https://blogs.oracle.com/swchan/entry/follow_up_on_servlet_3
By Shing Wai Chan on Oct 29, 2009
Recap of the two issues with applying JSR 250 security annotations to servlets:
- In JSR 250, type-level annotations only apply to methods declared in that class, not to inherited ones. This is an issue for servlets, since they extend javax.servlet.http.HttpServlet and inherit most of their methods from it.
- The doGet method et al. need not correspond to the HTTP method GET et al., because the dispatch logic can be overridden in the service method of the servlet.
Thanks to Ronald Monzilo for the discussions on Servlet 3.0 security. The following is an update on the Servlet 3.0 security annotations:
- As in Servlet 2.5, @DenyAll, @PermitAll and @RolesAllowed will not apply to servlets, and @TransportProtected will not be added to JSR 250.
- The following new annotations will be added to javax.servlet.annotation:
- ServletSecurity
- HttpConstraint
- HttpMethodConstraint
- With the new annotations, both issues above are resolved. In addition, they cover the new use case where one wants a security constraint only on an extended HTTP method, for instance FOO.
In this blog, I will illustrate how these annotations work. For the convenience of readers of my previous blogs, I will first revisit the four scenarios from my previous blog, Servlet 3.0 Security Annotations, using the new annotations. Then I add one more example.
Example 1: For all Http Methods
import javax.servlet.annotation.*;
import javax.servlet.http.HttpServlet;

@WebServlet("/myurl")
@ServletSecurity(@HttpConstraint(rolesAllowed={"javaee"}))
public class TestServlet extends HttpServlet {
    ...
}
In this case, all HTTP methods are protected and accessible only by authenticated users with role javaee.
Example 2: Http Method Level
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet("/myurl")
@ServletSecurity(httpMethodConstraints={
    @HttpMethodConstraint("GET"),
    @HttpMethodConstraint(value="POST", rolesAllowed={"javaee"}),
    @HttpMethodConstraint(value="TRACE", emptyRoleSemantic=ServletSecurity.EmptyRoleSemantic.DENY) })
public class TestServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}
The behavior of the above servlet can be summarized as follows:
HTTP method | Behavior |
---|---|
GET | everyone can access the GET method |
POST | only authenticated users with role javaee can access the POST method |
TRACE | no one can access the TRACE method |
methods other than GET, POST and TRACE | fall under the default @HttpConstraint, which permits everyone (compare Example 5) |
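The second issue listed at the top of this post (doGet need not correspond to GET once service is overridden) is exactly what the per-method constraints of Example 2 fix: the container compares the request's HTTP method against the @HttpMethodConstraint entries before the servlet's service method is entered, so the dispatch logic inside the servlet never matters. The following servlet is an added example, not code from the original post. It routes every HTTP method through one handler, carries the same three constraints as Example 2, and adds an explicit deny-by-default value constraint for the methods that Example 2 leaves open. The class name, URL pattern and handler are made up for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Class name, URL and handler are
// made up; the method constraints are those of Example 2.
@WebServlet("/dispatch")
@ServletSecurity(
    // Default for every method not listed below (PUT, DELETE, HEAD, OPTIONS,
    // FOO, ...): deny. Without this element the default @HttpConstraint
    // permits everyone, which is what Example 2 does.
    value = @HttpConstraint(emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint("GET"),                                      // everyone
        @HttpMethodConstraint(value = "POST", rolesAllowed = {"javaee"}),  // role javaee
        @HttpMethodConstraint(value = "TRACE",
            emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.DENY)    // nobody
    })
public class DispatchServlet extends HttpServlet {

    // Single entry point: every request, whatever its HTTP method, is routed to
    // handle(); doGet(), doPost() and doTrace() are never called. A constraint
    // tied to those method names would therefore be useless here, but the
    // container checks @HttpMethodConstraint against req.getMethod() before
    // service() is invoked, so an unauthorized POST or any TRACE is rejected
    // (401 or 403) and never reaches this code.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        handle(req, res);
    }

    private void handle(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();
        out.println("method=" + req.getMethod());
        // null for an unauthenticated GET; set for a POST, which required login
        out.println("user=" + req.getRemoteUser());
        out.println("javaee=" + req.isUserInRole("javaee"));
    }
}
```

Because HEAD is a distinct HTTP method, the deny-by-default value constraint also blocks HEAD; list it with its own @HttpMethodConstraint if clients need it.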
Example 3: A General Constraint for all Http methods with some Exceptional Cases
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint(rolesAllowed={"javaee"}),
    httpMethodConstraints={
        @HttpMethodConstraint(value="POST", rolesAllowed={"staff"}),
        @HttpMethodConstraint("TRACE") })
public class TestServlet extends HttpServlet {
    ...
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}
The behavior of the above servlet can be summarized as follows:
HTTP method | Behavior |
---|---|
POST | only authenticated users with role staff can access the POST method |
TRACE | everyone can access the TRACE method |
methods other than POST and TRACE | only authenticated users with role javaee can access |
Example 4: Https and protected for a given role
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint(
        transportGuarantee=ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints={
        @HttpMethodConstraint(value="TRACE",
            transportGuarantee=ServletSecurity.TransportGuarantee.NONE,
            rolesAllowed={"javaee"}) })
public class TestServlet extends HttpServlet {
    ...
    protected void doTrace(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        ...
    }
}
The behavior of the above servlet can be summarized as follows:
HTTP method | Behavior |
---|---|
TRACE | HTTPS is accepted but not required; only authenticated users with role javaee can access the TRACE method |
methods other than TRACE | HTTPS is required; no role is required, so everyone can access over HTTPS |
Example 5: Protect FOO only
import javax.servlet.annotation.*;
import javax.servlet.http.HttpServlet;

@WebServlet("/myurl")
@ServletSecurity(value=@HttpConstraint,
    httpMethodConstraints={
        @HttpMethodConstraint(value="FOO", rolesAllowed={"javaee"}) })
public class TestServlet extends HttpServlet {
    ...
}
The behavior of the above servlet can be summarized as follows:
HTTP method | Behavior |
---|---|
FOO | only authenticated users with role javaee can access the FOO method |
methods other than FOO | everyone can access |
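Beyond the annotations shown in the examples, Servlet 3.0 exposes the same constraints as a programmatic API: ServletSecurityElement, HttpConstraintElement and HttpMethodConstraintElement are the runtime counterparts of @ServletSecurity, @HttpConstraint and @HttpMethodConstraint, and are applied through ServletRegistration.Dynamic.setServletSecurity. This is the route for servlets registered from code rather than with @WebServlet. The listener below is an added example, not code from the original post; it reproduces the constraints of Example 3 programmatically. The listener class name, the registration name and the assumption that TestServlet is a plain HttpServlet subclass without a @WebServlet annotation are mine.

```java
import java.util.Arrays;
import java.util.Set;

import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;

// Added example, not from the original post. Listener name and registration
// name are made up; TestServlet is assumed to be a plain HttpServlet subclass
// that carries no @WebServlet annotation of its own.
@WebListener
public class SecurityRegistrationListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // Register the servlet in code instead of with @WebServlet.
        ServletRegistration.Dynamic reg = ctx.addServlet("test", TestServlet.class);
        reg.addMapping("/myurl");

        // Default constraint for every HTTP method: role javaee, no TLS requirement.
        // Equivalent to value=@HttpConstraint(rolesAllowed={"javaee"}) in Example 3.
        HttpConstraintElement allMethods =
            new HttpConstraintElement(TransportGuarantee.NONE, "javaee");

        // Per-method exceptions, as in Example 3:
        //   POST  -> role staff only
        //   TRACE -> no role names with the default PERMIT semantic: everyone
        HttpMethodConstraintElement post = new HttpMethodConstraintElement("POST",
            new HttpConstraintElement(TransportGuarantee.NONE, "staff"));
        HttpMethodConstraintElement trace = new HttpMethodConstraintElement("TRACE");

        ServletSecurityElement security =
            new ServletSecurityElement(allMethods, Arrays.asList(post, trace));

        // setServletSecurity returns the URL patterns that were already the exact
        // target of a <security-constraint> in web.xml. Those patterns keep the
        // web.xml rules and ignore what was set here, so fail fast rather than
        // deploy with rules other than the intended ones.
        Set<String> alreadyConstrained = reg.setServletSecurity(security);
        if (!alreadyConstrained.isEmpty()) {
            throw new IllegalStateException(
                "web.xml security-constraint overrides programmatic security for "
                + alreadyConstrained);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```

The check on the returned set is the part worth keeping in real code: a deployment descriptor constraint on the same pattern silently wins over both the annotations and the programmatic element, so the only way to notice the mismatch at startup is to look at that return value.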