<T extends EventListener> void createListener(Class<T> clazz)
@WebListener
The following excerpt from the servlet org.javaee.7.chapter01.SessionIdTest demonstrates how to change a
session identifier using this new technique.
...
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    PrintWriter out = response.getWriter();
    HttpSession session = request.getSession();
    try {
        out.println("<!DOCTYPE html>");
        out.println("<html>");
        out.println("<head>");
        out.println("<title>Servlet SessionIdTest</title>");
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Servlet SessionIdTest at " + request.getContextPath() + "</h1>");
        out.println("<p>the current session id is: " + session.getId() + "</p>");
        // Servlet 3.1: keep the session and its attributes, but assign it a new identifier
        request.changeSessionId();
        out.println("<p>the current session id has been changed, now it is: "
                + session.getId() + "</p>");
        out.println("</body>");
        out.println("</html>");
    } finally {
        out.close();
    }
}
...
Denying Uncovered HTTP Methods
To specify permissions for a given servlet, one must configure security constraints in the web.xml, specifying an
auth-constraint that names the permitted roles for a given web-resource-collection. That said, in Servlet 3.0 and prior,
any servlet that was not explicitly configured with a security constraint within the web.xml was made available to
everyone. The new element <deny-uncovered-http-methods/> can be added to a web.xml in order to deny access to any of
the HTTP methods that have not been specifically addressed within the security constraint.
For example, given the following security constraint configuration, members of the users role will be allowed
GET and POST access to all servlets within the URL pattern. Without specifying <deny-uncovered-http-methods/>,
all other HTTP methods would be open to everyone. However, by specifying the new
<deny-uncovered-http-methods/> element, all other methods are not available to anyone. For instance, the following
could be listed within the web.xml for a Servlet 3.0 application in order to secure only the GET method.
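The following web.xml fragment is an added example, not the book's own listing; it assumes a URL pattern of /secure/*, a role named users and a realm named ExampleRealm, and shows the constraint that covers only GET and POST together with the Servlet 3.1 element that closes every other method.

```xml
<!-- Added example (not from the book). Assumed values: /secure/*, role "users", realm "ExampleRealm". -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

    <!-- Only GET and POST are listed, so only those two methods are covered by the constraint.
         Without deny-uncovered-http-methods, every other method (PUT, DELETE, HEAD, OPTIONS,
         TRACE, ...) on /secure/* would remain reachable without authentication. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secured area</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>users</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- New in Servlet 3.1: any method not named in a constraint for /secure/* is rejected
         by the container with a 403 response instead of being left open to everyone. -->
    <deny-uncovered-http-methods/>

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>ExampleRealm</realm-name>
    </login-config>

    <security-role>
        <role-name>users</role-name>
    </security-role>
</web-app>
```

A web-resource-collection with no <http-method> elements at all covers every method, so omitting the method list is the other way to avoid leaving methods uncovered; <deny-uncovered-http-methods/> is the safety net for constraints that do enumerate methods.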