
Using J2EE Servlet Security APIs

Most permissions for resources secured by WAM are managed at the resource request level (URLs in the HTTP space). However, you may want finer-grained control over web apps that run in J2EE web containers. You do this using J2EE programmatic security, which is enabled by WAM web agents on supported containers.

When you design a J2EE web app or component, you should always think about the kinds of users who will access it. For example, an order fulfillment web app might be accessed by customers, shipping clerks, sales representatives, and managers. Each of these user categories is called a security role, an abstract logical grouping of users that is defined by the person who deploys or manages the application. When a web app is deployed, the deployer will map the roles to security identities in the operational environment.

J2EE programmatic security for web apps consists of the following methods of the HttpServletRequest interface:

  • request.getRemoteUser(): Returns the user name with which the client authenticated, or null if the client has not been authenticated.

  • request.isUserInRole(String role): Returns true if the authenticated user is in the named security role.

  • request.getUserPrincipal(): Returns a java.security.Principal object for the authenticated user, or null if the client has not been authenticated.

These APIs allow servlets to make business logic decisions based on the logical role of the remote user. They also allow the servlet to determine the principal name of the current user. Example 1 is a JSP code snippet that uses the isUserInRole() method to decide whether an employee account information list should contain all employees or only the currently authenticated user. If the authenticated user has the Manager role, the list contains all employees. Otherwise, the user sees only a list with his own account information.

// Managers see a list of all employees
if (request.isUserInRole("Manager"))
{
    list = EmployeeList.getAllEmployees();
}
// Employees see a list with their own identity
else
{
    list = EmployeeList.getEmployee(request.getUserPrincipal().getName());
}

Example 1 - Using J2EE web programmatic security

You can use these J2EE servlet security API methods to flexibly apply fine-grained access control to images, links, buttons, or any other web page component.
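The following servlet is an added example (not code from the WAM documentation) that applies the same Manager-or-self decision with all three API methods, and adds the check a practitioner would want: the request is refused outright when no principal was established, so the "own record" branch can never run with a null name. EmployeeList and Employee are hypothetical classes, as in Example 1; the role string must match a security-role-ref or security-role declared in the web app's deployment descriptor, which the deployer maps to an identity in WAM.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not part of the WAM documentation. EmployeeList and
// Employee are hypothetical data-access classes, as in Example 1.
public class EmployeeListServlet extends HttpServlet {

    // Role name as declared in the app's <security-role-ref>/<security-role>;
    // the deployer maps it to a WAM identity or group at deploy time.
    private static final String MANAGER_ROLE = "Manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Principal principal = request.getUserPrincipal();

        // Deny by default: if the web agent did not establish an identity,
        // getUserPrincipal() and getRemoteUser() both return null.
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        boolean isManager = request.isUserInRole(MANAGER_ROLE);
        List<Employee> list;
        if (isManager) {
            // Managers see a list of all employees
            list = EmployeeList.getAllEmployees();
        } else {
            // Everyone else sees only their own record, keyed by the
            // authenticated principal, never by a request parameter.
            list = EmployeeList.getEmployee(principal.getName());
        }

        // Audit which identity received which view.
        log("employee list served to " + request.getRemoteUser()
            + " (manager=" + isManager + ")");

        request.setAttribute("employees", list);
        request.getRequestDispatcher("/WEB-INF/employees.jsp")
               .forward(request, response);
    }
}
```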

NOTE: WAM also supports the J2EE servlet security API methods when Tomcat is used as the JSP/servlet engine behind the Apache or IIS web servers. You simply need to configure the WAM web agents for both the web server and Tomcat.

