Java Reference
In-Depth Information
<T extends EventListener> void createListener(Class<T> clazz)
The following excerpt from the servlet org.javaee.7.chapter01.SessionIdTest demonstrates how to change a
session identifier using this new technique.
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
PrintWriter out = response.getWriter();
HttpSession session = request.getSession();
try {
/* TODO output your page here. You may use following sample code. */
out.println("<!DOCTYPE html>");
out.println("<title>Servlet SessionIdTest</title>");
out.println("<h1>Servlet SessionIdTest at " + request.getContextPath() + "</h1>");
out.println("<p>the current sesion id is: " + session.getId());
out.println("<p>the current session id has been changed, now it is: " +
} finally {
Denying Uncovered HTTP Methods
To specify permissions for a given servlet, one must configure security constraints in the web.xml to specify role
auth-constraint for a given web-resource-collection . That said, in Servlet 3.0 and prior, any servlet that was not
explicitly configured with a security constraint within the web.xml was made available for everyone. The new element
<deny-uncovered-http-methods/> can be added to a web.xml in order to deny access to any of the http methods that
have not been specifically addressed within the security constraint.
For example, given the following security constraint configuration, members of the users role will be allowed
GET and POST access to all servlets within the url pattern. Without specifying <deny-uncovered-http-methods/> ,
all other http methods, such as POST , would be open to everyone. However, by specifying the new
<deny-uncovered-http-methods> element, all other methods are not available to anyone. For instance, the following
could be listed within the web.xml for a Servlet 3.0 application in order to secure only the GET method.
Search WWH ::

Custom Search