Securing a web application

duration 15 minutes

Prerequisites:

Learn how to secure a web application through authentication and authorization.

What you’ll learn

You’ll learn how to secure a web application by performing authentication and authorization using Jakarta EE Security. Authentication confirms the identity of the user by verifying a user’s credentials while authorization determines whether a user has access to restricted resources.

Jakarta EE Security provides capability to configure the basic authentication, form authentication, or custom form authentication mechanism by using annotations in servlets. It also provides the SecurityContext API for programmatic security checks in application code.

You’ll implement form authentication for a simple web front end. You’ll also learn to specify security constraints for a servlet and use the SecurityContext API to determine the role of a logged-in user.

Getting started

The fastest way to work through this guide is to clone the Git repository and use the projects that are provided inside:

git clone https://github.com/openliberty/guide-security-intro.git
cd guide-security-intro

The start directory contains the starting project that you will build upon.

The finish directory contains the finished project that you will build.

Before you begin, make sure you have all the necessary prerequisites.

Try what you’ll build

The finish directory in the root of this guide contains the finished application. Give it a try before you proceed.

To try out the application, first go to the finish directory and run the following Maven goal to build the application and deploy it to Open Liberty:

cd finish
mvn liberty:run

After you see the following message, your Liberty instance is ready:

The defaultServer server is ready to run a smarter planet.

The finished application is secured with form authentication.

Navigate your browser to this URL to access the application: http://localhost:9080

The application automatically switches from an HTTP connection to a secure HTTPS connection and forwards you to a login page. If the browser gives you a certificate warning, it’s because the Open Liberty instance created a self-signed SSL certificate by default. You can follow your browser’s provided instructions to accept the certificate and continue.

Sign in to the application with one of the following user credentials from the user registry, which are provided to you:

Username

Password

Role

Group

alice

alicepwd

user

Employee

bob

bobpwd

admin, user

Manager, Employee

carl

carlpwd

admin, user

TeamLead, Employee

dave

davepwd

N/A

PartTime

Notice that when you sign in as Bob or Carl, the browser redirects to the admin page and you can view their names and roles. When you sign in as Alice, you can only view Alice’s name. When you sign in as Dave, you are blocked and see an Error 403: Authorization failed message because Dave doesn’t have a role that is supported by the application.

After you are finished checking out the application, stop the Liberty instance by pressing CTRL+C in the command-line session where you ran Liberty. Alternatively, you can run the liberty:stop goal from the finish directory in another shell session:

mvn liberty:stop

Adding authentication and authorization

For this application, users are asked to log in with a form when they access the application. Users are authenticated and depending on their roles, they are redirected to the pages that they are authorized to access. If authentication or authorization fails, users are sent to an error page. The application supports two roles, admin and user.

Navigate to the start directory to begin.

When you run Open Liberty in dev mode, dev mode listens for file changes and automatically recompiles and deploys your updates whenever you save a new change. Run the following goal to start Open Liberty in dev mode:

mvn liberty:dev

After you see the following message, your Liberty instance is ready in dev mode:

**************************************************************
*    Liberty is running in dev mode.

Dev mode holds your command-line session to listen for file changes. Open another command-line session to continue, or open the project in your editor.

Create the HomeServlet class.
src/main/java/io/openliberty/guides/ui/HomeServlet.java

