Access control and JSPs

Absolutely, it is very important to enforce controlled access to the deployed Web content and its associated resources based on user privileges and resource policies specified within your Java EE Web environment. In general, JSPs/Servlets (or Web components) adopt Java EE (J2EE) Web container role-based authorization mechanisms to restrict access control for Web components and their associated resources. Controlling access to resources from a JSP Web component can be done in several ways using both declarative and programmatic authorizations.

Declarative authorization uses the Web application deployment descriptor <security-constraint> element and its <auth-constraint> sub-element for determining who is authorized and to determine access protection of resources such as URL patterns and HTTP methods. These security constraints work only if the original Web application request URI initiated by the caller via a RequestDispatcher (which include <jsp:include> and <jsp:forward>). This means that the inside the Web application, the application has control over all required resources. It would not forward a user's request to access a resource unless the requesting user had privileges to access them. In addition, the Web container checks to see if the authenticated user belongs to one of the roles defined in the <auth-contraint> tag of the deployment descriptor. If the user does not belong to the specified roles for the resource, the request will be terminated with an error message.

Programmatic authorization uses selected methods in the HTTPServletRequest interface such as getRemoteUser(), IsUserInRole(role) and getUserPrincipal() methods for controlling access to Web resources. Programmatic access control is good for setting dynamic access control rules within a Web application, multi-role access and content-level authorization. It also can be mapped to the declarative mechanisms if the calling user is defined in the <role-name> element of the deployment descriptor. This helps to check whether the user access to the Web application is privileged to launch a specific role-based action or viewing content etc.

In addition to the above core authorization mechanisms, there are several design and implementation strategies for enforcing content-level authorization strategies using JAAS authorization, Filters and JSP Custom Tag libraries. I would also suggest taking a look at the Authorization Enforcer design pattern described in Core Security Patterns.

• Enabling HTTPS in J2EE Web components
• Core Security Patterns: Best Practices and Strategies for J2EE, Web Services and Identity Management -- Chapter 8.