programmatic security and declarative security

al langley
Ranch Hand

Joined: Mar 28, 2008
Posts: 35
I have used the <security-constraint> tags and just started to use realms with a database in Tomcat (thanks for the link again Ben Souther) to allow certain users to view certain pages.
But what if I only want a user to be authenticated once, and for the rest of the session the user can access all pages he is authorized to view without having to be authenticated each time.

How are declarative and programmatic security typically used in these situations?

This is what I was thinking:
The first time a user logs in from the login page, the username/password as well as the authentication method that is declared in the <security-constraint> sections of the DD is used.

Once the user has been authenticated the first time (a correct username/password combo) I set a Boolean variable in a session object to true.

Then for all other pages that require authentication, I just check the session object to see if the attribute value is set to true. If it is (and the user is logged in) I display the appropriate info, otherwise I display a message for the user to go log in.

I'm just curious as to how such cases are typically handled and if there is a more secure (or proper) way to handle this.
Thanks for taking the time to read my question.
Any thoughts or suggestions would be much appreciated.
[ May 19, 2008: Message edited by: al langley ]
Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
If you're using declarative security you don't need to do anything in your code - the servlet container will handle it (and it won't ask a user for the password more than once per session).

But you're talking about doing something in your code - that sounds as if you're actually doing programmatic security? The two don't mix well. I rarely use declarative security these days, because it's rather inflexible.
al langley
Ranch Hand

Joined: Mar 28, 2008
Posts: 35
Thanks for the response!

I have a situation where I have pages that only authorized users should be able to see. I think the scenarios are simple enough to be covered by declarative security. But I was wondering what factors I should look at.

I'd like to learn more about security and how it is typically handled when it comes to servlets and web apps in general. Anyone know a good book, or link?

Thanks again.
Pat Farrell

Joined: Aug 11, 2007
Posts: 4659

I use a security filter, and at the top of every JSP page include code to check access, and if not allowed, redirect to the login page.

You can never trust how someone gets to a particular page. Never ever.

You can not trust a browser. You can't know if it's really a user or a bad guy.
Bear Bibeault
Author and ninkuma

Joined: Jan 10, 2002
Posts: 63837

Pat's approach is very customary and he is 100% spot-on in saying that you can never trust any data coming from a browser. Check early! Check often!

You can avoid putting code on every page by employing a servlet filter.

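A servlet filter of the kind Pat and Bear describe, written here as an added example (it is not code from the thread). It assumes the classic javax.servlet API and a session attribute named authenticatedUser that a login servlet (not shown) sets after a successful check; a user authenticated by the container's declarative security passes as well, via getUserPrincipal().

```java
// Added example, not from the thread: one filter guards every protected URL,
// so no JSP needs its own access check. Assumes javax.servlet (Servlet 2.5 era)
// and a hypothetical session attribute "authenticatedUser" set by a login servlet.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class AuthCheckFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session just to inspect it;
        // no session at all simply means "not logged in".
        HttpSession session = request.getSession(false);
        boolean loggedIn = session != null
                && session.getAttribute("authenticatedUser") != null;

        // If the container authenticated the user declaratively, the principal is set.
        boolean containerAuthenticated = request.getUserPrincipal() != null;

        if (loggedIn || containerAuthenticated) {
            chain.doFilter(req, res);   // allowed: continue to the servlet or JSP
            return;
        }

        // Not authenticated: send the browser to the login page and stop the chain,
        // so the protected resource is never rendered for this request.
        response.sendRedirect(request.getContextPath() + "/login.jsp");
    }

    public void destroy() { }
}
```

Map the filter in web.xml with a <filter> element and a <filter-mapping> whose <url-pattern> covers the protected pages (for example /secure/*), leaving the login page itself outside that pattern so the redirect cannot loop.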
al langley
Ranch Hand

Joined: Mar 28, 2008
Posts: 35
Thanks, will try out the security filter.

The advice is very appreciated!