Chapter 8 Examples from Java Servlet Programming, 2nd Ed
- 8-1 to 8-3: Are you sure you have permissions to read this example?
- 8-4: Snooping the authentication information
- 8-5 to 8-7: Configuring form-based authentication
- 8-8: Security in a servlet
- 8-9 to 8-11: Form-based custom authorization
- 8-13: Examining client certificates
- Example 8.1 to 8.3: Are you sure you have permissions to read this example?
  - This servlet is protected by BASIC authentication as shown in
    web.xml and tomcat-users.xml. To see the salary information you'll
    need to log in as a "manager" using names and passwords
- Example 8.4: Snooping the authentication information
  - This servlet tells the client its name, its principal, the kind
    of authentication performed (BASIC, DIGEST, FORM, CLIENT-CERT),
    and whether the user is a manager. You'll need to log in, but you
    probably did that above.
- Example 8.5 to 8.7: Configuring form-based authentication
  - This servlet is protected by form-based authentication as shown
    in web.xml and tomcat-users.xml. To see the salary information
    you'll need to log in again as a "manager" (since it's
    a different method of authentication).
- Example 8.8: Security in a servlet
  - This servlet performs custom authorization, receiving an Authorization
    header and sending the SC_UNAUTHORIZED status code and WWW-Authenticate
    header when necessary. The servlet restricts access to its “top-secret
    stuff” to those users (and passwords) it recognizes in its user
- Example 8.9 to 8.11: Form-based custom authorization
  - These servlets and HTML pages together demonstrate form-based
    custom authorization. The login page asks the user for their name
    and password, the LoginHandler servlet checks if the login is
    valid, and the ProtectedResource servlet verifies that everyone
    accessing it has first gone through the login process. In this
    example LoginManager naively trusts any username/password pair.
- Example 8.13: Examining client certificates
  - This servlet prints the client's X.509 certificate chain, if available.
    In this example, since we're not using SSL, it won't be available.