Overview of SIP Servlet Security

The SIP Servlet application program interface (API) specification defines a set of deployment descriptor elements that can be used to provide declarative and programmatic security for SIP Servlets. The primary method for declaring security constraints is to define one or more security-constraint elements in the sip.xml deployment descriptor. A security-constraint element lists, in resource-collection elements, the resources in the SIP Servlet that are to be protected, and it identifies the role names that are authorized to access those resources. All role names used in a security-constraint must be defined elsewhere in sip.xml in a security-role element.

SIP Servlets can also programmatically refer to a role name within the Servlet code, and then map the hard-coded role name to an alternate role in the sip.xml security-role-ref element during deployment. Roles must be defined elsewhere in a security-role element before they can be mapped to a hard-coded name in the security-role-ref element.

For SIP Servlet Plain Old Java Objects (POJOs), annotations are available that provide identical functionality:

  • @SipSecurity: specifies security constraints to be enforced on SIP protocol messages.
  • @SipConstraint: used within the @SipSecurity annotation to represent the security constraint to be applied to all SIP protocol methods for which a corresponding @SipMethodConstraint does not occur within the @SipSecurity annotation.
  • @SipMethodConstraint: used within the @SipSecurity annotation to represent security constraints on specific SIP protocol messages.

For information on using the @SipSecurity annotation see section 22.3.10.1 in JSR-359, https://jcp.org/en/jsr/detail?id=359.

The SIP Servlet specification also enables Servlets to propagate a security role to a called Enterprise JavaBean (EJB) using the run-as element. Once again, roles used in the run-as element must be defined in a separate security-role element in sip.xml.
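The following sip.xml fragment is an added illustration of how the elements described above fit together; it is not the Example 14-1 excerpt from the Oracle documentation, and the servlet name, class name, role names and realm are constructed placeholders.

```xml
<!-- Added example (constructed names), not the documentation's own Example 14-1. -->
<sip-app>

  <servlet>
    <servlet-name>CallControlServlet</servlet-name>
    <servlet-class>example.CallControlServlet</servlet-class>
    <!-- The servlet code calls request.isUserInRole("admin"); the hard-coded
         name "admin" is mapped at deployment to the declared role "operators". -->
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>operators</role-link>
    </security-role-ref>
    <!-- Role propagated to EJBs this servlet calls; it must also be declared
         in a security-role element below or deployment fails. -->
    <run-as>
      <role-name>callservice</role-name>
    </run-as>
  </servlet>

  <!-- Declarative constraint: only callers in "subscribers" may send INVITE
       or REGISTER to this servlet. Methods not listed in the resource-collection
       (for example OPTIONS) are NOT covered by this constraint, so list every
       method that needs protection. -->
  <security-constraint>
    <resource-collection>
      <resource-name>Call setup</resource-name>
      <servlet-name>CallControlServlet</servlet-name>
      <sip-method>INVITE</sip-method>
      <sip-method>REGISTER</sip-method>
    </resource-collection>
    <auth-constraint>
      <role-name>subscribers</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- SIP uses Digest authentication; the realm is sent in the 401 challenge. -->
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>example.com</realm-name>
  </login-config>

  <!-- Every role used in security-constraint, security-role-ref (role-link)
       and run-as must be declared here. -->
  <security-role><role-name>subscribers</role-name></security-role>
  <security-role><role-name>operators</role-name></security-role>
  <security-role><role-name>callservice</role-name></security-role>

</sip-app>
```

A practical check after deployment is to send an unauthenticated INVITE to the servlet and confirm it is rejected with a 401 challenge rather than accepted.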

The SIP Servlet API specification provides more details about the types of security available to SIP Servlets. SIP Servlet security features are similar to security features available with HTTP Servlets; you can find additional information about HTTP Servlet security by referring to these sections in the Oracle WebLogic Server documentation:

  • The discussion on securing web applications in Programming WebLogic Security provides an overview of declarative and programmatic security models for Servlets.
  • The discussion on EJB security-related deployment descriptors in "Securing Enterprise JavaBeans (EJBs)" in Programming WebLogic Security describes all security-related deployment descriptor elements for EJBs, including the run-as element used for propagating roles to called EJBs.

See also the example sip.xml excerpt in Example 14-1.