>
+</html>