Research and Development on EE Security API (JSR 375)

- 01-security-api-embedded - Get Security API code up and running embedded within a WAR. Each request to this application runs the Security API code. Watch the log file to verify it's working. Nothing is actually protected.
- 02-security-api-goodneighbor - When the Security API is being used by a WAR, will it protect only the WAR it's in or every WAR deployed to the server?
- 02-security-api-helloworld - This is a test application to be used with 02-security-api-goodneighbor. Watch the log files of this application and you'll see that no Security API code is executed when this application is used.
- 03-security-api-principal - Can a Principal object be generated from `HttpServletRequest`? No roles, just a Principal with a given name?
- 04-security-api-isuserinrole-webxml - Can a Principal object be generated from `HttpServletRequest`? Both name and roles come from `HttpServletRequest`. The roles for the application are in `web.xml`.
- 04-security-api-isuserinrole-glassfishwebxml - Can a `Principal` object be generated from `HttpServletRequest`? Both name and identity-management groups come from `HttpServletRequest`. The application uses application-specific roles in `web.xml`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 05-security-api-isuserinrole-declareroles - Can a Principal object be generated from `HttpServletRequest`? Both name and roles come from `HttpServletRequest`. The roles for the application are in `@DeclareRoles`. No roles are in `web.xml`.
- 05-security-api-isuserinrole-glassfishwebxml - Can a `Principal` object be generated from `HttpServletRequest`? Both name and identity-management groups come from `HttpServletRequest`. The application uses application-specific roles in `@DeclareRoles` - no roles are in `web.xml`! The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 06-security-api-sessionid - Can JSESSIONID be created on the 1st request and then remain constant?
- 07-security-api-multiplerequests - If request 'A' sets the principal, can I make requests 'B', 'C', and 'D' and maintain that principal across the requests?
- 08-security-api-servlet-protected-annotations - Can there be a protected servlet that is accessible only by a certain application-specific role? The servlet is protected by `@ServletSecurity`. The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`. `web.xml` is essentially empty.
- 08-security-api-servlet-protected-webxml - Can there be a protected servlet that is accessible only by a certain application-specific role? The servlet is protected in `web.xml`. The application uses application-specific roles in `web.xml`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 09-security-api-jsp-protected-annotations - Can there be a protected JSP that is accessible only by a certain application-specific role? The JSP is protected in `web.xml`. The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 09-security-api-jsp-protected-webxml - Can there be a protected JSP that is accessible only by a certain application-specific role? The JSP is protected in `web.xml`. The application uses application-specific roles in `web.xml`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 10-security-api-unprotected-to-protected - If the application has a public servlet that attempts to forward to either a protected servlet or JSP, will the forward request be denied?
- 11-security-api-get-cdi-bean-identitystorehandler - When I get to the important code (the code I write to create the Principal and groups) can I use CDI to get an instance of some object which will help me get the principal and group information?
- 12-security-api-ejb-integration - If I have an EJB which is protected by `@RolesAllowed`, will an EJB method call fail if I don't have that role? Will an EJB method call succeed if I do have that role?
- 13-security-api-wrapping-request-doesnt-work - Does proxying the `HttpServletRequest` with a `@WebFilter` work just as well?
- 14-security-api-jsf-page-protected-webxml - Can there be a protected JSF page that is accessible only by a certain application-specific role? The JSF page is protected by `<security-constraint>` in `web.xml`. The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 15-security-api-jsf-managedbean-protected-webxml - If my JSF page tries to call a method on a managed bean which it should not have access to, will the method call fail? The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 16-security-api-jsf-ajax-protected-webxml - Can there be a protected JSF AJAX call that is accessible only by a certain application-specific role? The JSF AJAX call is protected by `<security-constraint>` in `web.xml`. The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 17-security-api-jaxrs-protected-ejb-annotations - Can there be a protected JAX-RS client call that is accessible only by a certain application-specific role? The JAX-RS client is protected by `@RolesAllowed` (without the use of proprietary Jersey code). The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 17-security-api-jaxrs-protected-jersey-annotations - Can there be a protected JAX-RS client call that is accessible only by a certain application-specific role? The JAX-RS client is protected by `@RolesAllowed` (without the use of standard EJBs). The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 17-security-api-jaxrs-protected-webxml - Can there be a protected JAX-RS client call that is accessible only by a certain application-specific role? The JAX-RS client is protected by `<security-constraint>` in `web.xml` (without the use of standard EJBs or proprietary Jersey code). The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
- 18-security-api-contexts-in-each-major-technology - How do you get the Principal from each major technology?
  - JSP
  - Servlet
  - EJB
  - JSF
  - JAX-RS
  - Test URL: http://localhost:8080/18-security-api-contexts-in-each-major-technology
- 20-security-api-customprincipal-web - Can I create my own custom `TestPrincipal` object? The idea is that the custom `TestPrincipal` object can contain more information about the user who's logged in than a normal `Principal` object. In addition, can the `TestPrincipal#toString()` method be overridden to return a JSON representation of the principal data? This way, as features are developed, code doesn't need to typecast and be coupled to the `TestPrincipal` object. Instead, features can use the JSON representation to build their own object to use internally.
- 21-security-api-identitystorehandler - Can I create my own `IdentityStore`, `Credential`, and `Principal` and have `IdentityStoreHandler` validate the request?
- 22-security-api-multiple-identitystore - Can I create multiple `IdentityStore` implementations with one implementation responsible for authenticating the user and the other implementations responsible for getting the roles for the user? The application uses application-specific roles in `@DeclareRoles`. The identity-management groups are mapped to application-specific roles in `glassfish-web.xml`.
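
The split that project 22 asks about can be expressed with `IdentityStore#validationTypes()`. The sketch below is an added example, not code from this repository; the class names `AuthOnlyStore` and `GroupsOnlyStore`, the account `alice` and the group `idm-staff` are constructed for illustration, and the `javax.security.enterprise` namespace of JSR 375 is assumed.

```java
import static java.util.Collections.singleton;
import static javax.security.enterprise.identitystore.CredentialValidationResult.INVALID_RESULT;
import static javax.security.enterprise.identitystore.CredentialValidationResult.NOT_VALIDATED_RESULT;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.PROVIDE_GROUPS;
import static javax.security.enterprise.identitystore.IdentityStore.ValidationType.VALIDATE;

import java.util.*;
import javax.enterprise.context.ApplicationScoped;
import javax.security.enterprise.credential.Credential;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;

// Hypothetical store that only authenticates; it contributes no groups.
@ApplicationScoped
class AuthOnlyStore implements IdentityStore {
    @Override
    public CredentialValidationResult validate(Credential credential) {
        if (!(credential instanceof UsernamePasswordCredential)) {
            return NOT_VALIDATED_RESULT;   // unsupported type: let another store try
        }
        UsernamePasswordCredential c = (UsernamePasswordCredential) credential;
        // Constructed sample account; a real store compares against a salted hash.
        return c.compareTo("alice", "constructed-sample-pw")
                ? new CredentialValidationResult(c.getCaller())
                : INVALID_RESULT;
    }
    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(VALIDATE);       // never asked for groups
    }
}

// Hypothetical store that only supplies groups for an already validated caller.
@ApplicationScoped
class GroupsOnlyStore implements IdentityStore {
    // Constructed sample data: caller name -> identity-management groups.
    private final Map<String, Set<String>> groups = new HashMap<>();
    GroupsOnlyStore() { groups.put("alice", singleton("idm-staff")); }

    @Override
    public Set<String> getCallerGroups(CredentialValidationResult result) {
        String caller = result.getCallerPrincipal().getName();
        return groups.getOrDefault(caller, Collections.emptySet()); // unknown caller: no groups
    }
    @Override
    public Set<ValidationType> validationTypes() {
        return EnumSet.of(PROVIDE_GROUPS); // never asked to authenticate
    }
}
```

With the default `IdentityStoreHandler`, a `PROVIDE_GROUPS`-only store is consulted only after a `VALIDATE` store has returned a valid result, so `GroupsOnlyStore` never grants groups to an unauthenticated caller. The returned groups still have to be mapped to application roles, which the projects above do in `glassfish-web.xml`.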
Enjoy!