Question

I am developing a simple Java EE application, using plain JSP servlets as well as POJO classes and DAO support. What is the best strategy to implement access control here?

I initially thought of using a filter but I am not quite sure about its usage, so is there any simple programmatic way I can implement the same? I mean through the use of a properties file or another approach?

Also I would like to keep my application lightweight. So please suggest solutions for the same. Thanks in advance!


Solution

Basically ACL is implemented in Java EE by using the @DeclareRoles and @RolesAllowed annotations on a session bean class or its methods for programmatic security. You can also use an element in your deployment descriptor (web.xml) describing your roles and authorisation for declarative security.

Here is an example from the Java EE tutorial for programmatic security:

package converter.ejb;

import java.math.BigDecimal;
import javax.ejb.Stateless;
import java.security.Principal;
import javax.annotation.Resource;
import javax.ejb.SessionContext;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;

@Stateless()
@DeclareRoles("TutorialUser")
public class ConverterBean {

    // Injected by the container; gives access to the caller's identity and roles.
    @Resource SessionContext ctx;
    private BigDecimal yenRate = new BigDecimal("89.5094");
    private BigDecimal euroRate = new BigDecimal("0.0081");

    // Declarative check: the container rejects callers outside the role before the method runs.
    @RolesAllowed("TutorialUser")
    public BigDecimal dollarToYen(BigDecimal dollars) {
        BigDecimal result = new BigDecimal("0.0");
        Principal callerPrincipal = ctx.getCallerPrincipal();
        // Programmatic check: the same role test made inside the method body.
        if (ctx.isCallerInRole("TutorialUser")) {
            result = dollars.multiply(yenRate);
            return result.setScale(2, BigDecimal.ROUND_UP);
        } else {
            return result.setScale(2, BigDecimal.ROUND_UP);
        }
    }

    @RolesAllowed("TutorialUser")
    public BigDecimal yenToEuro(BigDecimal yen) {
        BigDecimal result = new BigDecimal("0.0");
        Principal callerPrincipal = ctx.getCallerPrincipal();
        if (ctx.isCallerInRole("TutorialUser")) {
            result = yen.multiply(euroRate);
            return result.setScale(2, BigDecimal.ROUND_UP);
        } else {
            return result.setScale(2, BigDecimal.ROUND_UP);
        }
    }
}

You can also do it in your servlets by using HttpServletRequest's login, logout and authenticate methods for authentication and then use getUserPrincipal and isUserInRole for ACL. Then you will need to add to your servlet's description in web.xml to reference roles declared in elements in web.xml. Here is an example from the Java EE tutorial for the ACL part.

package enterprise.programmatic_login;

import java.io.*;
import java.net.*;
import javax.annotation.security.DeclareRoles;
import javax.servlet.*;
import javax.servlet.http.*;

@DeclareRoles("javaee6user")
public class LoginServlet extends HttpServlet {

    /** 
     * Processes requests for both HTTP GET and POST methods.
     * @param request servlet request
     * @param response servlet response
     */
    protected void processRequest(HttpServletRequest request, 
                 HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        try {
            String userName = request.getParameter("txtUserName");
            String password = request.getParameter("txtPassword");

            out.println("Before Login" + "<br><br>");
            out.println("IsUserInRole?.." 
                        + request.isUserInRole("javaee6user")+"<br>");
            out.println("getRemoteUser?.." + request.getRemoteUser()+"<br>");
            out.println("getUserPrincipal?.." 
                        + request.getUserPrincipal()+"<br>");
            out.println("getAuthType?.." + request.getAuthType()+"<br><br>");

            try {
                request.login(userName, password); 
            } catch(ServletException ex) {
                out.println("Login Failed with a ServletException.." 
                    + ex.getMessage());
                return;
            }
            out.println("After Login..."+"<br><br>");
            out.println("IsUserInRole?.." 
                        + request.isUserInRole("javaee6user")+"<br>");
            out.println("getRemoteUser?.." + request.getRemoteUser()+"<br>");
            out.println("getUserPrincipal?.." 
                        + request.getUserPrincipal()+"<br>");
            out.println("getAuthType?.." + request.getAuthType()+"<br><br>");

            request.logout();
            out.println("After Logout..."+"<br><br>");
            out.println("IsUserInRole?.." 
                        + request.isUserInRole("javaee6user")+"<br>");
            out.println("getRemoteUser?.." + request.getRemoteUser()+"<br>");
            out.println("getUserPrincipal?.."
                        + request.getUserPrincipal()+"<br>");
            out.println("getAuthType?.." + request.getAuthType()+"<br>");
        } finally {
            out.close();
        }
    }

}

See provided links of Java EE tutorial for more complete examples and explanations.
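The tutorial servlet above only prints what the role methods return. The following is an added example, not code from the Java EE tutorial or from this answer, showing how a Servlet 3.0 servlet would actually enforce access: the @ServletSecurity annotation covers the declarative side (the container denies the request before doGet runs) and getUserPrincipal/isUserInRole cover the programmatic side inside the method. The package name, the URL /admin/report, the role name "admin" and the login page are assumptions for the example.

```java
package example.web;  // hypothetical package name

import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part: the container refuses any request to /admin/report from a
// caller who is not authenticated in the "admin" role (assumed role name),
// before doGet() is ever invoked. "admin" must also be declared as a role
// (security-role in web.xml or @DeclareRoles) so the container knows it.
@WebServlet("/admin/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Programmatic part: the same role test inside the servlet. This is
        // where finer decisions the URL constraint cannot express would go
        // (for example, per-record ownership checks).
        Principal caller = request.getUserPrincipal();
        if (caller == null) {
            // Fail closed: a null principal means nobody is logged in.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!request.isUserInRole("admin")) {
            // Deny explicitly instead of returning an empty or zero result,
            // so a denied request cannot be mistaken for a successful one.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain;charset=UTF-8");
        response.getWriter().println("Report for " + caller.getName());
    }
}
```

Authentication itself is still configured in web.xml (a login-config element choosing BASIC or FORM login and the realm); without it the container has no way to establish a principal, so every request to the constrained URL is simply denied. Returning an explicit 401/403 instead of a zero result, as the tutorial bean does, makes denials visible in access logs and avoids leaking a "success-looking" response to an unauthorised caller.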

Other tips

If you aren't going to use some API (like Spring Security or Apache Shiro), web filters are what you are going to need.

In your filter implementation, if you want to grant access, simply call

chain.doFilter(request, response); 

which will process the request normally, otherwise, redirecting the user to another page using

response.sendRedirect(Url); 

is a good option.
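A complete filter of the kind this answer describes, as an added example that is not part of the original post: it loads a path-prefix-to-roles mapping from a properties file (the approach the question asked about), lets the request through with chain.doFilter when the caller holds one of the required roles, redirects unauthenticated callers to a login page, and answers 403 otherwise. The file name /WEB-INF/access.properties, the login page /login.jsp and the role names are assumptions; the filter relies on the container having already authenticated the user (isUserInRole only works against a container-established principal).

```java
package example.web;  // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class AccessControlFilter implements Filter {

    // Rules read from /WEB-INF/access.properties (assumed file), one per line:
    //   /admin/=admin
    //   /reports/=admin,auditor
    // Key is a path prefix, value the roles that may access it (any one suffices).
    private final Map<String, String[]> rules = new LinkedHashMap<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        Properties props = new Properties();
        try (InputStream in = config.getServletContext()
                .getResourceAsStream("/WEB-INF/access.properties")) {
            if (in == null) {
                // Refuse to start rather than run with no rules at all.
                throw new ServletException("access.properties missing; refusing to start");
            }
            props.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot read access.properties", e);
        }
        for (String prefix : props.stringPropertyNames()) {
            rules.put(prefix, props.getProperty(prefix).trim().split("\\s*,\\s*"));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Use the container-decoded, normalised path (servlet path + path info)
        // rather than the raw request URI, so encoded ".." segments or
        // ";jsessionid" path parameters cannot dodge a prefix match.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        String[] required = requiredRoles(path);
        if (required == null) {
            chain.doFilter(req, res);   // no rule for this path: process normally
            return;
        }
        if (request.getUserPrincipal() == null) {
            // Not logged in: send the user to the (assumed) login page.
            response.sendRedirect(request.getContextPath() + "/login.jsp");
            return;
        }
        for (String role : required) {
            if (request.isUserInRole(role)) {
                chain.doFilter(req, res);   // access granted
                return;
            }
        }
        response.sendError(HttpServletResponse.SC_FORBIDDEN);   // logged in, wrong role
    }

    // Longest matching prefix wins, so a more specific rule such as
    // "/admin/public/" can override a broader "/admin/" rule.
    String[] requiredRoles(String path) {
        String[] best = null;
        int bestLen = -1;
        for (Map.Entry<String, String[]> e : rules.entrySet()) {
            if (path.startsWith(e.getKey()) && e.getKey().length() > bestLen) {
                best = e.getValue();
                bestLen = e.getKey().length();
            }
        }
        return best;
    }

    @Override
    public void destroy() {
    }
}
```

Two points worth knowing when using this pattern: the container evaluates web.xml security constraints before any filter runs, so a filter like this supplements rather than replaces declarative security; and the properties file lives under WEB-INF precisely because resources there are never served to clients, so the access rules themselves are not exposed.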

License: CC-BY-SA with attribution
Not affiliated with StackOverflow