The @ServletSecurity annotation is used to specify security constraints on a Java servlet. The annotations @HttpMethodConstraint and @HttpConstraint are used within the @ServletSecurityannotation to define the security constraints.

These annotations provide an alternative mechanism for specifying security constraints declaratively by <security-constraint> elements in the web.xml file.

 

1. @ServletSecurity annotation syntax

The usage of @ServletSecurity annotation is as follows:

@ServletSecurity(
    httpMethodConstraints = <HttpMethodConstraint[]>,
    value = <HttpConstraint>
)

 The httpMethodConstraints attribute specifies one or more constraints for some specific HTTP methods, whereas the value attribute specifies a constraint that applies for all other HTTP methods which are not specified by the httpMethodConstraints attribute.

 

2. @ServletSecurity annotation examples

  • Specifying no security constraints for all HTTP methods:
    @WebServlet("/process")
    @ServletSecurity
    public class MyServlet extends HttpServlet {
    	// servlet code...
    }

     

  • Specifying that the connection requires encryption for all HTTP methods:
    @WebServlet("/process")
    @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
    public class MyServlet extends HttpServlet {
    	// servlet code...
    }

     

  • Denying access to all HTTP POST methods (all HTTP GET methods are allowed):
    @WebServlet("/process")
    @ServletSecurity(
    		httpMethodConstraints = @HttpMethodConstraint(value = "POST",
    												emptyRoleSemantic = EmptyRoleSemantic.DENY)
    )
    public class MyServlet extends HttpServlet {
    	// servlet code...
    }

     

  • Requiring that users must have membership in role “admin” (for all HTTP methods):
    @WebServlet("/manage")
    @ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
    public class AdminServlet extends HttpServlet {
    	// servlet code...
    }

     

  • Requiring that users must have membership in role “admin” for HTTP GET and POST methods. For POST method, encryption is required. For all other HTTP methods, no constraints:
@WebServlet("/manage")
@ServletSecurity(
 httpMethodConstraints = {
  @HttpMethodConstraint(value = "GET", rolesAllowed = "admin"),
  @HttpMethodConstraint(value = "POST", rolesAllowed = "admin", 
  						transportGuarantee = TransportGuarantee.CONFIDENTIAL),		 
 }
)
public class AdminServlet extends HttpServlet {
	// servlet code...
}

  

3. @ServletSecurity attributes

Name

Type

Required

Description

httpMethodConstraints

HttpMethodConstraint[]

Optional

Specifies HTTP method constraints which will apply for the servlet.

value

HttpConstraint

Optional

Specifies a constraint that applies to all HTTP methods that are not specified by the httpMethodConstraints.


4. @HttpMethodConstraint attributes

Name

Type

Required

Description

value

String

Required

Name of HTTP method.

emptyRoleSemantic

ServletSecurity.EmptyRoleSemantic

Optional

Specifies the default authorization semantic that applies for the servlet when no roles specified by the array rolesAllowed.

rolesAllowed

String[]

Optional

Specifies role names that are authorized to access the servlet.

transportGuarantee

ServletSecurity.TransportGurantee

Optional

Specifies type of data protection that applies for the connection (SSL/TLS).


5. @HttpConstraint attributes

Name

Type

Required

Description

rolesAllowed

String[]

Optional

Specify authorized role names.

transportGuarantee

ServletSecurity.TransportGurantee

Optional

Specifies type of data protection that applies for the connection (SSL/TLS).

value

ServletSecurity.EmptyRoleSemantic

Optional

Specifies the default authorization semantic when no roles specified by the array rolesAllowed.


6. ServletSecurity.EmptyRoleSemantic enum

This enumeration defines access semantic with two constants:

      • DENY: access is denied.
      • PERMIT: access is allowed.


7. ServletSecurity.TransportGurantee enum

This enumeration specifies data protection for the transport with two constants:

      • CONFIDENTIAL: data must be encrypted (using SSL/TLS).
      • NONE: no encryption is required.

 

Related Java Servlet Annotations:

 

Other Java Servlet Tutorials:


About the Author:

is certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.

Add comment

   


Comments 

#3Silvia2024-08-24 08:23
How do I use this to avoid direct access from url?
Thank you
Quote
#2.,2020-01-02 23:08
ServletSecurity.EmptyRoleSemantic enum
Quote
#1Lúcio José Beirão2017-11-27 18:36
Well documented and explained. Thank you very much for sharing this.
Quote