Java Servlet Access Control in JES Web Server 6.1

JES Web Server has a built-in Java Servlet engine for running Java web applications. When running Java webapps there are basically two choices for access control – ACL-based (or so-called native) or J2EE/Servlet-based. These choices are described in the product documentation.

I’ll start with a very simple Java webapp hello.war consisting of the only following content:


I want to limit access to the content (what little there is..) of this webapp. First I will use servlet container-based authentication (as defined by the Java Servlet specification, which is definitely recommended reading if you wish to work the Servlets). The access control requirements are specified in the web.xml file, mine contains:

      <web-resource-name>Protected Area</web-resource-name>


The key bit above is that I want the servlet container to use HTTP BASIC authentication as the <auth-method> and I want the client to be authenticated against the ‘file’ realm.

I should also point out that the role name TestRole must be mapped to one or more user(s) and/or group(s) in that realm (in this case, ‘file’). This mapping occurs in sun-web.xml, where I chose to map it to a single user, user1:


Going back to <realm-name> which has the value ‘file’; this must map to a realm which exists in the server’s configuration file server.xml. There I have an <AUTHREALM> entry with attribute name=’file’ (in fact, this is the default file auth realm entry, I didn’t modify it from the out-of-box setting):

<AUTHREALM name="file" classname="">
  <PROPERTY name="file" value="/tmp/https-hostname/config/keyfile"/>
  <PROPERTY name="jaas-context" value="fileRealm"/>

I also created a user called user1 to populate the user list contained in /tmp/https-hostname/config/keyfile, since that is the user name I mapped to the role back in sun-web.xml (your server is probably not installed in /tmp.. I just used that as an example).

With that, I’m done. After deploying hello.war onto this server I can now access it only after succesfully authenticating as user1.

This is a minimal example that shows the basics, there are certainly more possibilities. If you’re interested in more please read the product documentation, in particular the section on securing Java web applications in addition to the Servlet specification previously mentioned. I also recommend reading an article I wrote some time back, Application Server 7 Access Control Guide for more background on this general topic. While that article focuses on a different product, the access control mechanism defined by the Java Servlet specification is standard and applies equally to Web Server 6.1. Moreover, while there are differences in syntax between the configuration files of the two products, the underlying logic is very similar.

Posted in Sun