the filter chain. In this case, a small change has been made to the life cycle. As of release 3.1, the service method is
required to run in the same thread as all filters that apply to the servlet. The following web.xml excerpt provides a
visual overview of this update:
<!-- Filters to be applied -->
<filter>
    <filter-name>FilterA</filter-name>
    <filter-class>FilterA</filter-class>
</filter>
<filter>
    <filter-name>FilterB</filter-name>
    <filter-class>FilterB</filter-class>
</filter>
<filter-mapping>
    <filter-name>FilterA</filter-name>
    <servlet-name>ServletOne</servlet-name>
</filter-mapping>
In this example, when ServletOne is processed, FilterA must be applied because it is the first filter in the chain.
If FilterA contains a doFilter method that invokes FilterB, then the service method of FilterA must be executed in
the same thread as the service method of FilterB. This enhancement is handled by the container, but it is important
to understand for concurrency purposes.
Security Enhancements
The new Servlet 3.1 API includes security enhancements that improve the reliability and integrity of servlet-based
applications by applying the following:
- Run-as security roles to init and destroy methods
- Session fixation attack defense
- Default security semantics for nonspecified HTTP methods
This section will provide a quick overview of these new security enhancements, along with some example code to
help you begin implementing them.
Specifying an Identity for Executing init and destroy Methods
Security roles that are defined for a particular application can be mapped to a servlet by annotating the servlet class
with @RunAs. Any calls that a servlet makes to an EJB must provide a security identity, or principal, and @RunAs is a
means to do just that. In Servlet 3.1, if a security role is bound via run-as to a servlet, then calls made from that servlet
to an EJB will be executed under the permission set of the role bound by @RunAs. As such, even if a call is made
from a servlet's init or destroy method, it will be initiated under the specified permission set.
For example, suppose you want to initiate a call to an EJB from a servlet under an administrative role named
“Admin.” To do so, simply annotate the servlet accordingly and make the calls, as needed. In the following example,
a servlet named AcmeServlet is configured for access by any user who is part of the “user” role.
@RunAs("user")
@WebServlet(name = "AcmeServlet", urlPatterns = {"/AcmeServlet"})
public class AcmeServlet extends HttpServlet {
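As an added example that is not the book's code, the following hypothetical servlet shows the point of the 3.1 change: it calls an EJB from init(), doGet() and destroy(), and all three calls carry the run-as role. AuditService is an assumed @Stateless bean whose methods are annotated @RolesAllowed("user"), and the "user" role is assumed to be mapped by the container.

```java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical servlet. AuditService is an assumed @Stateless EJB whose
// methods require the "user" role via @RolesAllowed("user"); not shown here.
@DeclareRoles("user")   // the run-as role must be a declared security role
@RunAs("user")          // every EJB call from this servlet carries the "user" role
@WebServlet(name = "AuditedServlet", urlPatterns = {"/audited"}, loadOnStartup = 1)
public class AuditedServlet extends HttpServlet {

    @EJB
    private AuditService audit;  // container-injected; authorized against the run-as role

    @Override
    public void init() throws ServletException {
        // No user is authenticated while the container initializes the servlet.
        // Servlet 3.1 requires the run-as identity to apply here too; earlier
        // releases left this unspecified, so the call could be rejected.
        try {
            audit.record("servlet started");
        } catch (EJBAccessException e) {
            // Reached only if the run-as role is missing or not mapped.
            throw new ServletException("init() rejected by EJB authorization", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Request-time calls reach the EJB as "user" regardless of the caller's
        // own roles; who may invoke doGet() is still decided by the servlet's
        // own security constraints, not by @RunAs.
        audit.record("request from " + req.getRemoteAddr());
        resp.setContentType("text/plain");
        resp.getWriter().println("audited");
    }

    @Override
    public void destroy() {
        // The same run-as identity covers shutdown as well.
        try {
            audit.record("servlet stopped");
        } catch (EJBAccessException e) {
            getServletContext().log("destroy() audit rejected", e);
        }
    }
}
```

Because @RunAs fixes the identity seen by the EJB, the EJB's @RolesAllowed check no longer reflects the real caller; keep access constraints on the servlet itself so that run-as does not widen who can reach the bean.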