Java @ServletSecurity, @HttpMethodConstraint and @HttpConstraint Annotations Examples
- Written by Nam Ha Minh
- Last Updated on 27 June 2019
The @ServletSecurity annotation is used to specify security constraints on a Java servlet. The annotations @HttpMethodConstraint and @HttpConstraint are used within @ServletSecurity to define the individual constraints.
These annotations are an alternative to declaring security constraints with <security-constraint> elements in the web.xml file.
1. @ServletSecurity annotation syntax
The general form of the @ServletSecurity annotation is:

```java
@ServletSecurity(
    httpMethodConstraints = <HttpMethodConstraint[]>,
    value = <HttpConstraint>
)
```

The httpMethodConstraints attribute specifies one or more constraints for specific HTTP methods, whereas the value attribute specifies the constraint that applies to all other HTTP methods, i.e. those not listed in httpMethodConstraints.
2. @ServletSecurity annotation examples
- Specifying no security constraints for all HTTP methods:
```java
@WebServlet("/process")
@ServletSecurity
public class MyServlet extends HttpServlet {
    // servlet code...
}
```
- Specifying that the connection requires encryption for all HTTP methods:
```java
@WebServlet("/process")
@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class MyServlet extends HttpServlet {
    // servlet code...
}
```
- Denying access to all HTTP POST requests (HTTP GET requests are still allowed):

```java
@WebServlet("/process")
@ServletSecurity(
    httpMethodConstraints = @HttpMethodConstraint(value = "POST",
            emptyRoleSemantic = EmptyRoleSemantic.DENY)
)
public class MyServlet extends HttpServlet {
    // servlet code...
}
```
- Requiring that users are members of the role "admin" (for all HTTP methods):

```java
@WebServlet("/manage")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {
    // servlet code...
}
```
- Requiring that users are members of the role "admin" for the HTTP GET and POST methods, with POST additionally requiring an encrypted connection. All other HTTP methods are unconstrained:

```java
@WebServlet("/manage")
@ServletSecurity(
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "admin"),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    }
)
public class AdminServlet extends HttpServlet {
    // servlet code...
}
```
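As a complete worked example (added here, not the article's own code) that ties the pieces together: an admin servlet that restricts GET and POST to the role "admin" over TLS, and sets the value constraint to DENY so that every HTTP method not listed in httpMethodConstraints is refused instead of falling back to the default PERMIT. It assumes the javax.servlet API (Servlet 3.0 or later; under Jakarta EE 9+ the package is jakarta.servlet) and that the deployment supplies a <login-config> and a role mapping for "admin".

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Admin-only management endpoint (example class, not from the article).
 *
 * GET and POST are allowed only to authenticated users in the "admin" role
 * and only over an encrypted connection. Every other HTTP method (HEAD, PUT,
 * DELETE, OPTIONS, TRACE, ...) falls under the `value` constraint, which is
 * set to DENY so that no method is left reachable by accident. With the
 * default `value = @HttpConstraint()` those methods would be permitted to
 * everyone, authenticated or not.
 */
@WebServlet("/manage")
@ServletSecurity(
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "admin",
                transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    },
    value = @HttpConstraint(EmptyRoleSemantic.DENY)
)
public class AdminManageServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container has already enforced authentication, the role check and
        // the TLS requirement before this method runs, so getRemoteUser() is
        // non-null here and isUserInRole("admin") is true.
        response.setContentType("text/plain");
        try (PrintWriter out = response.getWriter()) {
            out.println("Hello " + request.getRemoteUser()
                    + ", admin role: " + request.isUserInRole("admin"));
        }
    }
}
```

A <security-constraint> in web.xml whose url-pattern exactly matches /manage takes precedence over the annotation, so check both places when verifying what the container actually enforces.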
3. @ServletSecurity attributes
| Name | Type | Required | Description |
|---|---|---|---|
| httpMethodConstraints | HttpMethodConstraint[] | Optional | Specifies constraints for particular HTTP methods of the servlet. |
| value | HttpConstraint | Optional | Specifies the constraint that applies to all HTTP methods not listed in httpMethodConstraints. |
4. @HttpMethodConstraint attributes
| Name | Type | Required | Description |
|---|---|---|---|
| value | String | Required | Name of the HTTP method (e.g. "GET", "POST"). |
| emptyRoleSemantic | ServletSecurity.EmptyRoleSemantic | Optional | Specifies the default authorization semantic that applies to the servlet when rolesAllowed is empty. |
| rolesAllowed | String[] | Optional | Specifies the role names that are authorized to access the servlet. |
| transportGuarantee | ServletSecurity.TransportGuarantee | Optional | Specifies the type of data protection required for the connection (SSL/TLS). |
5. @HttpConstraint attributes
| Name | Type | Required | Description |
|---|---|---|---|
| rolesAllowed | String[] | Optional | Specifies the authorized role names. |
| transportGuarantee | ServletSecurity.TransportGuarantee | Optional | Specifies the type of data protection required for the connection (SSL/TLS). |
| value | ServletSecurity.EmptyRoleSemantic | Optional | Specifies the default authorization semantic that applies when rolesAllowed is empty. |
6. ServletSecurity.EmptyRoleSemantic enum
This enumeration defines the authorization semantic that applies when no roles are listed in rolesAllowed, with two constants:
- DENY: access is denied.
- PERMIT: access is allowed.
7. ServletSecurity.TransportGuarantee enum
This enumeration specifies the data protection required for the transport, with two constants:
- CONFIDENTIAL: data must be encrypted (using SSL/TLS).
- NONE: no encryption is required.