HomeServlet.java

 1// tag::copyright[]
 2/*******************************************************************************
 3 * Copyright (c) 2018, 2022 IBM Corporation and others.
 4 * All rights reserved. This program and the accompanying materials
 5 * are made available under the terms of the Eclipse Public License 2.0
 6 * which accompanies this distribution, and is available at
 7 * http://www.eclipse.org/legal/epl-2.0/
 8 *
 9 * SPDX-License-Identifier: EPL-2.0
10 *******************************************************************************/
11// end::copyright[]
12package io.openliberty.guides.ui;
13
14import java.io.IOException;
15import jakarta.inject.Inject;
16import jakarta.security.enterprise.SecurityContext;
17import jakarta.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
18import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
19import jakarta.servlet.ServletException;
20import jakarta.servlet.annotation.HttpConstraint;
21import jakarta.servlet.annotation.ServletSecurity;
22import jakarta.servlet.annotation.WebServlet;
23import jakarta.servlet.http.HttpServlet;
24import jakarta.servlet.http.HttpServletRequest;
25import jakarta.servlet.http.HttpServletResponse;
26
27@WebServlet(urlPatterns = "/home")
28// tag::AuthenticationMechanism[]
29@FormAuthenticationMechanismDefinition(
30    // tag::loginToContinue[]
31    // tag::errorPage[]
32    loginToContinue = @LoginToContinue(errorPage = "/error.html",
33    // end::errorPage[]
34                                        // tag::loginPage[]
35                                       loginPage = "/welcome.html"))
36                                        // end::loginPage[]
37    // end::loginToContinue[]
38// end::AuthenticationMechanism[]
39// tag::ServletSecurity[]
40// tag::HttpConstraint[]
41@ServletSecurity(value = @HttpConstraint(rolesAllowed = { "user", "admin" },
42// end::HttpConstraint[]
43  // tag::TransportGuarantee[]
44  transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
45  // end::TransportGuarantee[]
46// end::ServletSecurity[]
47// tag::HomeServlet[]
48public class HomeServlet extends HttpServlet {
49
50    private static final long serialVersionUID = 1L;
51
52    @Inject
53    private SecurityContext securityContext;
54
55    // tag::javaDoc1[]
56    /**
57     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
58     *      response)
59     */
60    // end::javaDoc1[]
61    // tag::doGet[]
62    protected void doGet(HttpServletRequest request, HttpServletResponse response)
63        throws ServletException, IOException {
64        // tag::CallerInRole[]
65        if (securityContext.isCallerInRole(Utils.ADMIN)) {
66            response.sendRedirect("/admin.jsf");
67        // end::CallerInRole[]
68        } else if  (securityContext.isCallerInRole(Utils.USER)) {
69            response.sendRedirect("/user.jsf");
70        }
71    }
72    // end::doGet[]
73
74    // tag::javaDoc2[]
75    /**
76     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
77     *      response)
78     */
79    // end::javaDoc2[]
80    protected void doPost(HttpServletRequest request, HttpServletResponse response)
81        throws ServletException, IOException {
82        doGet(request, response);
83    }
84}
85// end::HomeServlet[]

The HomeServlet servlet is the entry point of the application. To enable form authentication for the HomeServlet class, define the @FormAuthenticationMechanismDefinition annotation and set its loginToContinue attribute with a @LoginToContinue annotation. This @FormAuthenticationMechanismDefinition annotation defines welcome.html as the login page and error.html as the error page.

The welcome.html page implements the login form, and the error.html page implements the error page. Both pages are provided for you under the src/main/webapp directory. The login form in the welcome.html page uses the j_security_check action, which is defined by Jakarta EE and available by default.

Authorization determines whether a user can access a resource. To restrict access to authenticated users with user and admin roles, define the @ServletSecurity annotation with the @HttpConstraint annotation and set the rolesAllowed attribute to these two roles.

The transportGuarantee attribute defines the constraint on the traffic between the client and the application. Set it to CONFIDENTIAL to enforce that all user data must be encrypted, which is why an HTTP connection from a browser switches to HTTPS.

The SecurityContext interface provides programmatic access to the Jakarta EE Security API. Inject a SecurityContext instance into the HomeServlet class. The doGet() method uses the isCallerInRole() method from the SecurityContext API to check a user’s role and then forwards the response to the appropriate page.

