Custom security

The following shows a more sophisticated example.

In order to provide custom authentication, application developers implement a custom HttpAuthenticationMechanism, especially the validateRequest() method. The class only has to be visible to the container as a CDI bean. The rest is done by the application container. This simplifies the security integration for developers.

The following shows a basic example, with pseudo code representing the actual authentication:

import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationException;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.*;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@ApplicationScoped
public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext httpMessageContext)
            throws AuthenticationException {

        // get the authentication information (pseudo code, e.g. from the HTTP headers)
        String name = request.get...
        String password = request.get...

        if (name != null && password != null) {
            // delegate the actual validation to the configured identity store(s)
            CredentialValidationResult result = identityStoreHandler
                    .validate(new UsernamePasswordCredential(name, password));
            return httpMessageContext.notifyContainerAboutLogin(result);
        }
        return httpMessageContext.doNothing();
    }
}

The validateRequest() implementation reads the user information contained in the HTTP request, for example from the HTTP headers. It delegates the validation to the identity store through the IdentityStoreHandler. The resulting CredentialValidationResult is then handed to the HTTP message context, which notifies the container about the login.

Depending on the requirements, a custom identity store implementation is required as well. It can provide custom authentication and authorization logic.

If decentralized security protocols, such as OAuth, are being used, a custom identity store implements the validation of the security access token.

The following shows a custom identity store:

import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

@ApplicationScoped
public class TestIdentityStore implements IdentityStore {

    public CredentialValidationResult validate(UsernamePasswordCredential usernamePasswordCredential) {
        // custom authentication or authorization (pseudo code)
        // if valid: username and roles are the values determined by that check
        return new CredentialValidationResult(username, roles);
        // or, in case of invalid credentials
        return CredentialValidationResult.INVALID_RESULT;
    }
}

The web.xml servlet deployment descriptor is used to specify the secure resources. The application container takes care of the integration:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected pages</web-resource-name>
        <url-pattern>/management</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin-role</role-name>
    </auth-constraint>
</security-constraint>
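The following is an added example, not code from the book or its sample project, that fills in the two pseudo code parts above as one working pair against the Java EE 8 Security API (javax.security.enterprise). It assumes a container that discovers CDI beans and the web.xml constraint shown above; the class names, the sample user "alice" and her salt are constructed, and the two classes are shown in one listing only for reading (each belongs in its own file). The mechanism reads the caller from the HTTP Basic Authorization header, splits at the first colon only, and answers missing and wrong credentials with the same 401 challenge; the store never keeps a plaintext password, compares a salted PBKDF2 hash in constant time, and pays the same hashing cost for unknown users so that timing does not reveal which accounts exist.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.AuthenticationStatus;
import javax.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.security.enterprise.identitystore.IdentityStoreHandler;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// --- BasicHeaderAuthenticationMechanism.java (hypothetical class name) ---
@ApplicationScoped
public class BasicHeaderAuthenticationMechanism implements HttpAuthenticationMechanism {

    @Inject
    IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext httpMessageContext) {
        UsernamePasswordCredential credential = parseBasicHeader(request.getHeader("Authorization"));
        if (credential != null) {
            CredentialValidationResult result = identityStoreHandler.validate(credential);
            credential.clear(); // wipe the password once the store has seen it
            if (result.getStatus() == CredentialValidationResult.Status.VALID) {
                return httpMessageContext.notifyContainerAboutLogin(result);
            }
        } else if (!httpMessageContext.isProtected()) {
            return httpMessageContext.doNothing(); // public resource, no caller established
        }
        // missing or wrong credentials on a protected resource: the same 401 challenge either way
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        return httpMessageContext.responseUnauthorized(); // sends 401, returns SEND_FAILURE
    }

    // Parses "Basic base64(user:password)"; returns null for a missing, foreign or malformed header.
    static UsernamePasswordCredential parseBasicHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String pair;
        try {
            pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
        int colon = pair.indexOf(':'); // split at the FIRST colon only: passwords may contain ':'
        if (colon <= 0) return null;   // empty user name or no separator
        return new UsernamePasswordCredential(pair.substring(0, colon), pair.substring(colon + 1));
    }
}

// --- HashedPasswordIdentityStore.java (hypothetical class name) ---
@ApplicationScoped
public class HashedPasswordIdentityStore implements IdentityStore {

    private static final int ITERATIONS = 100_000;
    private static final byte[] DUMMY_SALT = new byte[16];
    // Constructed sample records standing in for a database: caller -> salt, PBKDF2 hash, groups.
    private static final Map<String, byte[]> SALTS = new HashMap<>();
    private static final Map<String, byte[]> HASHES = new HashMap<>();
    private static final Map<String, Set<String>> GROUPS = new HashMap<>();
    static {
        byte[] salt = "constructed-random-salt".getBytes(StandardCharsets.UTF_8);
        SALTS.put("alice", salt);
        HASHES.put("alice", pbkdf2("correct horse battery staple", salt));
        GROUPS.put("alice", Collections.singleton("admin-role")); // the role named in web.xml
    }

    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT; // let another store handle it
        }
        UsernamePasswordCredential upc = (UsernamePasswordCredential) credential;
        byte[] expected = HASHES.get(upc.getCaller());
        // Unknown callers still pay the full hashing cost, so timing does not reveal which names exist.
        byte[] actual = pbkdf2(upc.getPasswordAsString(), SALTS.getOrDefault(upc.getCaller(), DUMMY_SALT));
        if (expected == null || !MessageDigest.isEqual(expected, actual)) {
            return CredentialValidationResult.INVALID_RESULT; // same answer for unknown user and bad password
        }
        return new CredentialValidationResult(upc.getCaller(), GROUPS.get(upc.getCaller()));
    }

    static byte[] pbkdf2(String password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e); // PBKDF2WithHmacSHA256 ships with every Java 8+ JRE
        }
    }
}
```

Overriding validate(Credential) directly, instead of only declaring validate(UsernamePasswordCredential), avoids relying on the interface's reflective dispatch and makes the NOT_VALIDATED_RESULT path explicit: a store that does not understand a credential type says so, and the IdentityStoreHandler moves on to the next store. With this store in place, a request carrying the header `Authorization: Basic YWxpY2U6Y29ycmVjdCBob3JzZSBiYXR0ZXJ5IHN0YXBsZQ==` (base64 of `alice:correct horse battery staple`) reaches /management with the admin-role group, and any other credentials receive a 401 with a WWW-Authenticate challenge.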

An HTTP authentication mechanism provides a straightforward, yet flexible, way to implement JASPIC security. Its implementation is simpler compared to a plain JASPIC approach.

It provides the possibility of intercepting communication flows and can integrate the application with third-party security providers.
