Security

Servlets don’t have to handle their own security arrangements. Instead, they can rely on the capabilities of the web server to limit access where required. The security capabilities of most web servers are limited to basic on-or-off access to specific resources, controlled by username and password (or digital certificate), with possible encryption-in-transmission using SSL. Most servers are limited to basic authentication, which transmits passwords more or less in the clear, while some support the more advanced digest authentication protocol, which works by transmitting a hash of the user’s password and a server-generated value, rather than the password itself. Both of these approaches look the same to the user; the familiar “Enter username and password” window pops up in the web browser.

Recent versions of the Servlet API take a much less hands-off approach to security. The web.xml file can be used to define which servlets and resources are protected, and which users have access. The user access model is the J2EE User-Role model, in which users can be assigned one or more Roles. Users with a particular role are granted access to protected resources. A user named Admin might have both the Administrator role and the User role, while users Bob and Ted might only have the User role.

In addition to basic, digest and SSL authentication, the web application framework allows for HTML form-based logins. This approach allows the developer to specify an HTML or JSP page containing ...

Get Java Enterprise in a Nutshell, Second Edition now with the O’Reilly learning platform.
