Defensive Java Programming Notes (10 of 11) Web Container Security Features


Warning: this is amazingly boring.



Web containers are things like Apache Tomcat, WebSphere, Java Systems Webserver, JBOSS, Weblogic, and lots more.



There are some things common to all of them:

  • Web applications are created by developers

  • The security needs of a given web application are usually deployment-specific

  • Deployers should be able to specify security settings without changing application code




The method used to meet these security needs is known as declarative security, which provides a consistent security model applied across the entire web application. Declarative security is configured in the deployment descriptor, an XML file named web.xml stored in the WEB-INF directory of each individual web application.



The deployment descriptor file has the XML element web-app as the root element. Here is an example of the layout for the web.xml file:



<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
    <!-- ...non-security elements... -->

    <display-name>
      The name of the application
    </display-name>
    <description>
      C'mon, you know what goes into a description, don't you?
    </description>

    <context-param>
      <param-name>name_of_context_initialization_parameter</param-name>
      <param-value>value_of_context_initialization_parameter</param-value>
      <description> Again, some description </description>
    </context-param>

    <servlet>
      <servlet-name>guess_what_name_of_servlet</servlet-name>
      <description>Again, some description</description>
      <!-- fully qualified class name; hyphens are not legal in Java package names -->
      <servlet-class>com.foobar.somepackage.TheServlet</servlet-class>
      <init-param>
        <param-name>foo</param-name>
        <param-value>bar</param-value>
      </init-param>
    </servlet>

    <servlet>
      <servlet-name>image</servlet-name>
      <!-- placeholder class name for the second servlet mapped below -->
      <servlet-class>com.foobar.somepackage.ImageServlet</servlet-class>
    </servlet>

    <!-- each servlet-name in a mapping must match a <servlet> declared above -->
    <servlet-mapping>
      <servlet-name>guess_what_name_of_servlet</servlet-name>
      <url-pattern>*.some_pattern</url-pattern>
    </servlet-mapping>

    <servlet-mapping>
      <servlet-name>image</servlet-name>
      <url-pattern>/image</url-pattern>
    </servlet-mapping>

    <session-config>
      <session-timeout>30</session-timeout>
    </session-config>

</web-app>




context-param

The values within the context-param element can be accessed like so:



String value = getServletContext().getInitParameter("name_of_context_initialization_parameter");




Servlet initialization parameters (the init-param values within the servlet element) can be retrieved in a servlet or JSP page by calling:



String value = getServletConfig().getInitParameter("foo");




session-timeout

<session-timeout>: The timeout for a session in minutes.



servlet

For each servlet in the web application there is a <servlet> element. Its <servlet-name> child identifies the servlet, and it is this name that servlet mappings refer to.

servlet-mapping

Each servlet in the web application gets a servlet mapping. The URL pattern maps request URIs to the named servlet.

Obviously, the order of the elements matters!