The src/main/webapp/WEB-INF/web.xml file contains the rest of the security declaration for the application.

web.xml

 1<?xml version="1.0" encoding="UTF-8"?>
 2<!-- tag::copyright[] -->
 3<!--
 4    Copyright (c) 2018, 2019 IBM Corp.
 5
 6    Licensed under the Apache License, Version 2.0 (the "License");
 7    you may not use this file except in compliance with the License.
 8    You may obtain a copy of the License at
 9
10        http://www.apache.org/licenses/LICENSE-2.0
11
12    Unless required by applicable law or agreed to in writing, software
13    distributed under the License is distributed on an "AS IS" BASIS,
14    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15    See the License for the specific language governing permissions and
16    limitations under the License.
17-->
18<!-- end::copyright[]-->
19<!-- tag::webxml[] -->
20<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" 
21    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
22    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
23    version="3.1">
24    <display-name>Liberty Project</display-name>
25
26    <!-- WebAppJSF: Faces Servlet -->
27    <servlet>
28      <servlet-name>Faces Servlet</servlet-name>
29      <servlet-class>jakarta.faces.webapp.FacesServlet</servlet-class>
30      <load-on-startup>1</load-on-startup>
31    </servlet>
32
33    <!-- WebAppJSF: Faces Servlet Mapping -->
34    <servlet-mapping>
35      <servlet-name>Faces Servlet</servlet-name>
36      <url-pattern>*.jsf</url-pattern>
37    </servlet-mapping>
38
39    <welcome-file-list>
40      <welcome-file>/index.html</welcome-file>
41    </welcome-file-list>
42
43    <!-- tag::webxmlsecurity[] -->
44    <!-- SECURITY ROLES -->
45    <!-- tag::security-role[] -->
46    <security-role>
47      <!-- tag::role-name-admin[] -->
48      <role-name>admin</role-name>
49      <!-- end::role-name-admin[] -->
50    </security-role>
51
52    <security-role>
53      <!-- tag::role-name-user[] -->
54      <role-name>user</role-name>
55      <!-- end::role-name-user[] -->
56    </security-role>
57    <!-- end::security-role[] -->
58
59    <!-- SECURITY CONSTRAINTS -->
60    <!-- tag::security-constraint[] -->
61    <security-constraint>
62      <web-resource-collection>
63        <web-resource-name>AdminViewProperties</web-resource-name>
64        <!-- tag::url-pattern-admin[] -->
65        <url-pattern>/admin.jsf</url-pattern>
66        <!-- end::url-pattern-admin[] -->
67        <http-method>GET</http-method>
68      </web-resource-collection>
69      <auth-constraint>
70        <role-name>admin</role-name>
71      </auth-constraint>
72    </security-constraint>
73
74    <security-constraint>
75      <web-resource-collection>
76        <web-resource-name>UserViewProperties</web-resource-name>
77        <!-- tag::url-pattern-user[] -->
78        <url-pattern>/user.jsf</url-pattern>
79        <!-- end::url-pattern-user[] -->
80        <http-method>GET</http-method>
81      </web-resource-collection>
82      <auth-constraint>
83        <role-name>user</role-name>
84      </auth-constraint>
85    </security-constraint>
86    <deny-uncovered-http-methods/>
87    <!-- end::security-constraint[] -->
88    <!-- end::webxmlsecurity[] -->
89
90    <!-- Handle 403 Error -->
91    <error-page>
92      <error-code>403</error-code>
93      <location>/error403.html</location>
94    </error-page>
95</web-app>
96<!-- end::webxml[] -->

The security-role elements define the roles that are supported by the application, which are user and admin. The security-constraint elements specify that JSF resources like the user.jsf and admin.jsf pages can be accessed only by users with user and admin roles.

Configuring the user registry

User registries store user account information, such as username and password, for use by applications to perform security-related operations. Typically, Open Liberty would be configured to use an external registry like a Lightweight Directory Access Protocol (LDAP) registry. Applications would access information in the registry for authentication and authorization by using APIs like the Jakarta EE Security API.

Open Liberty provides an easy-to-use basic user registry for developers, which you will configure.

