Before you begin
Programmatic security is used by security-aware applications when declarative security alone is not sufficient to express the security model of the application. Programmatic security consists of the following methods of the HttpServletRequest interface:
- getUserPrincipal()
- getRemoteUser()
- isUserInRole()
When the isUserInRole() method is used, declare a security-role-ref element in the deployment descriptor with a role-name subelement containing the role name passed to this method. Because actual roles are created during the assembly stage of the application, you can use a logical role as the role name and provide enough hints in the description of the security-role-ref element for the assembler to link that logical role to the actual role. During assembly, the assembler creates a role-link subelement that links the role name to the actual role. You can create the security-role-ref element during development if you use a development tool such as WebSphere Studio Application Developer, or during the assembly stage using the assembly tool.
Steps for this task
Results
A programmatically secured servlet application.
Example
After development, a security-role-ref element can be created:
<security-role-ref>
    <description>Provide hints to assembler for linking this role name to an actual role here</description>
    <role-name>Mgr</role-name>
</security-role-ref>
During assembly, the assembler creates a role-link element:
<security-role-ref>
    <description>Hints provided by developer to map the role name to the role-link</description>
    <role-name>Mgr</role-name>
    <role-link>Manager</role-link>
</security-role-ref>
You can call the programmatic servlet security methods inside any servlet service method, such as doGet(), doPost(), doPut(), or doDelete(). The following example shows the programmatic security API in use:
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    ....
    // Get the remote user using getUserPrincipal(). It returns null when the
    // caller has not been authenticated, so guard against that before getName().
    java.security.Principal principal = request.getUserPrincipal();
    String remoteUser = (principal != null) ? principal.getName() : null;
    // Get the remote user using getRemoteUser() (also null if unauthenticated)
    remoteUser = request.getRemoteUser();
    // Check whether the remote user is granted the Mgr role
    boolean isMgr = request.isUserInRole("Mgr");
    // use the above information in any way as needed by
    // the application
    ....
}
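The following servlet, added here as an example and not taken from the original page, ties the pieces together: it assumes a hypothetical servlet named ReportServlet whose web.xml entry carries the security-role-ref shown in the comment (logical role Mgr linked to the actual role Manager), rejects unauthenticated callers before touching the principal, and enforces the role check with isUserInRole().

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the original page. Assumes this servlet is
// declared in web.xml with the following security-role-ref (hypothetical),
// so the logical role "Mgr" used in code is linked to the actual role "Manager":
//
//   <servlet>
//     <servlet-name>ReportServlet</servlet-name>
//     <servlet-class>ReportServlet</servlet-class>
//     <security-role-ref>
//       <role-name>Mgr</role-name>
//       <role-link>Manager</role-link>
//     </security-role-ref>
//   </servlet>
//   <security-role><role-name>Manager</role-name></security-role>
public class ReportServlet extends HttpServlet {

    // Logical role name as used in code; the container resolves it through role-link.
    private static final String MGR_ROLE_REF = "Mgr";

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getUserPrincipal() returns null when the caller has not authenticated
        // (for example, the URL is not covered by a security-constraint), so the
        // null case must be handled before calling getName().
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication required");
            return;
        }
        // isUserInRole("Mgr") is evaluated against the linked actual role
        // ("Manager"), not against the literal string "Mgr".
        if (!request.isUserInRole(MGR_ROLE_REF)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Manager role required");
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().println("Management report for " + principal.getName());
    }
}
```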
What to do next
After developing an application, use the Application Assembly Tool (AAT) to create roles and to link the actual roles to the role names in the security-role-ref elements.