Chapter 13: Securing Struts Applications
Programmatic Security
Even though configuring the deployment descriptor and specifying roles in the tomcat-users.xml file means that you do not need to write Java code, sometimes coding is inevitable. For example, you might want to record all the users that log in. The javax.servlet.http.HttpServletRequest interface provides several methods that give you access to portions of the user’s login information. These methods are getAuthType, isUserInRole, getUserPrincipal, and getRemoteUser. The methods are explained in the following subsections.
The getAuthType method has the following signature.
public String getAuthType()
This method returns the name of the authentication scheme used to protect the servlet. The return value is one of the following constants defined in HttpServletRequest: BASIC_AUTH, FORM_AUTH, CLIENT_CERT_AUTH, and DIGEST_AUTH. It returns null if the request was not authenticated.
Here is the signature of the isUserInRole method.
public boolean isUserInRole(String role)
This method indicates whether the authenticated user is included in the specified role. If the user has not been authenticated, the method returns false.
The signature of getUserPrincipal is as follows.
public java.security.Principal getUserPrincipal()
This method returns a java.security.Principal object containing the name of the current authenticated user. If the user has not been authenticated, the method returns null.
The getRemoteUser method has the following signature.
public String getRemoteUser()
This method returns the name of the user making this request, if the user has been authenticated. Otherwise, it returns null. Whether the user name is sent with each subsequent request depends on the browser and type of authentication.
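The login-recording use case mentioned at the start of this section, written as a servlet filter that uses all four methods. This is an added example, not code from the book or from Struts; the class name LoginAuditFilter, the logger name, the session attribute name and the "admin" role are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical audit filter: records each authenticated user once per session. */
public class LoginAuditFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("security.audit"); // assumed logger name
    private static final String RECORDED = "audit.loginRecorded";         // assumed attribute name
    private static final String ADMIN_ROLE = "admin";                     // assumed role name

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            audit((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    private void audit(HttpServletRequest request) {
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            return; // not authenticated: nothing to record
        }
        HttpSession session = request.getSession();
        if (session.getAttribute(RECORDED) != null) {
            return; // this login was already written to the audit log
        }
        session.setAttribute(RECORDED, Boolean.TRUE);
        // getRemoteUser() is the same name as principal.getName() for an authenticated request.
        LOG.info("login user=" + clean(request.getRemoteUser())
                + " principal=" + clean(principal.getName())
                + " scheme=" + request.getAuthType()
                + " admin=" + request.isUserInRole(ADMIN_ROLE)
                + " addr=" + request.getRemoteAddr());
    }

    /** Replaces CR/LF and other control characters so a crafted user name cannot forge log lines. */
    static String clean(String value) {
        return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

The filter takes effect only after it is declared and mapped in the deployment descriptor for the URL patterns that the security constraints protect.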
Note
You can extend the org.apache.struts.action.RequestProcessor class if you have special needs for security. Check this out in Chapter 22, “How Struts Works”.