Create the userRegistry configuration file.
src/main/liberty/config/userRegistry.xml

userRegistry.xml

 1<server description="Sample Liberty server">
 2  <basicRegistry id="basic" realm="WebRealm">
 3    <!-- tag::user-bob[] -->
 4    <user name="bob"
 5      password="{xor}PTA9Lyg7" /> <!-- bobpwd -->
 6    <!-- end::user-bob[] -->
 7    <!-- tag::user-alice[] -->
 8    <user name="alice"
 9      password="{xor}PjM2PDovKDs=" />  <!-- alicepwd -->
10    <!-- end::user-alice[] -->
11    <!-- tag::user-carl[] -->
12    <user name="carl"
13      password="{xor}PD4tMy8oOw==" />  <!-- carlpwd -->
14    <!-- end::user-carl[] -->
15    <!-- tag::user-dave[] -->
16    <user name="dave"
17      password="{xor}Oz4pOi8oOw==" />  <!-- davepwd -->
18    <!-- end::user-dave[] -->
19
20    <!-- tag::group-name-Manager[] -->
21    <group name="Manager">
22      <member name="bob" />
23    </group>
24    <!-- end::group-name-Manager[] -->
25
26    <!-- tag::group-name-TeamLead[] -->
27    <group name="TeamLead">
28      <member name="carl" />
29    </group>
30    <!-- end::group-name-TeamLead[]-->
31    
32    <!-- tag::group-name-Employee[] -->
33    <group name="Employee">
34      <member name="alice" />
35      <member name="bob" />
36      <member name="carl" />
37    </group>
38    <!-- end::group-name-Employee[] -->
39
40    <!-- tag::group-name-PartTime[] -->
41    <group name="PartTime">
42      <member name="dave" />
43    </group>
44    <!-- end::group-name-PartTime[] -->
45  </basicRegistry>
46</server>

The registry has four users, bob, alice, carl, and dave. It also has four groups: Manager, TeamLead, Employee, and PartTime. Each user belongs to one or more groups.

It is not recommended to store passwords in plain text. The passwords in the userRegistry.xml file are encoded by using the Liberty securityUtility command with XOR encoding.

server.xml

 1<!-- tag::serverxml[] -->
 2<server description="Sample Liberty server">
 3
 4  <featureManager>
 5    <feature>appSecurity-5.0</feature>
 6    <feature>faces-4.0</feature>
 7    <feature>servlet-6.0</feature>
 8  </featureManager>
 9
10  <variable name="http.port" defaultValue="9080"/>
11  <variable name="https.port" defaultValue="9443"/>
12
13  <httpEndpoint id="defaultHttpEndpoint"
14    httpPort="${http.port}"
15    httpsPort="${https.port}" />
16
17  <!-- tag::location[] -->
18  <include location="userRegistry.xml"/>
19  <!-- end::location[]-->
20
21  <application location="guide-security-intro.war" type="war"
22               id="guide-security-intro.war"
23               name="guide-security-intro.war" context-root="/">
24    <!-- tag::application-bnd[] -->
25    <application-bnd>
26      <!-- tag::Security[] -->
27      <!-- tag::security-role-admin[] -->
28      <security-role name="admin">
29      <!-- end::security-role-admin[] -->
30        <!-- tag::Group[] -->
31        <!-- tag::group-name-Manager[] -->
32        <group name="Manager" />
33        <!-- end::group-name-Manager[] -->
34        <!-- tag::group-name-TeamLead[] -->
35        <group name="TeamLead" />
36        <!-- end::group-name-TeamLead[] -->
37        <!-- end::Group[] -->
38      </security-role>
39      <!-- tag::security-role-user[] -->
40      <security-role name="user">
41      <!-- end::security-role-user[] -->
42        <!-- tag::group-name-Employee[] -->
43        <group name="Employee" />
44        <!-- end::group-name-Employee[] -->
45      </security-role>
46      <!-- end::Security[] -->
47    </application-bnd>
48     <!-- end::application-bnd[] -->
49  </application>
50</server>
51<!-- end::serverxml[] -->

Use the include element to add the basic user registry configuration to your Liberty configuration. Open Liberty includes configuration information from the specified XML file in its configuration.

