
In my current web application I am trying to get rid of web.xml, and I have not been able to properly set up the security constraint that forces all requests to the application to use HTTPS.

<security-constraint>
  <web-resource-collection>
     <web-resource-name>all</web-resource-name>
     <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

How can I turn the above web.xml configuration snippet into servlet 3.x configuration code that does the same thing?

UPDATE

I want the constraint to apply to every servlet, filter, and static resource in the application. The examples I have seen online so far show how to attach a security constraint to a servlet, but I want the security constraint attached to the web app. In the XML snippet above you can see that it does not reference any specific servlet.

ams
  • We are migrating our Spring XML based configuration to class based configuration. I am also looking for equivalent java configuration for the above xml configuration (web.xml). If you have already, please share. – Ram Dec 17 '19 at 13:54

3 Answers


I believe you are looking for the @ServletSecurity annotation

import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@WebServlet(urlPatterns = "/*")
@ServletSecurity(value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class SomeServlet extends HttpServlet { ... }

Or with ServletRegistration in a ServletContainerInitializer (or anywhere you have access to a ServletContext)

import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;

ServletRegistration.Dynamic dynamic = context.addServlet("someServlet", SomeServlet.class);
dynamic.addMapping("/*");
HttpConstraintElement httpConstraintElement = new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL);
ServletSecurityElement servletSecurityElement = new ServletSecurityElement(httpConstraintElement);
dynamic.setServletSecurity(servletSecurityElement);
Sotirios Delimanolis

I was able to do this for a project by configuring the glassfish domain security:

  1. Create a new security domain, in this example call it: FooRealm
  2. Add users w (or w/o) passwords to FooRealm
  3. Add each user to "GroupFoo"

That covers your glassfish config, here is your web.xml:

<security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Everything</web-resource-name>
        <description>Everything</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>UserAuthenticationConstraint</description>
        <role-name>GroupFoo</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>FooRealm</realm-name>
    <form-login-config>
        <form-login-page>/Login.jsp</form-login-page>
        <form-error-page>/LoginError.html</form-error-page>
    </form-login-config>
</login-config>
Jason

If you deploy to JBoss or WildFly (an Undertow-based server), there is a solution.

Add a ServletContainerInitializer or WebApplicationInitializer to your project.

onStartup(Set<Class<?>> c, ServletContext ctx) or onStartup(ServletContext ctx)

import java.util.Set;

import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRegistration;

import io.undertow.servlet.Servlets;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.DeploymentInfo;
import io.undertow.servlet.spec.ServletContextImpl;

// the wrapper class name is only illustrative; the body of onStartup is what matters
public class UndertowSecurityInitializer implements ServletContainerInitializer {

    @Override
    public void onStartup(Set<Class<?>> c, ServletContext ctx) throws ServletException {
        // Undertow-specific: unwrap the ServletContext to reach the DeploymentInfo
        ServletContextImpl servletContextImpl = (ServletContextImpl) ctx;
        Deployment deployment = servletContextImpl.getDeployment();
        DeploymentInfo deploymentInfo = deployment.getDeploymentInfo();

        // equivalent of a <security-constraint> on /* allowing any role
        deploymentInfo.addSecurityConstraint(Servlets.securityConstraint()
                .addRoleAllowed("*")
                .addWebResourceCollections(Servlets.webResourceCollection().addUrlPattern("/*")));

        // auth-mode
        deploymentInfo.setLoginConfig(Servlets.loginConfig("BASIC", null));
        //deploymentInfo.setLoginConfig(Servlets.loginConfig("SPNEGO", "SPNEGO"));

        deploymentInfo.addSecurityRole("*");
        deploymentInfo.setSecurityDisabled(false);

        // ... your servlets go here
        ServletRegistration.Dynamic servlet = ctx.addServlet("rwtServlet", "org.eclipse.rap.rwt.engine.RWTServlet");
        servlet.addMapping("/rap");

        ctx.addListener("org.eclipse.rap.rwt.engine.RWTServletContextListener");
    }
}

Note: make sure to add undertow-servlet as a compile-time dependency.

<dependency>
    <groupId>io.undertow</groupId>
    <artifactId>undertow-servlet</artifactId>
    <version>2.0.30.Final</version>
</dependency>
Anuradha G