Chapter 09 - Developing secure web applications (Declarative Approach)

This web application shows how to specify the security aspects of a web application declaratively, in the web.xml deployment descriptor, rather than in servlet code.

Note: To be able to run this web application, you must have the user names and passwords configured in the tomcat-users.xml file, as explained in section 9.2.5. For your convenience, sample values for this file are given here. You can copy the following contents into conf/tomcat-users.xml:

<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />

  <user name="john"   password="jjj" roles="employee" />
  <user name="mary"   password="mmm" roles="employee" />
  <user name="bob"    password="bbb" roles="employee,supervisor" />
</tomcat-users>

  1. This web application contains only one servlet, named DeclarativeSecureServlet. There is no restriction on GET requests to this servlet. To send a GET request, click the hyperlink on this page.

  2. However, only users in the supervisor role can make a POST request. When a POST request is sent to the servlet, the servlet container responds with an "authentication required" challenge, and the request is served only if the client authenticates as a user who has the supervisor role.

    The following web.xml snippet shows the security constraint that allows only a supervisor to send a POST request. Because the web-resource-collection lists only the POST method, the constraint applies to POST alone; other methods on the same URL pattern, GET included, remain unrestricted, and transport-guarantee NONE means the container does not require HTTPS for the request:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>declarativetest</web-resource-name>
        <url-pattern>/servlet/DeclarativeSecureServlet</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>supervisor</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    To make a POST request, submit the form present on this page.
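As an added example, not code from the chapter or its sample application, the following Python script audits the security-constraint elements of a web.xml descriptor. The SAMPLE_WEB_XML it parses is constructed for this example: it is the chapter's constraint extended with the login-config and security-role elements a complete descriptor carries (the BASIC auth-method and the realm-name are assumptions, not taken from the page). For each constraint it reports the protected URL patterns, the HTTP methods covered, the roles allowed and the transport guarantee, and it flags the two points the snippet leaves implicit: an http-method list constrains only the methods named, and transport-guarantee NONE with an auth-constraint means credentials travel over plain HTTP. A hardened variant of the same descriptor is derived alongside it to show what a clean audit looks like.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor for this example: the chapter's constraint plus
# the <login-config> and <security-role> elements a complete web.xml carries.
# The BASIC auth-method and realm-name are assumptions, not from the page.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>declarativetest</web-resource-name>
      <url-pattern>/servlet/DeclarativeSecureServlet</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>supervisor</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Declarative Security Example</realm-name>
  </login-config>
  <security-role>
    <role-name>supervisor</role-name>
  </security-role>
</web-app>
"""

# Same descriptor with every HTTP method constrained and HTTPS required.
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "      <http-method>POST</http-method>\n", "").replace(
    "<transport-guarantee>NONE</transport-guarantee>",
    "<transport-guarantee>CONFIDENTIAL</transport-guarantee>")


def _local(tag):
    """Drop a namespace prefix ({uri}name -> name) so the DTD-based Servlet 2.3
    descriptor used on this page and the namespaced 2.4+ form both parse."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def audit_constraints(web_xml):
    """Return one dict per <security-constraint> with the patterns and methods it
    covers, the roles allowed, the transport guarantee, and reviewer warnings."""
    root = ET.fromstring(web_xml)
    declared = set()
    for sr in _children(root, "security-role"):
        declared.update(_texts(sr, "role-name"))
    has_login = bool(_children(root, "login-config"))

    report = []
    for sc in _children(root, "security-constraint"):
        patterns, methods = [], []
        for wrc in _children(sc, "web-resource-collection"):
            patterns += _texts(wrc, "url-pattern")
            methods += _texts(wrc, "http-method")
        auth = _children(sc, "auth-constraint")
        # No <auth-constraint>: anyone may access. An empty one: nobody may.
        roles = _texts(auth[0], "role-name") if auth else None
        udc = _children(sc, "user-data-constraint")
        guarantee = "NONE"
        if udc:
            guarantee = (_texts(udc[0], "transport-guarantee") or ["NONE"])[0]

        warnings = []
        if methods:  # an explicit method list leaves every other method open
            warnings.append("only %s constrained on %s; every other HTTP method "
                            "is unconstrained" % ("/".join(methods), ", ".join(patterns)))
        if roles is not None and guarantee == "NONE":
            warnings.append("auth-constraint with transport-guarantee NONE: "
                            "credentials are sent over plain HTTP")
        if roles is not None and not has_login:
            warnings.append("auth-constraint present but no <login-config> "
                            "declares an auth-method")
        for role in roles or []:
            if role != "*" and role not in declared:
                warnings.append("role %r is not declared in <security-role>" % role)
        report.append({"patterns": patterns, "methods": methods, "roles": roles,
                       "transport": guarantee, "warnings": warnings})
    return report


if __name__ == "__main__":
    for label, xml in (("as on the page", SAMPLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for entry in audit_constraints(xml):
            print(label, entry["patterns"], entry["methods"] or "ALL methods",
                  entry["roles"], entry["transport"])
            for w in entry["warnings"]:
                print("  WARNING:", w)
```

Run as a script, the page's constraint produces two warnings (POST-only coverage and plain-HTTP credentials), while the hardened variant, which omits http-method so the constraint covers every method and sets CONFIDENTIAL so the container redirects to HTTPS, produces none. The helper functions match on local element names only, so the same audit works on descriptors that declare the Java EE namespace.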