Sometimes declarative security is not enough; in that case we should go for programmatic security.

Example:
Based on the user's role we have to provide the corresponding customized response. If the user is an admin we have to provide the admin-related response, otherwise we have to provide the normal response.

For this type of requirement declarative security is not enough, so we should go for programmatic security.

We can implement programmatic security by using the following methods of HttpServletRequest.

  1. public boolean isUserInRole(String roleName)
    If the authenticated user belongs to the specified role then this method returns true.
    If the authenticated user does not belong to the specified role (or is not authenticated) then this method returns false.
  2. public String getRemoteUser()
    It returns the login name of the authenticated user. If the user has not been authenticated then this method returns null.
  3. public Principal getUserPrincipal()
    This method returns a java.security.Principal object which provides user information.
    It returns null if the user has not been authenticated.

Example:

  // req is the HttpServletRequest; out is the PrintWriter obtained from resp.getWriter()
  if (req.isUserInRole("admin")) {
    out.println("Admin related response");
  } else {
    out.println("normal response");
  }
 

The main problem with this approach is that we are hard coding the role names in the servlet. If the role name ever changes, modifying the servlet code is costly and creates maintenance problems.

To resolve this we can use the <security-role-ref> tag. By using this tag we can map the hard-coded (logical) role names used in the servlet to the original role names declared for the application.

<servlet>
  ....
  <security-role-ref>
    <role-name>admin</role-name>        <!-- logical role name used in isUserInRole() -->
    <role-link>javaadmin</role-link>    <!-- original role name declared in <security-role> -->
  </security-role-ref>
</servlet>
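The following servlet is an added example, not code from the original notes: it puts the three HttpServletRequest methods and the role mapping above together. The class name DashboardServlet and the "Hello" greeting are assumptions; the role names "admin" (logical, used in code) and "javaadmin" (original, via <role-link>) are the ones from the web.xml fragment above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (added example). The container authenticates the caller;
// the servlet only decides what to show based on the authenticated identity.
public class DashboardServlet extends HttpServlet {

    // Logical role name. web.xml maps it to the real role "javaadmin" through
    // <security-role-ref>, so renaming the real role never touches this code.
    private static final String ADMIN_ROLE = "admin";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // getUserPrincipal() and getRemoteUser() both return null when the
        // container has not authenticated the caller (for example when the URL
        // is not covered by a <security-constraint>). Check before trusting them.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "authentication required");
            return;
        }

        // getRemoteUser() returns the same login name as principal.getName().
        String user = req.getRemoteUser();
        out.println("Hello, " + user);

        // isUserInRole() is evaluated by the container against the authenticated
        // user, not against anything the client sent, so it is safe to branch on.
        if (req.isUserInRole(ADMIN_ROLE)) {
            out.println("Admin related response");
        } else {
            out.println("normal response");
        }
    }
}
```

To deploy it, register the class under a <servlet> element in web.xml together with the <security-role-ref> shown above, and declare the real role once with <security-role><role-name>javaadmin</role-name></security-role>. The <role-name> inside <security-role-ref> must match the string passed to isUserInRole() exactly, and the <role-link> must name a declared <security-role>; if no <security-role-ref> matches, the container falls back to treating "admin" as a real role name.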