the filter chain. In this case, a small change has been made to the life cycle. As of release 3.1, the service method is required to run in the same thread as all filters that apply to the servlet. The following web.xml excerpt provides a visual overview of this update:
```xml
<!-- Filters to be applied -->
<filter>
    <filter-name>FilterA</filter-name>
    <filter-class>FilterA</filter-class>
</filter>
<filter>
    <filter-name>FilterB</filter-name>
    <filter-class>FilterB</filter-class>
</filter>
<filter-mapping>
    <filter-name>FilterA</filter-name>
    <servlet-name>ServletOne</servlet-name>
</filter-mapping>
```
In this example, when ServletOne is processed, FilterA must be applied because it is the first filter in the chain. If FilterA contains a doFilter method that invokes FilterB, then the service method of FilterA must be executed in the same thread as the service method of FilterB. This enhancement is handled by the container, but it is important to understand for concurrency purposes.
Security Enhancements
The new Servlet 3.1 API includes security enhancements that improve the reliability and integrity of servlet-based applications by applying the following:
• Run-as security roles to init and destroy methods
• Session fixation attack defense
• Default security semantics for nonspecified HTTP methods
This section will provide a quick overview of these new security enhancements, along with some example code to help you begin implementing them.
Specifying an Identity for Executing init and destroy Methods
Security roles that are defined for a particular application can be mapped to a servlet by annotating the servlet class with @RunAs. Any calls that a servlet makes to an EJB must provide a security identity, or principal, and @RunAs is a means to do just that. In Servlet 3.1, if a security role is bound via run-as to a servlet, then calls made from that servlet to an EJB will be executed under the permission set of the role bound by the @RunAs. As such, even if a call is made from a servlet's init or destroy method, it will be initiated under the specified permission set.
For example, suppose you want to initiate a call to an EJB from a servlet under an administrative role named “Admin.” To do so, simply annotate the servlet accordingly and make the calls, as needed. In the following example, a servlet named AcmeServlet is configured for access by any user who is part of the “user” role.
```java
import javax.annotation.security.RunAs;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@RunAs("user")
@WebServlet(name = "AcmeServlet", urlPatterns = {"/AcmeServlet"})
public class AcmeServlet extends HttpServlet {
```
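To show the effect of the Servlet 3.1 change on life-cycle methods, here is an added example (not the book's code) in which a servlet's init and destroy methods call a role-protected EJB under the “Admin” run-as identity. The bean AuditBean, its record method and the servlet AdminAuditServlet are hypothetical names chosen for this illustration.

```java
// Added example: init()/destroy() calls into an EJB run under @RunAs("Admin").
// AuditBean, record() and AdminAuditServlet are hypothetical names.
// Each class below belongs in its own source file in a real deployment.

// --- AuditBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Only callers in the "Admin" role may invoke this bean; any other
// identity is rejected by the EJB container with an access exception.
@Stateless
@RolesAllowed("Admin")
public class AuditBean {
    @Resource
    private SessionContext ctx;

    public String record(String event) {
        // Reports the principal the EJB container actually saw for this call,
        // which under run-as is the principal mapped to the "Admin" role.
        String who = ctx.getCallerPrincipal().getName();
        System.out.println("audit: " + event + " by " + who);
        return who;
    }
}

// --- AdminAuditServlet.java ---
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;

@DeclareRoles("Admin")
@RunAs("Admin") // identity used for EJB calls from init(), destroy() and service()
@WebServlet(name = "AdminAuditServlet", urlPatterns = {"/admin/audit"})
public class AdminAuditServlet extends HttpServlet {
    @EJB
    private AuditBean audit;

    @Override
    public void init() throws ServletException {
        // No user is authenticated while the container initializes the servlet;
        // in Servlet 3.1 this call still carries the "Admin" run-as identity.
        audit.record("servlet started");
    }

    @Override
    public void destroy() {
        audit.record("servlet stopped");
    }
}
```

The run-as role still has to be mapped to an actual principal in the container's vendor-specific deployment descriptor, which is omitted here.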