
F0101

TOPIC TITLE: Handling Error and Security

SPECIFIC OBJECTIVES:

At the end of the topic session, the students are expected to:

Cognitive:
1. Identify the types of errors in a Web application.
2. Declare an HTTP error page and a Java exception error page using
the deployment descriptor.
3. Recognize the importance of Web security.
4. Differentiate authentication from authorization.
5. Explain how to configure authentication and authorization in the
deployment descriptor.

Affective:
1. Participate in group activities.
2. Be attentive to the teacher’s lectures and demonstrations.
3. Participate in class and group discussions.

Psychomotor:
1. Develop a Web application that demonstrates error handling and
security.

MATERIALS/EQUIPMENT:

o OHP
o Topic slides

TOPIC PREPARATION:

o Read about handling errors and security in a Web application.
o It is imperative for the instructor to incorporate various kinds of
teaching strategies while discussing the suggested topics. The
instructor may use the suggested learning activities below to
facilitate a thorough and creative discussion of the topic.
o Prepare the slides to be presented in class.

TOPIC PRESENTATION:

The topic will revolve around handling errors and security. Discussions
will include HTTP error codes, servlet exceptions, programmatic exception
handling, Web security, authentication and authorization.

This will be the suggested flow of discussion for Handling Errors and
Security.

1. Discuss the HTTP error codes.
2. Identify the ways to handle errors.
3. Explain the Servlet exceptions.
4. Discuss the HTTP error page.
5. Discuss the custom error page.
6. Explain the servlet exception error page.
7. Explain the programmatic exception handling.
8. Discuss Web security.
9. Explain what authentication is.
10. Discuss the types of authentication techniques.
11. Explain the BASIC authentication.
12. Explain the FORM-BASED authentication.
13. Discuss authorization.
14. Explain the declarative authorization.

Handling Error and Security * Property of STI
Page 1 of 11

HTTP Error Codes

An HTTP response sent from the Web server to the client includes a
status code, which tells the Web browser if the request was successful or
unsuccessful.

400 Bad Request
401 Unauthorized
404 Not Found
405 Method Not Allowed
415 Unsupported Media Type
500 Internal Server Error
501 Not Implemented
503 Service Unavailable
Table 1 - HTTP Error Codes

The table above shows the status codes in the 400-500 range. These
are used to indicate some error.

By default, the Web browser displays some message to the user. Often
this message is composed of HTML that is generated in the Web
browser. This means that the Web server did not send any HTML
message in the HTTP response. An example generic HTTP error page is
shown in the figure below.

Example Generic Error Page

[HTTP Error Codes, Pages 1-2 of 23]

Servlet Exceptions

In addition to HTTP errors, a Java technology Web application can
generate exceptions to indicate a problem with processing the HTTP
request.

    // Servlet imports
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    // DivideServlet is an assumed class name wrapping the lesson's doGet()
    public class DivideServlet extends HttpServlet {
        public void doGet(HttpServletRequest request,
                          HttpServletResponse response) throws ServletException
        {
            int x = 0, y = 0;
            try
            {
                int z = x / y;   // integer division by zero throws ArithmeticException
            }
            catch (ArithmeticException ae)
            {
                // wrap the root cause so the Web container can report it
                throw new ServletException(ae);
            }
        }
    }

A servlet can throw a ServletException to indicate to the Web
container that an exception has occurred. An example of a servlet that
throws an exception is shown in the code above. The
ArithmeticException is a “non-checked” exception and need not be
caught in a try-catch block. All non-checked exceptions thrown by the
service method are caught by the Web container, which issues a servlet
exception on behalf of the servlet itself. The Web container will catch
these exceptions and send an HTTP response with a 500 status code
and an HTML response containing the exception stack trace.

[Servlet Exceptions, Page 3 of 23]

Using Custom Error Pages

The generic error pages provided by the Web browser (for HTTP error
codes) and the Web container (for servlet exceptions) are often ugly and
not very informative to the end user.

There are two ways to activate an error page within a Web application.
These are:

• Declarative
• Programmatic

The declarative way makes use of the deployment descriptor to declare
error pages for specific situations such as HTTP errors or Java
technology exceptions, and lets the Web container handle the forwarding
to these pages.

The programmatic way handles the Java technology exceptions directly in
the servlet code and forwards the HTTP request to the error page of your
choice.

[Using Custom Error Pages, Page 4 of 23]

Declaring HTTP Error Pages

The error-page element in the deployment descriptor declares to the
Web container that if an HTTP response is being sent back with a
particular status code (for example, 404 “File Not Found”), then the HTML
of the response is specified by the error page of your choice.

Error pages exist as static HTML or as dynamic servlets. Just like
standard HTML pages, static error pages can be located anywhere in the
hierarchy of the Web application. Servlet-based error pages, however, can
be given a URL mapping.

The error-page element contains two sub-elements. These are:

 error-code
 location

The error-page element must include both sub-elements: error-code, the
HTTP numeric status code, and location, the URL of the custom
error page.

[Declaring HTTP Error Pages, Page 5 of 23]

Example Custom Error Page

    <error-page>
        <error-code>404</error-code>
        <location>/error/404.html</location>
    </error-page>

Whenever a 404 error code occurs in the Web application referred to by
the code above, the /error/404.html custom error page is sent in the
response. You can specify any number of error-page elements, but only
one for a specific HTTP status code.

[Example Custom Error Page, Page 6 of 23]

Declaring Servlet Exception Error Pages

The exception-type subelement is used to identify the fully qualified
exception class. It is declared only if you are going to handle
errors in your application. The number of declarations depends on the
number of exceptions that you want to handle in your Web application.

The location subelement points to the servlet that the Web
container invokes to respond to an error.

    <error-page>
        <exception-type>java.lang.NumberFormatException</exception-type>
        <location>/error/bad_number</location>
    </error-page>

The deployment descriptor can also be used to handle servlet exceptions.
Using the error-page element, the Web container can forward specific
exception types to the error page of your choice.

You can specify any number of error-page elements but only one for a
specific Java exception class. This is similar to the custom error page. Also,
you can use a superclass like java.lang.Exception to capture a
range of exceptions.

The code above tells the Web container to catch the exception and
forward the HTTP request to the /error/bad_number custom error page.
The /error/bad_number URL is mapped to a servlet class (the error page
servlet). Before the error page servlet is activated, the Web container
adds two request attributes:

1. javax.servlet.error.exception

This attribute holds the actual exception object thrown by the original
servlet. If the servlet threw a ServletException, then this
attribute is the original exception embedded in the
ServletException object. This original exception is also called
the root cause.

2. javax.servlet.error.request_uri

This attribute holds a String of the request URL of the servlet in which
the error occurred, which is the page or resource that the user had
originally requested.

These two request attributes are used to dynamically generate the HTML
response for the error page. Access to these attributes is handled by the
getAttribute() method.

[Declaring Servlet Exception Error Pages, Page 7 of 23]

Programmatic Exception Handling

The servlet contains code to catch all exceptions and handle them
directly.

To handle exceptions programmatically, all error-prone business logic is
wrapped in a try-catch block.

Declarative exception handling is powerful and easy to use but it might
not be applicable for some situations. Programmatic exception handling
is another technique. It only applies to Java technology exceptions
thrown by servlets. It is not appropriate for handling HTTP errors.

In programmatic exception handling, you write your servlet code to catch
all exceptions and handle them directly as opposed to letting the Web
container do this for you.

To handle exceptions programmatically, wrap all of your error-prone
business logic in a try-catch block.

Example:

    // ErrorProneServlet class
    // Servlet imports
    import javax.servlet.http.*;
    import javax.servlet.*;
    // Support classes
    import java.io.IOException;

    public final class ErrorProneServlet extends HttpServlet {

        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws IOException, ServletException {
            String string = null;

            try {
                // Attempt to access the first character
                // of a null String object
                string.charAt(0);

            // Catch exceptions and forward to the Exception
            // Handler servlet
            } catch (Exception e) {
                ServletContext context = getServletContext();
                // "ExceptionHandler" is the servlet-name declared in web.xml;
                // a named dispatcher needs no URL mapping for that servlet
                RequestDispatcher errorPage =
                    context.getNamedDispatcher("ExceptionHandler");
                // Pass the same attributes the container would set for a
                // declarative error page
                request.setAttribute("javax.servlet.error.exception", e);
                request.setAttribute("javax.servlet.error.request_uri",
                                     request.getRequestURI());
                errorPage.forward(request, response);
            }
        }
    }

    // ExceptionDisplay class
    // Servlet imports
    import javax.servlet.http.*;
    import javax.servlet.*;
    // Support classes
    import java.io.*;

    public final class ExceptionDisplay extends HttpServlet {

        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws IOException {

            response.setContentType("text/html");
            PrintWriter out = response.getWriter();

            // Root-cause exception and original URI, set either by the
            // container (declarative) or by ErrorProneServlet (programmatic)
            Throwable exception = (Throwable)
                request.getAttribute("javax.servlet.error.exception");
            String expTypeFullName = exception.getClass().getName();
            // Strip the package prefix, leaving the simple class name
            String expTypeName =
                expTypeFullName.substring(expTypeFullName.lastIndexOf(".") + 1);
            String request_uri = (String)
                request.getAttribute("javax.servlet.error.request_uri");

            out.println("<HTML>");
            out.println("<HEAD>");
            out.println("<TITLE>Servlet Exception</TITLE>");
            out.println("</HEAD>");
            out.println("<BODY BGCOLOR='white'>");
            out.println("<TABLE BORDER='0' CELLSPACING='0' CELLPADDING='0' WIDTH='600'>");
            out.println("<TR>");
            out.println(" <TD ALIGN='center' VALIGN='center'>");
            out.println(" </TD>");
            out.println(" <TD BGCOLOR='pink' ALIGN='center' VALIGN='center'>");
            out.print(" <FONT SIZE='5' COLOR='red'><B>");
            out.print(expTypeName);
            out.println("</B></FONT>");
            out.println(" </TD>");
            out.println("</TR>");
            out.println("<TR HEIGHT='15'><TD HEIGHT='15'><!-- vertical space --></TD></TR>");
            out.println("<TR>");
            out.println(" <TD></TD>");
            out.println(" <TD>");
            out.print(" <B>");
            out.print(exception.getMessage());
            out.println("</B><BR><BR>");
            out.println("This was the request URI: <BR>");
            out.println("<CODE>" + request_uri + "</CODE><BR><BR>");
            out.println("This is the complete stack trace of the exception:");
            out.println("<FONT SIZE='1'><PRE>");
            // The lesson shows the full trace in the browser for teaching
            // purposes; a deployed application should log it on the server
            // and show the user a generic message, since traces reveal
            // internal class names and paths.
            exception.printStackTrace(out);
            out.println("</PRE></FONT>");
            out.println(" </TD>");
            out.println("</TR>");
            out.println("</TABLE>");
            out.println("</BODY>");
            out.println("</HTML>");
        }
    }

In the catch clause, you can forward the request to the exception
handling error page using a RequestDispatcher object. The request
dispatcher object is retrieved from the servlet context using the
getNamedDispatcher() method. The string passed to the
getNamedDispatcher() method must be the name of the exception
handling servlet defined in the deployment descriptor. You can also pass
request attributes to the exception handling servlet.

The exception handling servlet must be declared or defined in the Web
application deployment descriptor. You do not need to specify a URL
mapping for exception handling servlets. Do not create a URL mapping
for the exception handler servlets. When you create a URL mapping, the
mapping is exposed to the users of the Web application. The user could
try to activate the exception handler servlet by entering the URL directly
into the Web browser. Creating a servlet definition without a URL
mapping for the exception handling servlet ensures that it will be hidden
from the user.

Note to the instructor: Code, compile and deploy the code above and
show the result to your students.

[Programmatic Exception Handling, Pages 8-13 of 23]
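The following deployment descriptor ties together the Example Custom Error Page, Declaring Servlet Exception Error Pages and Programmatic Exception Handling sections in one file. It is an added example, not the lesson's own configuration: it registers the page's ErrorProneServlet and ExceptionDisplay classes (assumed, as written on the page, to be in the default package), and the /demo/error-prone mapping, the BadNumberPage servlet name and the /error/500.html page are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml; class and path names are assumed, see lead-in -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Servlet whose doGet() catches its own exception and forwards to
       the handler by name (programmatic handling). Mapping is assumed. -->
  <servlet>
    <servlet-name>ErrorProne</servlet-name>
    <servlet-class>ErrorProneServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ErrorProne</servlet-name>
    <url-pattern>/demo/error-prone</url-pattern>
  </servlet-mapping>

  <!-- Handler reached only via getNamedDispatcher("ExceptionHandler").
       Deliberately has NO servlet-mapping, so no URL exposes it to users. -->
  <servlet>
    <servlet-name>ExceptionHandler</servlet-name>
    <servlet-class>ExceptionDisplay</servlet-class>
  </servlet>

  <!-- The same class registered a second time for DECLARATIVE handling:
       an error-page location is a URL, so this definition needs a mapping,
       and that URL is consequently reachable by users as well. -->
  <servlet>
    <servlet-name>BadNumberPage</servlet-name>
    <servlet-class>ExceptionDisplay</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>BadNumberPage</servlet-name>
    <url-pattern>/error/bad_number</url-pattern>
  </servlet-mapping>

  <!-- HTTP status code to static page: at most one error-page per code -->
  <error-page>
    <error-code>404</error-code>
    <location>/error/404.html</location>
  </error-page>
  <!-- Used for 500 responses that no exception-type entry below matches -->
  <error-page>
    <error-code>500</error-code>
    <location>/error/500.html</location>
  </error-page>

  <!-- Java exception class to servlet: at most one error-page per class.
       Before forwarding, the container sets the request attributes
       javax.servlet.error.exception (the root cause) and
       javax.servlet.error.request_uri (the page the user asked for). -->
  <error-page>
    <exception-type>java.lang.NumberFormatException</exception-type>
    <location>/error/bad_number</location>
  </error-page>

  <!-- Superclass catch-all for exceptions not matched more specifically -->
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/error/bad_number</location>
  </error-page>
</web-app>
```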


Web Security Issues

Security is critical to any Web application because the Web server is
exposed to the Internet directly. Malicious or benign users might try to
break into your Web server and access secure information or
applications. This could easily jeopardize your business data as well as
the identity and confidential information of your customers.

Web security is a challenging field. It is difficult to keep up-to-date on the
latest security measures and crackers/hackers are constantly finding
holes in existing security measures. It is impossible to have perfect
security but minimal security is much better than no security. The Servlet
specification does not describe all of the security measures.

[Web Security Issues, Page 14 of 23]

Authentication

Authentication is the process of verifying the user’s identity.
Authentication is a security measure that can be configured in the Web
container.

Authentication techniques:

 BASIC
 DIGEST
 FORM
 CLIENT-CERT

In BASIC authentication, the Web browser solicits the username and
password and sends the data to the Web server.

In DIGEST authentication, the Web browser solicits the username
and password and sends this data to the Web server hashed with an
algorithm such as MD5.

In FORM authentication, the Web application supplies an HTML form
that is sent to the Web browser.

In CLIENT-CERT authentication, the Web container uses Secure Sockets Layer
(SSL) to verify the user. The user must have an SSL certificate.

[Authentication, Page 15 of 23]

Declarative Authentication

Use the deployment descriptor to declare the Web application’s
authentication technique:

    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

The auth-method element can take any of the four authentication
techniques discussed earlier. CLIENT-CERT uses SSL and is the
most secure of the four techniques but requires the user to have an
X.509 certificate. The BASIC, DIGEST and FORM authentication methods
send the username and password data from the Web browser to the Web
container using either weak or no encryption.

[Declarative Authentication, Page 16 of 23]

BASIC Authentication

The BASIC authentication method uses the built-in HTTP BASIC
authentication protocol. When the Web container decides to authenticate
a user for a confidential request, the Web container sends an HTTP
challenge back to the Web browser. The Web browser then must prompt
the user for a username and password. When the user enters the
username and password, the Web browser sends this data back to the
Web container.

The Web container verifies the data against the vendor-specific security
realm. If the password is verified and the user is a member of the
required security role, then the Web container activates the original HTTP
request, which could be a static HTML page or the activation of a servlet.

[BASIC Authentication, Page 17 of 23]

Form-Based Authentication

The Servlet specification allows you to configure the Web application to
perform authentication using your own HTML pages. This
configuration is set in the login-config element.

The login form is a special HTML form. The Servlet specification
mandates that the ACTION attribute of the form must be the phrase
j_security_check. The username and password input fields must be
j_username and j_password respectively.

BASIC HTTP authentication is considered a brute force mechanism.
Often, you would want to create an HTML page that presents a more
elegant authentication entry form. When the user attempts to access a
restricted Web resource, the Web container sends the login form,
specified in the form-login-page element, back to the Web browser.

When the user fills in this form and selects the Submit button, the Web
container intercepts the j_security_check action and handles the
authentication. There is nothing that you need to code to make the
j_security_check action work. The Web container implements the servlet
that executes when the j_security_check action is received.

[Form-Based Authentication, Page 18 of 23]

Authorization

Authorization is the process of partitioning Web resources based on user
roles. It is a security measure that can be configured in the Web
container.

The mapping between a Web resource collection (a related set of Web
pages and servlets) and a given user role is called a security domain.

Authentication and authorization are usually used together. Authorization
verifies that the user belongs to the specified security role for the requested
Web resource.

[Authorization, Page 19 of 23]

Declarative Authorization

To implement declarative authorization you must perform the following:

1. Identify the Web resource collections
2. Identify the roles
3. Map the Web resource collection to the roles
4. Identify the users in each of those roles

The details for each will be discussed in the succeeding slides.

[Declarative Authorization, Page 20 of 23]

Web Resource Collection

A Web resource collection is a group of Web pages and servlet Uniform
Resource Identifiers (URIs). Usually, a Web resource collection has a
common theme such as administration, distinct business uses, preferred
customers, and so on.

A Web resource collection is configured in the deployment descriptor.
The web-resource-collection element includes two subelements: url-pattern
and http-method. The url-pattern element specifies a URL that is
relative to the Web application context root. The url-pattern element can
be a specific resource or a pattern that handles multiple resources. The *
character is a wildcard in the URL pattern which will match any static
page, servlet mapping and subdirectories under the given Web resource.
You can specify any number of url-pattern elements in a Web resource
collection configuration.

The http-method element specifies the HTTP method for the requests
that must be authorized by the Web container for the given Web resource
collection. You can specify any number of http-method elements in a
Web resource collection configuration. It is a good programming practice
to include both POST and GET HTTP methods.

[Web Resource Collection, Page 21 of 23]

Declaring Security Roles

The next step is to configure the security roles of users that are
authorized to access the Web resource collection. Security roles are
configured using the security-constraint element. The web-resource-collection
element is embedded in the security-constraint element. Each
security role must be declared in a security-role element in the
deployment descriptor.

An auth-constraint element is included in the security constraint. It has a
subelement named role-name.

[Declaring Security Roles, Page 22 of 23]
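The Declarative Authentication, Form-Based Authentication, Web Resource Collection and Declaring Security Roles sections describe the descriptor elements one at a time; the fragment below combines them into the four steps of declarative authorization. It is an added example, not the lesson's own configuration: the /admin/* and /account/* patterns, the admin and customer role names and the login page locations are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml, placed inside <web-app>.
     Paths, role names and page names are assumed, see lead-in. -->

<!-- Steps 1 and 3: a Web resource collection mapped to a role -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <!-- * matches every static page, servlet mapping and subdirectory
         under /admin -->
    <url-pattern>/admin/*</url-pattern>
    <!-- Only the methods listed here are constrained (GET and POST, as
         the text advises); requests using any other method fall outside
         this constraint. Omitting http-method altogether constrains
         every method, which is the safer choice when in doubt. -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <!-- BASIC, DIGEST and FORM send the password with weak or no
       encryption, so require SSL for this collection. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- A second collection (preferred customers) with no http-method,
     so every HTTP method is constrained -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Customer area</web-resource-name>
    <url-pattern>/account/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>customer</role-name>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Form-based login: the container serves /login.html, whose form must
     submit j_username and j_password to the action j_security_check.
     The login and error pages themselves must not lie inside a
     constrained collection, or nobody could reach them. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.html</form-login-page>
    <form-error-page>/login-failed.html</form-error-page>
  </form-login-config>
</login-config>

<!-- Step 2: every role named in an auth-constraint must be declared -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>customer</role-name>
</security-role>

<!-- Step 4: which users hold these roles is defined in the security
     realm (for example Tomcat's MemoryRealm or JDBCRealm), not here. -->
```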


Security Realms

A security realm is a software component for matching users to roles.

 Flat-file (MemoryRealm class in the Tomcat server)
 Database tables (JDBCRealm class in the Tomcat server)
 Lightweight Directory Access Protocol
 Network Information System

The security realm also verifies the user’s password. Every Web
container must include a security realm. Security realms are used for
both authentication and authorization. This security realm is configured in
the server.xml located in the installation directory of the Web server.

[Security Realms, Page 23 of 23]

EVALUATION:

o Ask the students to perform the laboratory exercise for this topic.

REFERENCES:

o Cadenhead, Rogers and Lemay, Laura, Sams Teach Yourself Java™ 2 in 21 Days (4th ed.)
o van der Linden, Peter, Just Java™ 2 (6th ed.)
o The Java Tutorial, an excellent collection of on-line tutorials from Sun
Microsystems (http://java.sun.com/docs/books/tutorial/)
o Schildt, Herbert, Java 2: The Complete Reference (5th ed.)
