3

Is there any possibility to obtain the list of constraints from web.xml?

```xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>admin</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
```

Even better, is there a programmatic way to add new constraints?

Thanks, Victor

victor
  • Maybe relevant: https://blogs.oracle.com/swchan/entry/follow_up_on_servlet_3 and this: https://weblogs.java.net/blog/kumarjayanti/archive/2009/12/24/using-servletsecurity-annotation-javaee-6 – Sotirios Delimanolis May 24 '13 at 13:56

2 Answers

3

If you have a ServletContainerInitializer, in its onStartup() method, you would basically do what your container does when it parses your web.xml. For example:

```java
@Override
public void onStartup(Set<Class<?>> classes, ServletContext ctx) throws ServletException {
    ServletRegistration.Dynamic servlet = ctx.addServlet("myServlet", "com.package.myServlet"); // loop through classes set to find all your servlets
    HttpConstraintElement constraint = new HttpConstraintElement(); // many constructors with options
    ServletSecurityElement securityElement = new ServletSecurityElement(constraint); // many different constructors
    servlet.setServletSecurity(securityElement);
}
```

There are a lot of options in the constructors I've commented for all sorts of configurations, even through the servlet 3.0 security annotations. I'll let you discover them all.

As for adding new constraints after initialization, the javadoc for setServletSecurity() says:

```java
 * @throws IllegalStateException if the {@link ServletContext} from
 * which this <code>ServletRegistration</code> was obtained has
 * already been initialized
```

I couldn't find anything for obtaining a list of constraints through the ServletContext interface, but you can always parse the web.xml yourself.

Sotirios Delimanolis
  • I wouldn't want to go with a solution which requires straying away too much from the std, but the `ServletContainerInitializer` sounds good. I've seen here ( http://piotrnowicki.com/2011/03/using-servlets-3-0-servletcontainerinitializer/ ) that I can even embed it in my web app. Good solution, I will try it on to see if it fits :) – victor May 24 '13 at 14:35
  • @victor Your container will first check your `META-INF/services` for a file containing the full class name of your class that implements [ServletContainerInitializer](http://docs.oracle.com/javaee/6/api/javax/servlet/ServletContainerInitializer.html). You're not limited to just that. You can also have, in parallel, your web.xml configuration. – Sotirios Delimanolis May 24 '13 at 14:41
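
The "parse the web.xml yourself" route from the answer above, as an added example that is not code from the answer or from the Servlet API. The class name `WebXmlConstraints` and the output format are assumptions, and the `javax.servlet` package is assumed (Servlet 3.0 era). It reads only `/WEB-INF/web.xml`, so constraints coming from `web-fragment.xml`, `@ServletSecurity` annotations or `setServletSecurity()` calls are not listed.

```java
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletContext;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example (hypothetical class name): lists <security-constraint> entries of /WEB-INF/web.xml.
public final class WebXmlConstraints {

    public static List<String> list(ServletContext ctx) throws Exception {
        try (InputStream in = ctx.getResourceAsStream("/WEB-INF/web.xml")) {
            return in == null ? new ArrayList<String>() : parse(in); // null: no descriptor packaged
        }
    }

    static List<String> parse(InputStream in) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Harden the parser against XXE. Servlet 2.4+ descriptors use an XSD, so
        // rejecting DOCTYPE only breaks pre-2.4 (DTD-based) web.xml files.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList found = f.newDocumentBuilder().parse(in)
                .getElementsByTagNameNS("*", "security-constraint");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < found.getLength(); i++) {
            Element c = (Element) found.item(i);
            // No <auth-constraint>: open to everyone. Empty <auth-constraint>: denied to everyone.
            boolean hasAuth = c.getElementsByTagNameNS("*", "auth-constraint").getLength() > 0;
            out.add("patterns=" + texts(c, "url-pattern")
                    + " methods=" + texts(c, "http-method")
                    + " roles=" + (hasAuth ? texts(c, "role-name").toString() : "<no auth-constraint>")
                    + " transport=" + texts(c, "transport-guarantee"));
        }
        return out;
    }

    private static List<String> texts(Element parent, String tag) {
        List<String> values = new ArrayList<>();
        NodeList nodes = parent.getElementsByTagNameNS("*", tag);
        for (int i = 0; i < nodes.getLength(); i++) {
            values.add(nodes.item(i).getTextContent().trim());
        }
        return values;
    }
}
```

An empty `methods` list means the constraint applies to every HTTP method, and an empty `transport` list means no transport guarantee was declared.
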
0

As per Servlet 3.0 on Annotations and Deployment descriptors there is no mention of adding new security-constraints programmatically. So, I doubt if you can add security constraints programmatically.

Vikas V