The server.xml configuration file contains the security configuration of the Liberty under the application-bnd element. Use the security-role and group elements to map the groups in the userRegistry.xml file to the appropriate user roles supported by the application for proper user authorization. The Manager and TeamLead groups are mapped to the admin role while the Employee group is mapped to the user role.

Running the application

You started the Open Liberty in dev mode at the beginning of the guide, so all the changes were automatically picked up.

HomeServlet.java

 1// tag::copyright[]
 2/*******************************************************************************
 3 * Copyright (c) 2018, 2022 IBM Corporation and others.
 4 * All rights reserved. This program and the accompanying materials
 5 * are made available under the terms of the Eclipse Public License 2.0
 6 * which accompanies this distribution, and is available at
 7 * http://www.eclipse.org/legal/epl-2.0/
 8 *
 9 * SPDX-License-Identifier: EPL-2.0
10 *******************************************************************************/
11// end::copyright[]
12package io.openliberty.guides.ui;
13
14import java.io.IOException;
15import jakarta.inject.Inject;
16import jakarta.security.enterprise.SecurityContext;
17import jakarta.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
18import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
19import jakarta.servlet.ServletException;
20import jakarta.servlet.annotation.HttpConstraint;
21import jakarta.servlet.annotation.ServletSecurity;
22import jakarta.servlet.annotation.WebServlet;
23import jakarta.servlet.http.HttpServlet;
24import jakarta.servlet.http.HttpServletRequest;
25import jakarta.servlet.http.HttpServletResponse;
26
27@WebServlet(urlPatterns = "/home")
28// tag::AuthenticationMechanism[]
29@FormAuthenticationMechanismDefinition(
30    // tag::loginToContinue[]
31    // tag::errorPage[]
32    loginToContinue = @LoginToContinue(errorPage = "/error.html",
33    // end::errorPage[]
34                                        // tag::loginPage[]
35                                       loginPage = "/welcome.html"))
36                                        // end::loginPage[]
37    // end::loginToContinue[]
38// end::AuthenticationMechanism[]
39// tag::ServletSecurity[]
40// tag::HttpConstraint[]
41@ServletSecurity(value = @HttpConstraint(rolesAllowed = { "user", "admin" },
42// end::HttpConstraint[]
43  // tag::TransportGuarantee[]
44  transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL))
45  // end::TransportGuarantee[]
46// end::ServletSecurity[]
47// tag::HomeServlet[]
48public class HomeServlet extends HttpServlet {
49
50    private static final long serialVersionUID = 1L;
51
52    @Inject
53    private SecurityContext securityContext;
54
55    // tag::javaDoc1[]
56    /**
57     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
58     *      response)
59     */
60    // end::javaDoc1[]
61    // tag::doGet[]
62    protected void doGet(HttpServletRequest request, HttpServletResponse response)
63        throws ServletException, IOException {
64        // tag::CallerInRole[]
65        if (securityContext.isCallerInRole(Utils.ADMIN)) {
66            response.sendRedirect("/admin.jsf");
67        // end::CallerInRole[]
68        } else if  (securityContext.isCallerInRole(Utils.USER)) {
69            response.sendRedirect("/user.jsf");
70        }
71    }
72    // end::doGet[]
73
74    // tag::javaDoc2[]
75    /**
76     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
77     *      response)
78     */
79    // end::javaDoc2[]
80    protected void doPost(HttpServletRequest request, HttpServletResponse response)
81        throws ServletException, IOException {
82        doGet(request, response);
83    }
84}
85// end::HomeServlet[]

Point your browser to the http://localhost:9080 URL.

As you can see, the browser gets automatically redirected from an HTTP connection to an HTTPS connection because the transport guarantee is defined in the HomeServlet class.

You will see a login form because form authentication is implemented and configured. Sign in to the application by using one of the credentials from the following table. The credentials are defined in the configured user registry.

