Published February 09th, 2017 by

Security in Java EE Applications – Learn from the Experts

Technology: Java based application servers provide several ways to secure the applications deployed on them. In the Java EE world each web application is a dynamic extension of the web or application server. Today many frameworks support securing an application through annotations or XML configuration; among the most used for Java applications are Spring Security and Apache Shiro.

From Java EE 6 onwards the deployment descriptor has many XML elements for specifying the security constraints of an application. The information given in annotations and in the deployment descriptor lets the web or application server set up the appropriate security policy for the application.

Secure Java EE
Security in Java EE web applications can be implemented in the following ways.

  • Declarative Security: security is expressed either in annotations or in the deployment descriptor.
    1. The deployment descriptor for a web application is web.xml.
    2. Enterprise JavaBeans use the EJB deployment descriptor, ejb-jar.xml.
  • Programmatic Security: the application code itself evaluates the security principals and takes the security decisions. In some complex scenarios declarative security alone cannot express every rule, so security must also be enforced in the application code. For this, Java EE provides the authenticate, login and logout methods on HttpServletRequest.
  • Message Security: mostly used when other applications contact ours through web services, RMI and similar; it is implemented with security tokens, authentication headers and the like.

Declarative Security: if we implement servlets in our application, we can use Java EE annotations to specify the security constraints.

@ServletSecurity is the root annotation for specifying security. It is placed on the servlet implementation class and defines the constraints on HTTP requests; the container applies them to the url-patterns mapped to that servlet.

public @interface ServletSecurity {

    // Applied to every HTTP method that has no entry in httpMethodConstraints.
    HttpConstraint value() default @HttpConstraint;

    // Per-method constraints that override the default above for the named methods.
    HttpMethodConstraint[] httpMethodConstraints() default {};

}

@HttpConstraint: used inside @ServletSecurity to represent the constraint applied to all HTTP methods for which no corresponding @HttpMethodConstraint appears in the @ServletSecurity annotation.

public @interface HttpConstraint {

    // Only consulted when rolesAllowed is empty: PERMIT allows every caller, DENY rejects every caller.
    EmptyRoleSemantic value() default EmptyRoleSemantic.PERMIT;

    // Data protection required for the connection: NONE accepts plain HTTP, CONFIDENTIAL requires HTTPS.
    TransportGuarantee transportGuarantee() default TransportGuarantee.NONE;

    // Roles allowed to access the servlet.
    String[] rolesAllowed() default {};

}

@HttpMethodConstraint: used inside @ServletSecurity to specify, for one named HTTP method, whether it may access the servlet and which roles may use it.

public @interface HttpMethodConstraint {

    // The HTTP method this constraint applies to, e.g. "GET" or "POST".
    String value();

    // Only consulted when rolesAllowed is empty: PERMIT allows every caller, DENY rejects every caller.
    EmptyRoleSemantic emptyRoleSemantic() default EmptyRoleSemantic.PERMIT;

    // Data protection required for the connection: NONE accepts plain HTTP, CONFIDENTIAL requires HTTPS.
    TransportGuarantee transportGuarantee() default TransportGuarantee.NONE;

    // Roles allowed to use this HTTP method on the servlet.
    String[] rolesAllowed() default {};

}
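As an added example (not code from the original post), a Servlet 3.0 servlet that combines the three annotations above; the URL, the class name and the roles admin and user are assumptions. Because the default @HttpConstraint covers every method that has no @HttpMethodConstraint of its own, no HTTP method is left unconstrained.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the original post. The URL, class and role
// names ("admin", "user") are assumptions chosen for illustration.
@WebServlet("/admin/users")
@ServletSecurity(
    // Default constraint: applies to every HTTP method that has no entry in
    // httpMethodConstraints, so no method is left uncovered. Only "admin"
    // may call them, and only over a protected (HTTPS) connection.
    value = @HttpConstraint(rolesAllowed = "admin",
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        // GET is read-only here, so "user" is allowed as well (still HTTPS only).
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"admin", "user"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        // TRACE is never needed: an empty rolesAllowed combined with DENY
        // rejects it for everyone instead of permitting everyone.
        @HttpMethodConstraint(value = "TRACE",
                              emptyRoleSemantic = EmptyRoleSemantic.DENY)
    })
public class UserAdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the
        // role; the servlet can still branch on the role for finer decisions.
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + req.getRemoteUser()
                + (req.isUserInRole("admin") ? " (admin view)" : " (read-only view)"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Reached only by an authenticated "admin" over HTTPS (default constraint).
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```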

If we are not writing the servlet class ourselves (and so cannot annotate it), we specify the constraints in the deployment descriptor with the security-constraint element. The authentication type cannot be specified with annotations at all; it must be configured in the descriptor. By default the authentication type is BASIC; any other type is specified in the descriptor.

The child elements of security-constraint:

  • Web resource collection (web-resource-collection): a list of url-patterns, relative to the application, and HTTP methods that together describe the set of resources to be protected.
  • Authorization constraint (auth-constraint): specifies that authentication is required to access the resource and which roles are authorized to do so.
  • User data constraint (user-data-constraint): specifies how data must travel between client and server (plain HTTP or HTTPS/SSL). The possible values of its transport-guarantee element are:
    1. CONFIDENTIAL: the application requires that data be transmitted so that other entities cannot observe the contents of the transmission.
    2. INTEGRAL: the application requires that data sent between client and server cannot be changed in transit.
    3. NONE: the container must accept the constrained requests on any connection, including an unprotected one.

Note: Java EE servers treat the CONFIDENTIAL and INTEGRAL transport guarantee values identically.

http-method-omission: names the HTTP methods that are excluded from the security constraint; every other method is constrained. A web-resource-collection uses either http-method elements or http-method-omission elements, not both.

Example:

<security-constraint>
    <display-name>Require authentication for POST</display-name>
    <web-resource-collection>
        <web-resource-name>Admin area</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
        <!-- Every method except GET (POST, PUT, DELETE, ...) requires the admin role;
             GET on /admin/* is left unconstrained by this element. -->
        <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>

Authentication Types:

The user must be authenticated and authorized before accessing the protected resources; Java EE provides several ways to authenticate users.

  • Basic authentication
  • Form-based authentication
  • Digest authentication
  • Client authentication
  • Mutual authentication

Basic authentication passes the username and password in Base64-encoded form (encoded, not encrypted).

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Form-based authentication posts the username and password as plain-text form fields; anyone who intercepts the request can read the credentials directly, so this type of authentication is not secure on its own and should be combined with a CONFIDENTIAL transport guarantee.

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>file</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>

Digest authentication is similar to Basic authentication, but where Basic sends the credentials over the network in (effectively) plain text, Digest sends a cryptographic hash of the credentials together with additional information such as a server-supplied nonce; the server compares it against the hash computed from the user's stored password to authenticate the user.

<login-config>
    <auth-method>DIGEST</auth-method>
</login-config>

For other types of authentication, such as digital certificates or JDBC-backed user stores, we create a realm on the server and name that realm in the deployment descriptor.

<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>jdbcRealm</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html?error</form-error-page>
    </form-login-config>
</login-config>

Declaring Security Roles:

We declare the list of roles used by the application with the security-role element.

<security-role>
    <role-name>admin</role-name>
</security-role>

<security-role>
    <role-name>user</role-name>
</security-role>

These roles are then referenced from the security-constraint -> auth-constraint -> role-name element.

Programmatic way to authenticate: we can use the login, logout and authenticate methods on HttpServletRequest.

// Validates the credentials against the realm configured for the application;
// throws ServletException if they are rejected.
request.login("user-name", "password");

// Removes the authenticated identity from the request.
request.logout();

// Triggers the configured login mechanism (BASIC, FORM, ...) if no user is logged in yet.
request.authenticate(response);
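An added example (not code from the original post) of login() and authenticate() used together in one servlet; the URL, parameter names and messages are assumptions, and the realm named in login-config does the actual credential check. It adds the two checks a practitioner wants around login(): discarding the pre-login session and returning one generic failure message.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// Added example (not from the original post); URL, parameter names and
// messages are assumptions. The realm named in <login-config> verifies
// the password; this class never compares credentials itself.
@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Discard any pre-login session so an attacker-chosen session id is
        // never promoted to an authenticated one (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        try {
            // Throws ServletException on bad credentials, if the realm does
            // not support login(), or if a user is already logged in.
            req.login(user, pass);
            req.getSession(true);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (ServletException e) {
            // One message for every failure: do not reveal valid user names.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Login failed");
        }
    }

    // GET: show the account; authenticate() runs the configured mechanism
    // (BASIC, FORM, ...) when nobody is logged in and returns false once it
    // has itself written the challenge or redirect, so send nothing more.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (req.getUserPrincipal() == null && !req.authenticate(resp)) return;
        resp.setContentType("text/plain");
        resp.getWriter().println("Account of " + req.getRemoteUser());
    }
}
```

The matching logout is request.logout() followed by invalidating the session, so the session cookie cannot be reused after the identity is dropped.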

Conclusion: Servlet 3.0 provides a declarative way to authenticate and authorize users. We can protect application end-points by configuring security roles and constraints, and we can also authenticate the user programmatically with the additional HttpServletRequest methods, but the application must then be deployed on a container that supports Servlet 3.0.

So, you now know the importance of security in Java EE applications. If you have any questions, ask the experts of a Java web development company directly in the comments. Do share your feedback on this post and tell other readers about your experience with this tutorial.

Ethan Millar

Technical Writer at Aegis Softtech
Having more than 6 years of experience writing technical articles, especially on Hadoop, Big Data, Java, CRM and ASP.NET, at Aegis Softtech.
