The @ServletSecurity annotation is used to specify security constraints on a Java servlet. The annotations @HttpMethodConstraint and @HttpConstraint are used within the @ServletSecurity annotation to define those constraints.

These annotations provide an alternative to declaring security constraints with <security-constraint> elements in the web.xml file.


1. @ServletSecurity annotation syntax

The usage of @ServletSecurity annotation is as follows:

@ServletSecurity(
    httpMethodConstraints = <HttpMethodConstraint[]>,
    value = <HttpConstraint>
)
The httpMethodConstraints attribute specifies one or more constraints for specific HTTP methods, whereas the value attribute specifies the constraint that applies to all other HTTP methods, i.e. those not listed in httpMethodConstraints.


2. @ServletSecurity annotation examples

  • Specifying no security constraints for all HTTP methods:
    @WebServlet("/process")
    @ServletSecurity
    public class MyServlet extends HttpServlet {
        // servlet code...
    }

  • Specifying that the connection requires encryption for all HTTP methods:
    @WebServlet("/process")
    @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    public class MyServlet extends HttpServlet {
        // servlet code...
    }

  • Denying access to HTTP POST requests (all other HTTP methods, including GET, are allowed):
    @WebServlet("/process")
    @ServletSecurity(
        httpMethodConstraints = @HttpMethodConstraint(value = "POST",
                                    emptyRoleSemantic = EmptyRoleSemantic.DENY)
    )
    public class MyServlet extends HttpServlet {
        // servlet code...
    }

  • Requiring membership in role “admin” (for all HTTP methods):
    @WebServlet("/manage")
    @ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
    public class AdminServlet extends HttpServlet {
        // servlet code...
    }

  • Requiring membership in role “admin” for HTTP GET and POST; for POST, encryption is also required; all other HTTP methods are unconstrained:
    @WebServlet("/manage")
    @ServletSecurity(
        httpMethodConstraints = {
            @HttpMethodConstraint(value = "GET", rolesAllowed = "admin"),
            @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                                  transportGuarantee = TransportGuarantee.CONFIDENTIAL)
        }
    )
    public class AdminServlet extends HttpServlet {
        // servlet code...
    }
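As an added example (not the tutorial's code), the last AdminServlet above rewritten to fail closed: the value attribute denies every HTTP method that httpMethodConstraints does not list, instead of leaving it unconstrained. The package layout, the mapping of role "admin" to users, and the container's login configuration are assumed to exist.

```java
// Added example, not the tutorial's code. The tutorial's last AdminServlet leaves
// every method other than GET and POST unconstrained, and HttpServlet routes HEAD
// to doGet by default. The `value` attribute below denies any unlisted method, so
// such requests get 403 instead of reaching the handler unauthenticated.
// javax.servlet is the Servlet 3.x package (jakarta.servlet on Jakarta EE 9+).
// "admin" and "/manage" come from the tutorial; mapping "admin" to real users or
// groups is container configuration and is assumed to exist.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/manage")
@ServletSecurity(
    // Default for every HTTP method NOT listed in httpMethodConstraints: deny.
    value = @HttpConstraint(EmptyRoleSemantic.DENY),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    }
)
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container enforces the constraint before this runs; this check is
        // defence in depth (e.g. if the servlet is later remapped without it).
        if (req.getUserPrincipal() == null || !req.isUserInRole("admin") || !req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Admin console for " + req.getUserPrincipal().getName());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp); // same checks apply before handling the management action
    }
}
```

When constraints are declared in web.xml instead of annotations, the Servlet 3.1 element <deny-uncovered-http-methods/> gives the same fail-closed behaviour for methods no <security-constraint> covers.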

3. @ServletSecurity attributes

Name                   Type                    Required  Description
---------------------  ----------------------  --------  ---------------------------------------------------------------
httpMethodConstraints  HttpMethodConstraint[]  Optional  HTTP method constraints that apply to the servlet.
value                  HttpConstraint          Optional  Constraint applied to every HTTP method not listed in httpMethodConstraints.


4. @HttpMethodConstraint attributes

Name                Type                                Required  Description
------------------  ----------------------------------  --------  ---------------------------------------------------------
value               String                              Required  Name of the HTTP method (for example "GET" or "POST").
emptyRoleSemantic   ServletSecurity.EmptyRoleSemantic   Optional  Authorization semantic applied when rolesAllowed is empty.
rolesAllowed        String[]                            Optional  Role names authorized to access the servlet.
transportGuarantee  ServletSecurity.TransportGuarantee  Optional  Data protection required on the connection (SSL/TLS).


5. @HttpConstraint attributes

Name                Type                                Required  Description
------------------  ----------------------------------  --------  ---------------------------------------------------------
rolesAllowed        String[]                            Optional  Role names authorized to access the servlet.
transportGuarantee  ServletSecurity.TransportGuarantee  Optional  Data protection required on the connection (SSL/TLS).
value               ServletSecurity.EmptyRoleSemantic   Optional  Authorization semantic applied when rolesAllowed is empty.


6. ServletSecurity.EmptyRoleSemantic enum

This enumeration defines the access semantic applied when no roles are listed, with two constants:

      • DENY: access is denied.
      • PERMIT: access is allowed.


7. ServletSecurity.TransportGuarantee enum

This enumeration specifies data protection for the transport with two constants:

      • CONFIDENTIAL: data must be encrypted (using SSL/TLS).
      • NONE: no encryption is required.

About the Author:

is a certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.



Comments

#3 Silvia, 2024-08-24 08:23
How do I use this to avoid direct access from URL?
Thank you

#2 ., 2020-01-02 23:08
ServletSecurity.EmptyRoleSemantic enum

#1 Lúcio José Beirão, 2017-11-27 18:36
Well documented and explained. Thank you very much for sharing this.