With programmatic security, the topic of this chapter, protected servlets and JSP
pages at least partially manage their own security. To prevent unauthorized access,
each servlet or JSP page must either authenticate the user or verify that the user has
been authenticated previously. Even after the servlet or JSP page grants access to a
user, it can still customize the results for different individual users or categories of
users. To safeguard network data, each servlet or JSP page has to check the network
protocol used to access it. If users try to use a regular HTTP connection to access one
of these URLs, the servlet or JSP page must manually redirect them to the HTTPS
(SSL) equivalent.
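The two checks this paragraph describes, a transport check with a manual redirect to HTTPS and a check that a login has already taken place, can be centralized in a base servlet. The following is an added example, not code from the book: the port mapping (HTTP on 8080, HTTPS on 8443), the session attribute name, the login URL, and the AccountServlet subclass are all assumptions made for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Base class for servlets that manage their own security. Subclasses
 * override doGet/doPost as usual; service() first enforces HTTPS and then
 * verifies that the user was authenticated earlier in the session.
 */
public abstract class SelfProtectedServlet extends HttpServlet {
    // Assumed deployment: plain HTTP on 8080, HTTPS on 8443.
    private static final int HTTP_PORT = 8080;
    private static final int HTTPS_PORT = 8443;
    // Assumed session attribute stored by a hypothetical login servlet
    // after it has verified the user's credentials.
    static final String USER_ATTRIBUTE = "authenticatedUser";
    // Assumed login page (a context-relative path).
    static final String LOGIN_PAGE = "/login";

    @Override
    protected void service(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 1. Safeguard network data: refuse to answer over plain HTTP.
        //    Anything the client already sent (cookies, a POST body) has
        //    crossed the network in the clear; the redirect protects only
        //    the response and subsequent requests.
        if (!request.isSecure()) {
            response.sendRedirect(httpsEquivalent(request));
            return;
        }
        // 2. Verify that authentication happened previously in this session.
        //    getSession(false) avoids creating a session for anonymous hits.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTRIBUTE);
        if (user == null) {
            response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
            return;
        }
        // 3. Both checks passed: expose the user to doGet/doPost and dispatch.
        request.setAttribute(USER_ATTRIBUTE, user);
        super.service(request, response);
    }

    /** Rebuilds the requested URL with the https scheme and matching port. */
    static String httpsEquivalent(HttpServletRequest request) {
        int httpsPort = (request.getServerPort() == HTTP_PORT) ? HTTPS_PORT : 443;
        // getServerName() is derived from the Host header; the container must
        // be configured with the hosts it serves so this cannot become an
        // open redirect to an attacker-chosen host.
        StringBuilder url = new StringBuilder("https://").append(request.getServerName());
        if (httpsPort != 443) {
            url.append(':').append(httpsPort);
        }
        url.append(request.getRequestURI());
        String query = request.getQueryString();
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    /** Minimal HTML escaping so the user name cannot inject markup. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}

/** Hypothetical protected page: doGet runs only over HTTPS and after login. */
class AccountServlet extends SelfProtectedServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = (String) request.getAttribute(USER_ATTRIBUTE);
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.println("<h1>Account settings for " + escape(user) + "</h1>");
    }
}
```

Because sendRedirect turns a POST into a GET on the new URL, form submissions that arrive over HTTP lose their body; the form that generates them should point at the HTTPS URL in the first place, and the redirect is a safety net rather than the normal path.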
4.1 Combining Container-Managed and Programmatic Security
Declarative security is very convenient: you set up usernames, passwords, access
mechanisms (HTML forms vs. BASIC authentication) and transport-layer requirements
(SSL vs. normal HTTP), all without putting any security-related code in any of
the individual servlets or JSP pages. However, declarative security provides only two
levels of access for each resource: allowed and denied. Declarative security provides
no options to permit resources to customize their output depending on the username
or role of the client that accesses them.
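The customization that declarative security alone cannot express is what the programmatic API adds on top of it. In the following added example (not from the book), the container still performs the login and, through a security-constraint in web.xml, still decides whether the URL is reachable at all; the servlet only reads the outcome through getRemoteUser and isUserInRole to vary its output. The role names "administrator" and "registered-user" and the catalog contents are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * A catalog page whose access is governed by container-managed security
 * but whose content depends on who is asking. The servlet never handles
 * passwords; it only consults the identity the container established.
 */
public class CatalogServlet extends HttpServlet {
    // Assumed role names. They must appear in <security-role> in web.xml,
    // or be mapped through <security-role-ref>, or isUserInRole returns
    // false for them regardless of the actual login.
    static final String ADMIN_ROLE = "administrator";
    static final String MEMBER_ROLE = "registered-user";

    /** The three levels of detail this page can produce. */
    enum View { PUBLIC, MEMBER, ADMIN }

    /**
     * Decides the level of detail from the container's view of the user.
     * getRemoteUser() is null when the container performed no login, which
     * happens only if web.xml leaves this URL unconstrained; the page then
     * degrades to public content rather than failing.
     */
    static View viewFor(HttpServletRequest request) {
        if (request.getRemoteUser() == null) {
            return View.PUBLIC;
        }
        if (request.isUserInRole(ADMIN_ROLE)) {
            return View.ADMIN;
        }
        if (request.isUserInRole(MEMBER_ROLE)) {
            return View.MEMBER;
        }
        // Authenticated but in no role this page knows about.
        return View.PUBLIC;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        View view = viewFor(request);
        out.println("<h1>Catalog</h1>");
        out.println("<ul>");
        out.println("  <li>Widget, list price 10.00</li>");   // constructed sample item
        if (view != View.PUBLIC) {
            // Member pricing: only shown once the container has logged the user in.
            String user = escape(request.getRemoteUser());
            out.println("  <li>Member price for " + user + ": 8.50</li>");
        }
        if (view == View.ADMIN) {
            // Administrative data stays out of the markup entirely for others,
            // rather than being hidden client-side.
            out.println("  <li>Units in stock: 42 (admin only)</li>");
        }
        out.println("</ul>");
    }

    /** Minimal HTML escaping: the user name comes from the realm, not from us. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

The division of labor matters: isUserInRole is a fine-grained presentation decision, not the access check. If this URL were left out of every security-constraint, the container would never prompt for a login, getRemoteUser would return null for everyone, and the page would silently serve the public view to all, so the declarative constraint still has to be in place.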
It would be nice to provide this customization without giving up the convenience
of container-managed security for the usernames, passwords, and roles as would be
required if a servlet or JSP page completely managed its own security (as in Section
4.