Follow up on Servlet 3.0 Security Annotations

In May 2009, I discussed the Servlet 3.0 security annotations in one of my blogs, Servlet 3.0 Security Annotations. At that time, the annotations were defined similarly to those in EJB. During the discussion in the JSR 315 expert group, two issues were identified:
  1. In JSR 250, type-level annotations only apply to methods declared in that class, not to inherited ones. This is an issue for servlets, as they extend javax.servlet.http.HttpServlet.
  2. The doGet method and the like may not correspond to the HTTP method GET and the like, since the dispatch logic can be overridden in the service method of the servlet.

Thanks to Ronald Monzillo for discussions on Servlet 3.0 security. The following is the update on the Servlet 3.0 security annotations:

  • As in Servlet 2.5, @DenyAll, @PermitAll and @RolesAllowed will not apply to servlets. @TransportProtected will not be added to JSR 250.
  • The following new annotations will be added to javax.servlet.annotation:
    • ServletSecurity
    • HttpConstraint
    • HttpMethodConstraint
    Note that @ServletSecurity is a type-level annotation and the rest are used as parameters of @ServletSecurity.
  • With the above new annotations, one can resolve the issues mentioned above. In addition, they cover the new use case where one wants to have a security constraint for extended HTTP methods only, for instance FOO.

In this blog, I will illustrate how those annotations work. For the convenience of readers of my previous blog, Servlet 3.0 Security Annotations, I will first illustrate the four scenarios from that blog with the new annotations. Then I have an additional example.

Example 1: For all Http Methods

@WebServlet("/myurl")
@ServletSecurity(@HttpConstraint(rolesAllowed={"javaee"}))
public class TestServlet extends HttpServlet {
    ...
}

In this case, all HTTP methods are protected and accessible only by users with the role javaee.

Example 2: Http Method Level

@WebServlet("/myurl")
@ServletSecurity(httpMethodConstraints={ @HttpMethodConstraint("GET"),
    @HttpMethodConstraint(value="POST", rolesAllowed={"javaee"}),
    @HttpMethodConstraint(value="TRACE", emptyRoleSemantic=ServletSecurity.EmptyRoleSemantic.DENY) })
public class TestServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }

    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}

The behaviors of the above servlet can be summarized as follows:

Http method   Behavior
GET           all can access the GET method
POST          only authenticated users with role javaee can access the POST method
TRACE         no one can access the TRACE method

Example 3: A General Constraint for all Http methods with some Exceptional Cases

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint(rolesAllowed={"javaee"}),
    httpMethodConstraints={ @HttpMethodConstraint(value="POST", rolesAllowed={"staff"}),
    @HttpMethodConstraint("TRACE") })
public class TestServlet extends HttpServlet {
    ...

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }

    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}

The behaviors of the above servlet can be summarized as follows:

Http method                      Behavior
POST                             only authenticated users with role staff can access the POST method
TRACE                            all can access the TRACE method
methods other than POST and TRACE   only authenticated users with role javaee can access

Note that with the previous definitions, the exceptional cases had to be standard HTTP methods. There is no such restriction for the new annotations, as illustrated by Example 5 below.

Example 4: Https and protected for a given role

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint(
    transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints={ @HttpMethodConstraint(value="TRACE", transportGuarantee=ServletSecurity.TransportGuarantee.NONE, rolesAllowed={"javaee"}) })
public class TestServlet extends HttpServlet {
    ...

    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}

The behaviors of the above servlet can be summarized as follows:

Http method               Behavior
TRACE                     Https is supported, it just is not required. Only authenticated users with role javaee can access the TRACE method
methods other than TRACE  require https

Example 5: Protect FOO only

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint,
    httpMethodConstraints={ @HttpMethodConstraint(value="FOO", rolesAllowed={"javaee"}) })
public class TestServlet extends HttpServlet {
    ...
}

The behaviors of the above servlet can be summarized as follows:

Http method             Behavior
FOO                     only authenticated users with role javaee can access the FOO method
methods other than FOO  all can access
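The container enforces @ServletSecurity by the HTTP method name of the request, before service() is ever called, which is why the issues listed at the top (inherited methods, doGet not matching GET) go away. The following added example (my own illustration, not code from the original post) takes the Example 5 constraint one step further: because HttpServlet.service() only dispatches the standard methods and answers anything else with 501, a servlet that wants to actually serve FOO must override service(). The URL pattern and the doFoo handler are assumptions.

```java
import java.io.IOException;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@DeclareRoles("javaee")              // declare the role the constraint refers to
@WebServlet("/fooservlet")           // assumed URL pattern (example only)
@ServletSecurity(value = @HttpConstraint,   // every other method: open to all
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "FOO", rolesAllowed = {"javaee"}) })
public class FooServlet extends HttpServlet {

    // The container matches the constraint on req.getMethod() before invoking
    // service(): a FOO request from a caller lacking the javaee role is
    // challenged for authentication or rejected with 403 and never gets here.
    // Note: with metadata-complete="true" in web.xml the annotations above are
    // ignored entirely and FOO would be unprotected.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        if ("FOO".equals(req.getMethod())) {
            doFoo(req, res);            // extended method, handled by us
        } else {
            super.service(req, res);    // GET, POST, ... use doGet/doPost etc.
        }
    }

    // Hypothetical handler for the extended FOO method.
    private void doFoo(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/plain");
        // getRemoteUser() is non-null here: FOO required an authenticated javaee user
        res.getWriter().println("FOO handled for " + req.getRemoteUser());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/plain");
        res.getWriter().println("GET is open to everyone");
    }
}
```

Deploying this and sending a FOO request without credentials shows the constraint firing (no response from doFoo), while a plain GET succeeds for anyone.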

Comments:

I am trying to migrate my web.xml to the Servlet 3 new annotations.
Moved my web.xml descriptions to Filter java files. But it seems the filter defined with @WebFilter is never getting hit.
Will @WebFilter work even if the web.xml file exists? Appreciate any pointer.

Posted by Bheem on January 19, 2010 at 12:09 AM PST #

It should be working. Can you check if there is error in server.log during deployment time?

Posted by Shing Wai Chan on January 19, 2010 at 02:00 AM PST #

Note that annotations are not allowed with web-app_2_4.xsd.
You may want to update to the latest version of the schema.

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" metadata-complete="true" version="3.0" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">

Posted by Shing Wai Chan on January 19, 2010 at 02:30 AM PST #

Shing Wai,

Thanks a lot, now @WebServlet works great!!!

Still @WebFilter is not getting hit, do you suggest any more changes to web.xml?

Attaching ChainFilter.java and the latest web.xml file for your reference.

Sincerely appreciate and thanks for your expert advice.

Thanks And Regards,
Bheem

Posted by Bheem on January 19, 2010 at 11:47 AM PST #

There is a typo in my previous reply. It should be metadata-complete="false" rather than metadata-complete="true".

Posted by Shing Wai Chan on January 19, 2010 at 02:54 PM PST #

Shing Wai,

I sent my last message a little early.

After changing to metadata-complete="false", @WebFilter is getting hit, but GlassFish showed the following error :-(
+++++++++++++++++++++++++++++++++++++++++++++++++++
type: Status report

message:HTTP method GET is not supported by this URL

description:The specified HTTP method is not allowed for the requested resource (HTTP method GET is not supported by this URL
+++++++++++++++++++++++++++++++++++++++++++++++++++

Seems something else is required too!!!

Thanks And Regards,
Bheem

Posted by Bheem on January 19, 2010 at 09:07 PM PST #

Shing Wai,

Oops, sorry for the email flood!
Had a bug in my Servlet; for debugging I had changed the service method name.
Corrected the method and everything is working fine.

YOU ARE GOOD!!

BTW what is the need of "metadata-complete"? Any pointers (URLs) would help.

Thanks And Regards,
Bheem

Posted by Bheem on January 19, 2010 at 10:08 PM PST #

You can find more info in lib/schemas/web-common_3_0.xsd.

Posted by Shing Wai Chan on January 20, 2010 at 01:08 AM PST #

About

Shing Wai Chan