Learn how to secure a web application.
You will learn how to secure a web application by performing authentication and authorization.
Authentication confirms the identity of the user. The most common type of authentication is user name and password, through basic authentication or form authentication. Both basic authentication and form authentication do not protect login credentials through the HTTP response. However, form authentication is slightly more secure because a log out functionality can be implemented and there is also an automatic log out after a certain amount of time of inactivity.
This application demonstrates both methods of authentication. You will be setting up a basic user registry with test variables. Authorization determines whether a user has access to a specific role within the system. This application specifies two roles: Administrator and User.
The application itself allows users and admins to access servlets. Administrators have access to both servlets, the HelloServlet and the AdminServlet. Whereas the user will only have access to the HelloServlet.
The fastest way to work through this guide is to clone the Git repository and use the projects that are provided inside:
git clone https://github.com/openliberty/guide-microprofile-security.git cd guide-microprofile-security
The start directory contains the starting project that you will build upon.
The finish directory contains the finished project, which is what you will build.
Try what you’ll build
The finish directory in the root of this guide contains the finished security application with form authentication. Feel free to give it a try before you proceed.
To try out the application, first navigate to the finish directory and then run the following Maven goals to build the application and run it inside Open Liberty:
mvn install liberty:start-server
Next, point your browser to:
The application can be accessed under two different roles:
| Username | Password | Role |
|---|---|---|
bob |
bobpwd |
admin |
alice |
alicepwd |
user |
You can try out the authentication of the application by clicking the first link and signing in with either credentials from the Basic Registry and you can try the authorization by clicking the second link and signing in as Bob to view the AdminServlet. When you sign in as Alice, you will not have access to the AdminServlet.
In order to sign in as different users, you must close the browser and re-open it at the same link.
Once you are done checking out the application, stop the Open Liberty server:
mvn liberty:stop-server
Navigate to the start directory to begin.
The user registry is set up to define users and group information. To do this, you need to add the following Basic Registry into the server.xml file:
link:finish/src/main/liberty/config/server.xml[role=include]Now that you’ve defined users and groups in the basic user registry for authentication. The names for the users and groups must be unique. In this application, there is a group called "admin" and another group called "user".
As you can see, the password is encoded here with Liberty’s securityUtility command. Here, the application uses the xor encoding. There are two other supported encodings are well: hash and aes that can be used.
Authorization determines whether a user has access to a certain role within the system.
This can be achieved with the annotation @ServletSecurity. Create the HelloServlet class in the src/main/java/io/openliberty/guides/hello/HelloServlet.java file:
link:finish/src/main/java/io/openliberty/guides/hello/HelloServlet.java[role=include]The roles "admin" and "user" are identical to the group names in the basic registry. They must be exactly the same for the mapping to work. They are declared under rolesAllowed so that the Hello Servlet can only be accessed by those two user groups.
The same @ServletSecurity annotation is applied, except only "admin" roles are allowed. AdminServlet is a servlet that displays the message Hello Admin! How are you today? when accessed.
link:finish/src/main/java/io/openliberty/guides/hello/AdminServlet.java[role=include]This specifies that even if a "user" such as Alice is signed in, they will not be able to access the Admin Servlet.
Next, authentication is implemented in order to confirm the identity of the user. This application currently uses Basic Authentication. Basic Authentication is a simple method to authenticate a user with a username and password. The request is sent with an Authorization header that contains the word Basic followed by a base64-encoded string in the format username:password.
Open the HelloServlet class in the src/main/java/io/openliberty/guides/hello/HelloServlet.java file. Notice the @BasicAuthenticationMechanismDefinition annotation in the class. The realm name is specified in the annotation as webRealm.
ADD CODE HERE (hard coded since the finish folder will have form)
At this point, your application is secured using basic authentication. You can try running this now using the instructions from Try What You’ll Build in the start directory.
The next type of authentication that will be implemented is Form Authentication. Form Authentication is an authentication mechanism where the user is able to fill in their login credentials using a form that the developer is able to edit.
It is more secure than Basic Authentication because logout functionality can be implemented and the user will be logged out automatically after a certain amount of time.
Remove the @BasicAuthenticationMechanismDefinition and replace it with @FormAuthenticationMechanismDefinition.
link:finish/src/main/java/io/openliberty/guides/hello/HelloServlet.java[role=include]The LoginToContinue annotation allows the application to add specific login functionality to the AuthenticationMechanism. The elements in this annotation are the errorPage and the loginPage. These are resources that the caller will see depending on if they provide the correct credentials.
To see the new application in action, run the Maven liberty:start-server command from the start directory:
$ mvn liberty:start-server