Web UI framework security - adding request validators

The Web UI Framework allows you to set up more than one validation for a request. This validation process performs additional authentication of a user after that user has initially logged in, and allows that user to continue the login session.

About this task

For more information, refer to the Java™ API documentation in your installation directory (<INSTALL_DIR>/xapidocs/core_javadocs).

Procedure

  1. Install the application with the default implementation of the Web UI Framework.
  2. Create your implementation of multiple validations, which you will plug into the Web UI Framework. The Web UI Framework does not have a default implementation of multiple validations. If no implementation is provided, the request is not further validated after the initial authentication.

    Request validations run on every request, so optimize your implementation based on your needs. The implementation of request validators must use the contract defined in ISCUIRequestValidator.

  3. Return an SCUISecurityResponse object from the request validator's validate method. If the validation fails, the request is redirected to the URL specified in the SCUISecurityResponse object. Also include settings for the return status, exception, and error message. The Web UI Framework uses this information when it calls the validate method of the ISCUIRequestValidator.
    The ISCUIRequestValidator interface defines what the Web UI Framework expects in any request validation implementation. This interface uses the following methods:
    • validate

      Takes in SCUIContext. The response is an SCUISecurityResponse object that encapsulates the return status, the URL of the page, exception, and error message. This method executes the business logic needed by the application.

    • init

      Handles initialization.

    • sessionDestroyed

      Closes all opened session-specific handles. The ISCUIRequestValidator interface extends ISCUISessionAware, a marker interface that lets the validator register itself with the HttpSessionListener implementation class. When the session is invalidated or destroyed, the listener calls the sessionDestroyed method to close the session-specific handles opened during initialization.

    The following shows an example of an ISCUIRequestValidator interface:

    public interface ISCUIRequestValidator extends ISCUISessionAware
    {
      public SCUISecurityResponse validate(SCUIContext uiContext);
      public void init();
      public void sessionDestroyed();
    }

    Request validation consists of one or more validator classes that implement the ISCUIRequestValidator interface. Multiple request validators can be set, but their order is not guaranteed. Each validator is plugged in using a context parameter in web.xml, as shown in the following example:

    <context-param>
      <param-name>scui-request-validator1</param-name>
      <param-value>com.app.MyURLValidator</param-value>
    </context-param>
    <context-param>
      <param-name>scui-request-validator2</param-name>
      <param-value>com.app.MyAdminValidator</param-value>
    </context-param>

    All validators listed in the context parameters in web.xml are called (in no particular order) to perform the additional validation.

  4. To deploy the customized Java code, build a JAR file that contains the Java class, and then install the JAR file using the install3rdparty.sh script. Then rebuild the EAR or WAR file as you did during the installation, and deploy the application on Applications Manager.
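
A validator written against the contract in step 3, as an added example that is not the product's own code. The stand-in types at the top, their fields, DENIED_URL, and the admin path prefixes are assumptions made so the file compiles alone; the real SCUIContext and SCUISecurityResponse signatures are in core_javadocs. It shows a check that does not depend on validator order, keeps per-request work small, and fails closed.

```java
import java.net.URI;
import java.util.Set;

// Stand-ins so this file compiles alone. Their shapes are assumptions; the real
// classes and signatures are documented in core_javadocs.
interface ISCUISessionAware {}
record SCUIContext(String path, boolean adminSession) {}
record SCUISecurityResponse(boolean ok, String url, String errorMessage, Exception cause) {}
interface ISCUIRequestValidator extends ISCUISessionAware {
    SCUISecurityResponse validate(SCUIContext uiContext);
    void init();
    void sessionDestroyed();
}

public class MyAdminValidator implements ISCUIRequestValidator {
    private static final String DENIED_URL = "/denied.jsp";   // hypothetical page
    private static final SCUISecurityResponse PASS =
            new SCUISecurityResponse(true, null, null, null);
    private Set<String> adminPrefixes;                         // built once, not per request

    public void init() { adminPrefixes = Set.of("/admin/", "/config/"); }

    public void sessionDestroyed() { adminPrefixes = null; }   // release handles

    public SCUISecurityResponse validate(SCUIContext ctx) {
        try {
            // Validator order is not guaranteed, so normalize the path here
            // rather than relying on another validator having done it.
            String path = URI.create(ctx.path()).normalize().getPath();
            boolean adminPath = adminPrefixes.stream().anyMatch(path::startsWith);
            if (!adminPath || ctx.adminSession()) return PASS;
            return new SCUISecurityResponse(false, DENIED_URL, "Admin role required", null);
        } catch (RuntimeException e) {
            // Fail closed: null context, unparsable path, or use before init()
            // or after sessionDestroyed() all end in a redirect, never a pass.
            return new SCUISecurityResponse(false, DENIED_URL, "Validation error", e);
        }
    }

    public static void main(String[] args) {
        MyAdminValidator v = new MyAdminValidator();
        v.init();
        String[] paths = {"/orders/list", "/admin/users", "/orders/../admin/users", "/admin/a b"};
        for (String p : paths)                                  // constructed sample requests
            System.out.println(p + " -> " + v.validate(new SCUIContext(p, false)).ok());
        System.out.println("null -> " + v.validate(null).ok());
    }
}
```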