Username

Password

Role

Group

alice

alicepwd

user

Employee

bob

bobpwd

admin, user

Manager, Employee

carl

carlpwd

admin, user

TeamLead, Employee

dave

davepwd

N/A

PartTime

Notice that when you sign in as Bob or Carl, the browser redirects to the admin page and you can view their names and roles. When you sign in as Alice, you can only view Alice’s name. When you sign in as Dave, you are blocked and see an Error 403: Authorization failed message because Dave doesn’t have a role that is supported by the application.

Testing the application

Write the SecurityIT class to test the authentication and authorization of the application.

Create the SecurityIT class.
src/test/java/it/io/openliberty/guides/security/SecurityIT.java

SecurityIT.java

  1// tag::copyright[]
  2/*******************************************************************************
  3 * Copyright (c) 2018, 2022 IBM Corporation and others.
  4 * All rights reserved. This program and the accompanying materials
  5 * are made available under the terms of the Eclipse Public License 2.0
  6 * which accompanies this distribution, and is available at
  7 * http://www.eclipse.org/legal/epl-2.0/
  8 *
  9 * SPDX-License-Identifier: EPL-2.0
 10 *******************************************************************************/
 11// end::copyright[]
 12package it.io.openliberty.guides.security;
 13
 14import static org.junit.jupiter.api.Assertions.assertEquals;
 15import static org.junit.jupiter.api.Assertions.assertTrue;
 16
 17import java.net.URI;
 18import java.util.ArrayList;
 19import java.util.List;
 20
 21import javax.net.ssl.SSLContext;
 22import jakarta.servlet.http.HttpServletResponse;
 23
 24import org.apache.http.HttpResponse;
 25import org.apache.http.NameValuePair;
 26import org.apache.http.client.HttpClient;
 27import org.apache.http.client.config.CookieSpecs;
 28import org.apache.http.client.config.RequestConfig;
 29import org.apache.http.client.entity.UrlEncodedFormEntity;
 30import org.apache.http.client.methods.HttpGet;
 31import org.apache.http.client.methods.HttpPost;
 32import org.apache.http.impl.client.HttpClientBuilder;
 33import org.apache.http.message.BasicNameValuePair;
 34import org.apache.http.util.EntityUtils;
 35import org.junit.jupiter.api.BeforeEach;
 36import org.junit.jupiter.api.Test;
 37
 38public class SecurityIT {
 39
 40    private static String urlHttp;
 41    private static String urlHttps;
 42
 43    @BeforeEach
 44    public void setup() throws Exception {
 45        urlHttp = "http://localhost:" + System.getProperty("http.port");
 46        urlHttps = "https://localhost:" + System.getProperty("https.port");
 47        ITUtils.trustAll();
 48    }
 49
 50    @Test
 51    // tag::testAuthenticationFail[]
 52    public void testAuthenticationFail() throws Exception {
 53        executeURL("/", "bob", "wrongpassword", true, -1, "Don't care");
 54    }
 55    // end::testAuthenticationFail[]
 56
 57    @Test
 58    // tag::testAuthorizationForAdmin[]
 59    public void testAuthorizationForAdmin() throws Exception {
 60        executeURL("/", "bob", "bobpwd", false,
 61            HttpServletResponse.SC_OK, "admin, user");
 62    }
 63    // end::testAuthorizationForAdmin[]
 64
 65    @Test
 66    // tag::testAuthorizationForUser[]
 67    public void testAuthorizationForUser() throws Exception {
 68        executeURL("/", "alice", "alicepwd", false,
 69            HttpServletResponse.SC_OK, "<title>User</title>");
 70    }
 71    // end::testAuthorizationForUser[]
 72
 73    @Test
 74    // tag::testAuthorizationFail[]
 75    public void testAuthorizationFail() throws Exception {
 76        executeURL("/", "dave", "davepwd", false,
 77            HttpServletResponse.SC_FORBIDDEN, "Error 403: Authorization failed");
 78    }
 79    // end::testAuthorizationFail[]
 80
 81    private void executeURL(
 82        String testUrl, String userid, String password,
 83        boolean expectLoginFail, int expectedCode, String expectedContent)
 84        throws Exception {
 85
 86        // Use HttpClient to execute the testUrl by HTTP
 87        URI url = new URI(urlHttp + testUrl);
 88        HttpGet getMethod = new HttpGet(url);
 89        HttpClientBuilder clientBuilder = HttpClientBuilder.create();
 90        SSLContext sslContext = SSLContext.getDefault();
 91        clientBuilder.setSSLContext(sslContext);
 92        clientBuilder.setDefaultRequestConfig(
 93            RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build());
 94        HttpClient client = clientBuilder.build();
 95        HttpResponse response = client.execute(getMethod);
 96
 97        // Response should be login.html
 98        String loginBody = EntityUtils.toString(response.getEntity(), "UTF-8");
 99        assertTrue(loginBody.contains("window.location.assign"),
100            "Not redirected to home.html");
101        String[] redirect = loginBody.split("'");
102
103        // Use j_security_check to login
104        HttpPost postMethod = new HttpPost(urlHttps + "/j_security_check");
105        List<NameValuePair> nvps = new ArrayList<NameValuePair>();
106        nvps.add(new BasicNameValuePair("j_username", userid));
107        nvps.add(new BasicNameValuePair("j_password", password));
108        postMethod.setEntity(new UrlEncodedFormEntity(nvps, "UTF-8"));
109        response = client.execute(postMethod);
110        assertEquals(HttpServletResponse.SC_FOUND,
111            response.getStatusLine().getStatusCode(),
112            "Expected " + HttpServletResponse.SC_FOUND + " status code for login");
113
114        // Return if login fails
115        if (expectLoginFail) {
116            String location = response.getFirstHeader("Location").getValue();
117            assertTrue(location.contains("error.html"),
118                "Error.html was not returned");
119            return;
120        }
121
122        // Use HttpClient to execute the redirected url
123        url = new URI(urlHttps + redirect[1]);
124        getMethod = new HttpGet(url);
125        response = client.execute(getMethod);
126        assertEquals(expectedCode, response.getStatusLine().getStatusCode(),
127            "Expected " + expectedCode + " status code for login");
128
129        // Return if not SC_OK
130        if (expectedCode != HttpServletResponse.SC_OK) {
131            return;
132        }
133
134        // Check the content of the response returned
135        String actual = EntityUtils.toString(response.getEntity(), "UTF-8");
136        assertTrue(actual.contains(userid),
137            "The actual content did not contain the userid \"" + userid
138            + "\". It was:\n" + actual);
139        assertTrue(actual.contains(expectedContent),
140            "The url " + testUrl + " did not return the expected content \""
141            + expectedContent + "\"" + "The actual content was:\n" + actual);
142    }
143
144}

