
Declaring Security Requirements



deployment information. When the full attribute is set to true, the deployment descriptor ignores any servlet annotations present in the class files of the application. Thus, deployers can use deployment descriptors to customize or override the values specified in annotations.
Many elements for security in a web application deployment descriptor cannot, as yet, be specified as annotations; therefore, deployment descriptors are a necessity for securing web applications. However, where possible, annotations are the recommended method for securing web components.
The following sections discuss the use of annotations and deployment descriptor elements to
secure web applications:
"Declaring Security Requirements Using Annotations" on page 849
"Declaring Security Requirements in a Deployment Descriptor" on page 851
Declaring Security Requirements Using Annotations
The Java Metadata Specification (JSR-175), which is part of J2SE 5.0 and greater, provides a means of specifying configuration data in Java code. Metadata in Java code is more commonly referred to in this document as annotations. In Java EE, annotations are used to declare dependencies on external resources and configuration data in Java code without the need to define that data in a configuration file. Several common annotations are used to specify security in any Java application. These common annotations are specified in JSR-175, A Metadata Facility for the Java Programming Language (http://www.jcp.org/en/jsr/detail?id=175), and JSR-250, Common Annotations for the Java Platform (http://www.jcp.org/en/jsr/detail?id=250). Annotations specific to web components are specified in the Java Servlet 2.5 Specification (http://www.jcp.org/en/jsr/detail?id=154).
In servlets, you can use the annotations discussed in the following sections to secure a web
application:
"Using the @DeclareRoles Annotation" on page 849
"Using the @RunAs Annotation" on page 850
Using the @DeclareRoles Annotation
This annotation is used to define the security roles that comprise the security model of the
application. This annotation is specified on a class, and it typically would be used to define roles
that could be tested (for example, by calling isUserInRole) from within the methods of the
annotated class.
Following is an example of how this annotation would be used. In this example, BusinessAdmin
is the only security role specified, but the value of this parameter can include a list of security
roles specified by the application.
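As an added illustration (not the tutorial's own listing), the servlet below declares the BusinessAdmin role with @DeclareRoles and then tests that role from within its doGet method by calling isUserInRole. The servlet class name and the callerIsBusinessAdmin helper are assumptions for this example; the role is only enforced here programmatically, so the servlet's URL pattern still needs a security-constraint in the deployment descriptor if the container is to refuse the request before the method runs.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declares BusinessAdmin as a security role of this application. The value can
// also be a list, for example @DeclareRoles({"BusinessAdmin", "Employee"}).
@DeclareRoles("BusinessAdmin")
public class AdminReportServlet extends HttpServlet {   // hypothetical servlet name

    // Hypothetical helper: true only when the request is authenticated and the
    // container maps the caller to the declared BusinessAdmin role. For an
    // unauthenticated request getUserPrincipal() is null and isUserInRole()
    // returns false, so the check fails closed.
    static boolean callerIsBusinessAdmin(HttpServletRequest request) {
        return request.getUserPrincipal() != null
                && request.isUserInRole("BusinessAdmin");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!callerIsBusinessAdmin(request)) {
            // Programmatic check inside the method: reject callers who are not
            // in the role declared on the class.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Report for " + request.getUserPrincipal().getName()
                + " (role BusinessAdmin)");
    }
}
```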
Defining Security Requirements for Web Applications
Chapter 30 · Securing Web Applications
849