How to do it...

Follow these steps to complete this recipe:

  1. First, let's create a list of roles for our application:
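/**
 * Role names used by this application's security annotations.
 *
 * <p>Kept as compile-time {@code String} constants so they can be referenced from annotations
 * such as {@code @RolesAllowed} and {@code @RunAs}, and used as {@code case} labels in a
 * string {@code switch}.
 */
public final class Roles {

    /** Role that may invoke the administrative operation. */
    public static final String ADMIN = "admin";

    /** Role for ordinary application users. */
    public static final String USER = "user";

    /** Constant holder; never instantiated. */
    private Roles() {
    }
}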
  2. Now, we need to create the tasks: one that only the ADMIN role can perform, one that only the USER role can perform, one that everyone can do, and one that no one can do:
@Stateful
public class UserBean {

    /** Restricted by the container to callers holding the {@code admin} role. */
    @RolesAllowed({Roles.ADMIN})
    public void adminOperation() {
        report("adminOperation executed");
    }

    /** Restricted by the container to callers holding the {@code user} role. */
    @RolesAllowed({Roles.USER})
    public void userOperation() {
        report("userOperation executed");
    }

    /** Open to every caller. */
    @PermitAll
    public void everyoneCanDo() {
        report("everyoneCanDo executed");
    }

    /** Marked {@code @DenyAll}: the container rejects every caller before this body runs. */
    @DenyAll
    public void noneCanDo() {
        report("noneCanDo executed");
    }

    // Single output sink so each demo operation stays a one-liner.
    private static void report(String message) {
        System.out.println(message);
    }
}
  3. Now, we need to create an execution environment for each of the USER and ADMIN roles so that they can carry out their tasks:
@Named
@RunAs(Roles.USER)
public class UserExecutor implements RoleExecutable {

    /**
     * Executes {@code executable}; because of the {@code @RunAs(Roles.USER)} declaration above,
     * calls made from inside it are intended to carry the {@code user} role.
     *
     * <p>NOTE(review): {@code @RunAs} is specified for EJBs and servlets; confirm the container
     * honors it on this CDI-managed bean.
     *
     * @param executable the unit of work to run
     * @throws Exception whatever {@code executable.execute()} throws; nothing is caught here
     */
    @Override
    public void run(Executable executable) throws Exception {
        final Executable work = executable;
        work.execute();
    }
}
@Named
@RunAs(Roles.ADMIN)
public class AdminExecutor implements RoleExecutable {

    /**
     * Executes {@code executable}; because of the {@code @RunAs(Roles.ADMIN)} declaration above,
     * calls made from inside it are intended to carry the {@code admin} role.
     *
     * <p>NOTE(review): {@code @RunAs} is specified for EJBs and servlets; confirm the container
     * honors it on this CDI-managed bean.
     *
     * @param executable the unit of work to run
     * @throws Exception whatever {@code executable.execute()} throws; nothing is caught here
     */
    @Override
    public void run(Executable executable) throws Exception {
        final Executable work = executable;
        work.execute();
    }
}
  4. Then, we need to implement HttpAuthenticationMechanism:
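@ApplicationScoped
public class AuthenticationMechanism implements HttpAuthenticationMechanism {

    /**
     * Handles programmatic logins issued through {@code SecurityContext.authenticate(...)}.
     *
     * <p>The submitted credential must be a {@link CallerOnlyCredential}; its caller name is
     * matched against the two application roles and the caller is logged in with exactly that
     * one role. No password or other proof is verified here: the caller name alone decides the
     * outcome, which is only suitable for this demonstration.
     *
     * @param request the current request (not used)
     * @param response the current response (not used)
     * @param httpMessageContext gives access to the submitted credential and to the container
     *     callbacks used to report the result
     * @return the status returned by {@code notifyContainerAboutLogin} on success, or
     *     {@code doNothing()} when this is not an authentication request
     * @throws AuthenticationException if the caller name is missing or is not a known role
     * @throws IllegalStateException if the credential is not a {@code CallerOnlyCredential}
     */
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
            HttpServletResponse response, HttpMessageContext httpMessageContext)
            throws AuthenticationException {

        // Requests that did not come through SecurityContext.authenticate(...) are passed
        // through without being authenticated.
        if (!httpMessageContext.isAuthenticationRequest()) {
            return httpMessageContext.doNothing();
        }

        Credential credential = httpMessageContext.getAuthParameters().getCredential();
        if (!(credential instanceof CallerOnlyCredential)) {
            // Was a string literal broken across two lines in the listing; it must be one literal.
            throw new IllegalStateException("Invalid mechanism");
        }

        String caller = ((CallerOnlyCredential) credential).getCaller();
        if (caller == null) {
            throw new AuthenticationException();
        }

        // The caller name doubles as the single role granted; anything else is rejected.
        switch (caller) {
            case Roles.ADMIN:
                return httpMessageContext.notifyContainerAboutLogin(
                        caller, new HashSet<>(asList(Roles.ADMIN)));
            case Roles.USER:
                return httpMessageContext.notifyContainerAboutLogin(
                        caller, new HashSet<>(asList(Roles.USER)));
            default:
                throw new AuthenticationException();
        }
    }
}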
  5. Finally, we need to create a servlet for each role (USER and ADMIN):
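@DeclareRoles({Roles.ADMIN, Roles.USER})
@WebServlet(name = "/UserServlet", urlPatterns = {"/UserServlet"})
public class UserServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Inject
    private SecurityContext securityContext;

    @Inject
    private UserExecutor userExecutor;

    @Inject
    private UserBean userActivity;

    /**
     * Logs the request in as the {@code user} role and writes a summary of which
     * {@link UserBean} operations that role is allowed to invoke.
     *
     * <p>The login uses a {@link CallerOnlyCredential} carrying only the role name, so the
     * outcome is fixed by this servlet and not by anything the client sends. The two
     * role-restricted operations are attempted from inside {@code userExecutor}; the open and
     * the denied operation are attempted directly.
     *
     * @param request the incoming request; also used for {@code isUserInRole} checks
     * @param response receives the plain-text summary
     * @throws ServletException declared for the servlet contract; failures are caught and logged
     * @throws IOException declared for the servlet contract; failures are caught and logged
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            securityContext.authenticate(request, response,
                    withParams().credential(new CallerOnlyCredential(Roles.USER)));

            // The listing had unescaped quotes inside these literals; they must be escaped.
            write(response, "Role \"admin\" access: " + request.isUserInRole(Roles.ADMIN) + " ");
            write(response, "Role \"user\" access: " + request.isUserInRole(Roles.USER) + " ");

            // Both restricted operations run with the executor's @RunAs role in effect.
            userExecutor.run(() -> {
                attempt(response, "adminOperation", userActivity::adminOperation);
                attempt(response, "userOperation", userActivity::userOperation);
            });

            attempt(response, "everyoneCanDo", userActivity::everyoneCanDo);
            attempt(response, "noneCanDo", userActivity::noneCanDo);
        } catch (Exception ex) {
            // Servlet log keeps the stack trace; printing only getMessage() lost it.
            log("UserServlet request failed", ex);
        }
    }

    // Runs one bean operation and records whether the container let it through. An access
    // denial (or any other failure) is reported as "executed: false" instead of propagated,
    // which is the point of the demo.
    private static void attempt(HttpServletResponse response, String name, Runnable operation)
            throws IOException {
        boolean executed;
        try {
            operation.run();
            executed = true;
        } catch (Exception e) {
            executed = false;
        }
        write(response, name + " executed: " + executed + " ");
    }

    private static void write(HttpServletResponse response, String text) throws IOException {
        response.getWriter().write(text);
    }
}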
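@DeclareRoles({Roles.ADMIN, Roles.USER})
@WebServlet(name = "/AdminServlet", urlPatterns = {"/AdminServlet"})
public class AdminServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    @Inject
    private SecurityContext securityContext;

    @Inject
    private AdminExecutor adminExecutor;

    @Inject
    private UserBean userActivity;

    /**
     * Logs the request in as the {@code admin} role and writes a summary of which
     * {@link UserBean} operations that role is allowed to invoke.
     *
     * <p>The login uses a {@link CallerOnlyCredential} carrying only the role name, so the
     * outcome is fixed by this servlet and not by anything the client sends. The two
     * role-restricted operations are attempted from inside {@code adminExecutor}; the open and
     * the denied operation are attempted directly.
     *
     * @param request the incoming request; also used for {@code isUserInRole} checks
     * @param response receives the plain-text summary
     * @throws ServletException declared for the servlet contract; failures are caught and logged
     * @throws IOException declared for the servlet contract; failures are caught and logged
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            securityContext.authenticate(request, response,
                    withParams().credential(new CallerOnlyCredential(Roles.ADMIN)));

            // The listing had unescaped quotes inside these literals; they must be escaped.
            write(response, "Role \"admin\" access: " + request.isUserInRole(Roles.ADMIN) + " ");
            write(response, "Role \"user\" access: " + request.isUserInRole(Roles.USER) + " ");

            // Both restricted operations run with the executor's @RunAs role in effect.
            adminExecutor.run(() -> {
                attempt(response, "adminOperation", userActivity::adminOperation);
                attempt(response, "userOperation", userActivity::userOperation);
            });

            attempt(response, "everyoneCanDo", userActivity::everyoneCanDo);
            attempt(response, "noneCanDo", userActivity::noneCanDo);
        } catch (Exception ex) {
            // Servlet log keeps the stack trace; printing only getMessage() lost it.
            log("AdminServlet request failed", ex);
        }
    }

    // Runs one bean operation and records whether the container let it through. An access
    // denial (or any other failure) is reported as "executed: false" instead of propagated,
    // which is the point of the demo.
    private static void attempt(HttpServletResponse response, String name, Runnable operation)
            throws IOException {
        boolean executed;
        try {
            operation.run();
            executed = true;
        } catch (Exception e) {
            executed = false;
        }
        write(response, name + " executed: " + executed + " ");
    }

    private static void write(HttpServletResponse response, String text) throws IOException {
        response.getWriter().write(text);
    }
}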