Implementing servlet authentication

Extending the base class javax.servlet.http.HttpServlet provides no inherent security for your servlet. By default, anyone can trigger servlet code without authenticating.

Warning: You must add your own authentication for your servlet to protect information and data integrity. If you have any questions about server security, contact Guidewire Customer Support.

The package gw.servlet provides abstract classes that you extend to create a servlet that authenticates its users. The class AbstractGWAuthServlet translates the security headers in the request and authenticates with the Guidewire server. The subclass AbstractBasicAuthenticationServlet authenticates using HTTP basic authentication. Each of these classes supports only one type of authentication at run time. To support both HTTP basic authentication and Guidewire authentication in the same servlet, extend HttpServlet directly and use the utility methods of the ServletUtils class. With ServletUtils, the servlet can use the session key when one is available and otherwise fall back to the HTTP basic authentication headers or to custom headers.

For security reasons, a servlet saves the connection's session ID only if the HTTP connection is secure (HTTPS). This behavior can be changed for network topologies that secure the connection through other means, such as by not allowing external access to the server. To force the saving of the connection's session ID, set the system property gw.servlet.ServletUtils.BypassIsSecure to true.
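The following Java servlet is an added example, not Guidewire code and not the documented gw.servlet classes. It shows the shape of the "extend HttpServlet yourself" path described above: the servlet parses the HTTP basic authentication header, rejects the request with a 401 challenge when credentials are missing or wrong, and only creates a session when the connection is secure (or the documented gw.servlet.ServletUtils.BypassIsSecure property is set, which the example reads itself purely for illustration). The class name ExampleBasicAuthServlet, the realm, and the verifyCredentials placeholder are assumptions; a real servlet would delegate the credential check to the Guidewire server through ServletUtils, whose method names this page does not specify.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet (hypothetical, not part of gw.servlet) that extends
 * HttpServlet directly and enforces HTTP basic authentication before any
 * handler code runs.
 */
public class ExampleBasicAuthServlet extends HttpServlet {

    private static final String REALM = "example"; // assumed realm name

    // Property name taken from the documentation above. The example reads it only
    // to mirror the documented behaviour; the Guidewire classes read it themselves.
    private static final String BYPASS_IS_SECURE_PROPERTY =
            "gw.servlet.ServletUtils.BypassIsSecure";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = authenticate(req);
        if (user == null) {
            challenge(resp);            // nothing below runs for unauthenticated callers
            return;
        }
        if (maySaveSessionId(req)) {
            req.getSession(true);       // session only over HTTPS (or with the bypass set)
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Hello, " + user);
    }

    /** Returns the user name if the request carries valid basic credentials, else null. */
    static String authenticate(HttpServletRequest req) {
        String[] creds = parseBasicAuthorization(req.getHeader("Authorization"));
        if (creds == null) {
            return null;
        }
        return verifyCredentials(creds[0], creds[1]) ? creds[0] : null;
    }

    /** Decodes "Basic base64(user:password)" into {user, password}, or null if malformed. */
    static String[] parseBasicAuthorization(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null;                // not valid base64: treat as no credentials
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':');
        if (colon < 0) {
            return null;                // RFC 7617 requires user:password
        }
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /**
     * Placeholder credential check with a constructed sample credential.
     * A real servlet delegates this decision to the Guidewire server instead.
     */
    static boolean verifyCredentials(String user, String password) {
        byte[] expected = "s3cret-placeholder".getBytes(StandardCharsets.UTF_8);
        byte[] actual = password.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return "demo".equals(user) && MessageDigest.isEqual(expected, actual);
    }

    /** Mirrors the documented rule: keep the session ID only on a secure connection. */
    static boolean maySaveSessionId(HttpServletRequest req) {
        return req.isSecure() || Boolean.getBoolean(BYPASS_IS_SECURE_PROPERTY);
    }

    /** Sends the 401 challenge that makes clients retry with credentials. */
    static void challenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate",
                "Basic realm=\"" + REALM + "\", charset=\"UTF-8\"");
        resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

The ordering in doGet is the point: authentication happens before any business logic and before a session is created, and an unauthenticated caller gets the 401 challenge rather than partial output. Because basic credentials travel base64-encoded rather than encrypted, the servlet relies on the HTTPS requirement noted above to keep them confidential in transit.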

Guidewire recommends that your servlets use HTTP basic authentication, which is supported by the AbstractBasicAuthenticationServlet class.