• To permit access to authorized users, servlets can be configured by:

Defining Roles

  • An application function can be protected by security roles, each made up of users, groups, or both
  • How users are related to groups depends on the implementation used
  • Roles are declared in the Java EE deployment descriptor file (web.xml); the corresponding mapping of roles to users and groups goes in the web server deployment descriptor file (serv-web.xml)

Defining Constraints

  • Access permissions are defined with the auth-constraint element in the web.xml file
  • Web containers impose authorization at the page level
  • Once the user is authenticated, the container checks the auth-constraint defined in the deployment descriptor to see whether the user belongs to any one of the listed roles
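The two steps above, role definition and constraint definition, as a worked web.xml. This is an added example and not part of the original slides; the role names (admin, employee), URL patterns, realm name and login pages are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original slides): a Java EE web.xml that
     declares two roles and restricts URL patterns to those roles.
     Role names, URL patterns, realm and login pages are assumed. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Defining roles: the logical role names the application relies on.
       Which users/groups fill them is decided in the server descriptor. -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <security-role>
    <role-name>employee</role-name>
  </security-role>

  <!-- Defining constraints: the container enforces these per URL pattern,
       before any servlet code runs. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> listed, so the constraint covers every HTTP
           method. Listing only GET and POST would leave the others
           unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- only authenticated users in this role may reach /admin/* -->
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- require TLS for these pages -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Staff pages</web-resource-name>
      <url-pattern>/staff/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- a user in either role passes the check -->
      <role-name>employee</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- How the container authenticates the user before the role check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ExampleRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Two checks worth making on any such file: a security-constraint with no auth-constraint element at all protects nothing (it only applies the transport guarantee), while an empty `<auth-constraint/>` denies every request to that pattern, which is useful for disabling a path outright. Also confirm that every role-name used in an auth-constraint has a matching security-role declaration; otherwise the mapping in the server descriptor has nothing to attach to.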

Authorizing Users by Servlets (Cont’d)

Example for defining roles

  • Each security-role-mapping element in the web server deployment descriptor file (serv-web.xml, see above) maps a role name to the principals and groups that the web application allows in that role
  • Its role-name must match the role-name of a security-role element in the corresponding web.xml file
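The role mapping described above, as an added example that is not part of the original slides. The element names are those of the GlassFish server descriptor (sun-web.xml, which the slides refer to as serv-web.xml); the context root, principal name and group names are assumed, and the role names are taken to match the security-role entries of the application's web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original slides): GlassFish-style
     sun-web.xml that maps the roles declared in web.xml onto principals
     and groups of the server's realm. Context root, principal and group
     names are assumed. -->
<!DOCTYPE sun-web-app PUBLIC
  "-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN"
  "http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd">
<sun-web-app>
  <context-root>/hr</context-root>

  <!-- role-name must match a <security-role> in web.xml exactly -->
  <security-role-mapping>
    <role-name>admin</role-name>
    <!-- a single user ... -->
    <principal-name>alice</principal-name>
    <!-- ... and every member of a realm group -->
    <group-name>hr-admins</group-name>
  </security-role-mapping>

  <security-role-mapping>
    <role-name>employee</role-name>
    <group-name>staff</group-name>
  </security-role-mapping>
</sun-web-app>
```

Keeping the mapping in the server descriptor rather than in web.xml is what lets the same application be deployed against different realms (file, LDAP, database) without editing the application's own constraints; the audit question on each deployment is simply which principals and groups each role-name resolves to.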

Example of Defining Constraints for Servlet Authorization