The testAuthenticationFail() method tests an invalid user authentication while the testAuthorizationFail() method tests unauthorized access to the application.

The testAuthorizationForAdmin() and testAuthorizationForUser() methods verify that users with admin or user roles are properly authenticated and can access authorized resource.

Running the tests

Because you started Open Liberty in dev mode, you can run the tests by pressing the enter/return key from the command-line session where you started dev mode.

You see the following output:

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running it.io.openliberty.guides.security.SecurityIT
Tests run: 4, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 1.78 sec - in it.io.openliberty.guides.security.SecurityIT

Results :

Tests run: 4, Failures: 0, Errors: 0, Skipped: 0

When you are done checking out the service, exit dev mode by pressing CTRL+C in the command-line session where you ran Liberty.

Great work! You’re done!

You learned how to use Jakarta EE Security in Open Liberty to authenticate and authorize users to secure your web application.

Next, you can try the related MicroProfile JWT guide. It demonstrates technologies to secure backend services.

Guide Attribution

Securing a web application by Open Liberty is licensed under CC BY-ND 4.0

Copy file contents
Copied to clipboard

Prerequisites:

Nice work! Where to next?

What did you think of this guide?

Extreme Dislike Dislike Like Extreme Like

What could make this guide better?

Raise an issue to share feedback

Create a pull request to contribute to this guide

Need help?

Ask a question on Stack Overflow

Like Open Liberty? Star our repo on GitHub.

Star