Java Enterprise in a Nutshell, Third Edition by William Crawford, Jim Farley

Security

Servlets don’t have to handle their own security arrangements. Instead, they can rely on the capabilities of the web server to limit access where required. The security capabilities of most web servers are limited to basic on-or-off access to specific resources, controlled by username and password (or digital certificate), with optional encryption of the connection using SSL. Most servers support only basic authentication, which sends the username and password Base64-encoded in an HTTP header, which is effectively in the clear unless the connection itself is protected by SSL. Some also support the more advanced digest authentication protocol, which transmits a hash of the user’s password combined with a server-generated nonce rather than the password itself, so the password never crosses the wire. Both approaches look the same to the user: the familiar “Enter Username and Password” window pops up in the web browser.

Recent versions of the Servlet API take a much less hands-off approach to security. The web.xml file can define which servlets and resources are protected and which users have access. The user access model is the J2EE User-Role model, in which users can be assigned one or more roles. Users with a particular role are granted access to protected resources. A user named Admin might have both the Administrator role and the User role while users Bob and Ted might have only the User role. (See Chapter 10 for more details about J2EE security.)
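The following web.xml deployment descriptor is an added example, not code from the book, showing how the protected resources and roles described above are declared. The servlet name, class, URL patterns and realm name are assumptions for illustration. Note that the descriptor declares roles only; which users (Admin, Bob, Ted) hold which roles is configured in the container, outside web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>

  <!-- Hypothetical servlet used to illustrate the constraints below. -->
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- Everything under /admin/ requires the Administrator role.
       No <http-method> elements are listed on purpose: when methods are
       listed, only those methods are constrained and any other method
       (HEAD, PUT, DELETE, ...) reaches the servlet unauthenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL makes the container redirect to SSL, so basic-auth
         credentials are never sent over a plain-text connection. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Ordinary pages are open to anyone holding either role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Member area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>User</role-name>
      <role-name>Administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- One login-config per application. BASIC is shown; DIGEST works
       the same way here if the server supports it. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Realm</realm-name>
  </login-config>

  <!-- Roles referenced by the constraints above must be declared. -->
  <security-role>
    <role-name>Administrator</role-name>
  </security-role>
  <security-role>
    <role-name>User</role-name>
  </security-role>

</web-app>
```

With this descriptor the container performs the authentication and the role check before the request reaches the servlet; inside the servlet, HttpServletRequest.isUserInRole("Administrator") can still be used for finer-grained decisions. How the container maps user accounts to these roles is vendor-specific (Tomcat, for instance, reads them from its tomcat-users.xml file), so the same web.xml works unchanged across servers while the user database does not.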

In addition to basic, digest, and SSL authentication, the web application framework allows for HTML form-based logins. This approach allows the developer to specify an HTML ...
