Java @ServletSecurity, @HttpMethodContraint and @HttpConstraint Annotations Examples
- Details
- Written by Nam Ha Minh
- Last Updated on 27 June 2019 | Print Email
The @ServletSecurity annotation is used to specify security constraints on a Java servlet. The annotations @HttpMethodConstraint and @HttpConstraint are used within the @ServletSecurityannotation to define the security constraints.
These annotations provide an alternative mechanism for specifying security constraints declaratively by <security-constraint> elements in the web.xml file.
1. @ServletSecurity annotation syntax
The usage of @ServletSecurity annotation is as follows:
@ServletSecurity(
httpMethodConstraints = <HttpMethodConstraint[]>,
value = <HttpConstraint>
)The httpMethodConstraints attribute specifies one or more constraints for some specific HTTP methods, whereas the value attribute specifies a constraint that applies for all other HTTP methods which are not specified by the httpMethodConstraints attribute.
2. @ServletSecurity annotation examples
- Specifying no security constraints for all HTTP methods:
@WebServlet("/process") @ServletSecurity public class MyServlet extends HttpServlet { // servlet code... } - Specifying that the connection requires encryption for all HTTP methods:
@WebServlet("/process") @ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL)) public class MyServlet extends HttpServlet { // servlet code... } - Denying access to all HTTP POST methods (all HTTP GET methods are allowed):
@WebServlet("/process") @ServletSecurity( httpMethodConstraints = @HttpMethodConstraint(value = "POST", emptyRoleSemantic = EmptyRoleSemantic.DENY) ) public class MyServlet extends HttpServlet { // servlet code... } - Requiring that users must have membership in role “admin” (for all HTTP methods):
@WebServlet("/manage") @ServletSecurity(@HttpConstraint(rolesAllowed = "admin")) public class AdminServlet extends HttpServlet { // servlet code... } - Requiring that users must have membership in role “admin” for HTTP GET and POST methods. For POST method, encryption is required. For all other HTTP methods, no constraints:
@WebServlet("/manage")
@ServletSecurity(
httpMethodConstraints = {
@HttpMethodConstraint(value = "GET", rolesAllowed = "admin"),
@HttpMethodConstraint(value = "POST", rolesAllowed = "admin",
transportGuarantee = TransportGuarantee.CONFIDENTIAL),
}
)
public class AdminServlet extends HttpServlet {
// servlet code...
}
3. @ServletSecurity attributes
Name | Type | Required | Description |
httpMethodConstraints | HttpMethodConstraint[] | Optional | Specifies HTTP method constraints which will apply for the servlet. |
value | HttpConstraint | Optional | Specifies a constraint that applies to all HTTP methods that are not specified by the httpMethodConstraints. |
4. @HttpMethodConstraint attributes
Name | Type | Required | Description |
value | String | Required | Name of HTTP method. |
emptyRoleSemantic | ServletSecurity.EmptyRoleSemantic | Optional | Specifies the default authorization semantic that applies for the servlet when no roles specified by the array rolesAllowed. |
rolesAllowed | String[] | Optional | Specifies role names that are authorized to access the servlet. |
transportGuarantee | ServletSecurity.TransportGurantee | Optional | Specifies type of data protection that applies for the connection (SSL/TLS). |
5. @HttpConstraint attributes
Name | Type | Required | Description |
rolesAllowed | String[] | Optional | Specify authorized role names. |
transportGuarantee | ServletSecurity.TransportGurantee | Optional | Specifies type of data protection that applies for the connection (SSL/TLS). |
value | ServletSecurity.EmptyRoleSemantic | Optional | Specifies the default authorization semantic when no roles specified by the array rolesAllowed. |
6. ServletSecurity.EmptyRoleSemantic enum
This enumeration defines access semantic with two constants:
- DENY: access is denied.
- PERMIT: access is allowed.
7. ServletSecurity.TransportGurantee enum
This enumeration specifies data protection for the transport with two constants:
- CONFIDENTIAL: data must be encrypted (using SSL/TLS).
- NONE: no encryption is required.
Related Java Servlet Annotations:
- @WebServlet annotation
- @WebFilter annotation
- @WebListener annotation
- @WebInitParam annotation
- @HandlesTypes annotation
- @MultipartConfig annotation
Other Java Servlet Tutorials:
- Java Servlet Quick Start for beginners (XML)
- Java Servlet for beginners (annotations)
- Java Servlet and JSP Hello World Tutorial with Eclipse, Maven and Apache Tomcat
- Handling HTML form data with Java Servlet
- Java File Download Servlet Example
About the Author:
Nam Ha Minh is certified Java programmer (SCJP and SCWCD). He began programming with Java back in the days of Java 1.4 and has been passionate about it ever since. You can connect with him on Facebook and watch his Java videos on YouTube.