A working knowledge of Servlets
and Oracle Application Server security will help you to fully benefit
from the techniques employed in this sample application. Refer to the
Additional References section for related resource
links.
Technical Overview
The Order Management sample application demonstrates
how to secure a web application or web resource by configuring its
security attributes, declaratively, in the web application deployment
descriptor (namely, web.xml). Securing a web application/resource in
this manner will help to prevent unauthorized access. Let's take a more
elaborate look into the working of this sample application.
To prevent unauthorized access, we use the web application
deployment descriptor (web.xml) to identify the protected resources
(URLs) and to designate a page that has a regular HTML form to collect
usernames and passwords. When a user tries to access a protected URL
in an application, he/she will be redirected to the page containing
the form and be prompted to provide the necessary credentials. Once
the form is submitted, the username and password collected from the user
input are sent to the Oracle Application Server, where the server checks
the validity of these credentials against the predefined set of usernames,
passwords, and roles held in the XML-based repository provided for
this web application, and so authenticates the user.
If the login is successful and the user belongs to a role that is permitted
access to the page, the user is granted access to the page originally
requested. If the login is unsuccessful, the user is sent to a designated
error page. This process is completely transparent to the Servlets and
JSP pages.
At times, however, declarative security alone is not sufficient
to express the security model of the application. In such situations,
programmatic security needs to be employed. Programmatic security consists
of the following methods of the HttpServletRequest
interface:
getRemoteUser - this method returns the user name with
which the client authenticated
isUserInRole - this method determines whether the authenticated user is in a specific
security role
getUserPrincipal - this method returns a java.security.Principal object for the current user
These APIs allow servlets to make business logic decisions
based on the logical role of the remote user. They also allow the servlet
to determine the principal name and role of the current user.
Application Overview
The Order Management sample application
authorizes two types of users to view data:
The Manager, who can view all the users who
have created orders in the database and also view the orders
of each user
The Trader, who is allowed to view only
his/her own orders
No users from other roles are allowed to view
any of the resources from this application. Though the application server
can authenticate users under the 'guestusers' role, the application
does not allow them to view any data.
Application Design
This application
is designed to use the declarative and programmatic ways of protecting web
resources. As mentioned earlier, the sample application allows two
user roles or groups to access the protected resources - the 'manager',
who can view all the listed users and their orders in the database, and
the 'trader', who can only access his/her own records in the database.
Whenever a user tries to access the protected web resources he/she
will be redirected to the login page. Once the user submits the form with
his/her username and password, the application server checks the
validity of the credentials. If the user is not authenticated he/she will be redirected
to the error page. Then the SecurityServlet authorizes the user to view the related information,
programmatically, based on the user's role.
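The programmatic half (the HttpServletRequest methods listed under Technical Overview and the manager/trader split described here), as an added example that is not the sample's own SecurityServlet.java: the JNDI data source name jdbc/OrderDS and the ORDERS table columns are assumptions, and the code uses Java 7 syntax.

```java
package oracle.otnsamples.servlets;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.*;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import javax.sql.DataSource;

public class SecurityServlet extends HttpServlet {
    // JNDI name and ORDERS table layout are assumptions, not taken from the sample.
    private static final String DS_NAME = "jdbc/OrderDS";
    private static final String ALL_ORDERS = "SELECT username, order_id, item FROM orders";
    private static final String OWN_ORDERS = ALL_ORDERS + " WHERE username = ?";
    public void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already completed the FORM login, so getRemoteUser()
        // is the authenticated name; it, never a request parameter, scopes the query.
        String user = req.getRemoteUser();
        if (user == null) {              // only possible if the URL escapes the constraint
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String sql;
        if (req.isUserInRole("manager")) {
            sql = ALL_ORDERS;            // managers see every user's orders
        } else if (req.isUserInRole("trader")) {
            sql = OWN_ORDERS;            // traders see only their own rows
        } else {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); // authenticated (e.g. guestusers) but not authorized
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        try (Connection c = ((DataSource) new InitialContext().lookup(DS_NAME)).getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            if (sql.equals(OWN_ORDERS)) ps.setString(1, user); // bound, so the filter cannot be widened
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.println(rs.getString("username") + "\t" + rs.getInt("order_id")
                        + "\t" + rs.getString("item"));
                }
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException("order lookup failed", e);
        }
    }
}
```

The role names passed to isUserInRole must match those declared in web.xml (or be mapped through a security-role-ref), otherwise the check silently returns false for everyone.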
Sample Application Files
This section will provide a tabular listing of
the sample application files, along with their respective directory locations
and a description of what they do in the overall scheme of the application:
Readme File and Stylesheets
Directory       File            Description
security/doc    Readme.html     This file
security/doc    otn.css         Stylesheet used in the Readme.html
security/doc    Install.html    The sample install instructions document
Servlet and Related Files for the Application
Directory                                  File                   Description
security/src/oracle/otnsamples/servlets    SecurityServlet.java   This Servlet checks the user's roles and displays the appropriate content.
security/public_html/WEB-INF               web.xml                The web deployment descriptor
security/public_html                       login.html             The login page
security/public_html                       loginError.html        The error page displayed when the login fails
security/public_html                       main.html              The main HTML page, which calls the SecurityServlet
Configuration and Build Files for the Application
Directory                File                    Description
security/src/META-INF    orion-application.xml   Application server specific deployment descriptor
security/src/META-INF    jazn-data.xml           Contains users and user groups
security/src/META-INF    data-sources.xml        Contains the data source definitions used by the application
Setting up the Sample Application
Refer to the Install.html document for step-by-step
instructions on extracting files, installing, and running the sample successfully.
We hope you found this README file helpful. Please enter
your comments about the Order Management sample application in the OTN
Sample Code Discussion Forum.
Securing Web Application Resources Sample Application