Defensive Java Programming Notes (10 of 11) Web Container Security Features


Warning: this is amazingly boring.

Web containers are things like Apache Tomcat, WebSphere, Java System Web Server, JBoss, WebLogic, and lots more.

There are some common things:

  • Web applications are created by developers

  • Security needs for a given web application are usually deployment-specific

  • Deployers should be able to specify security settings without changing application code

The method used to meet these security needs is known as declarative security, which provides a consistent security model applied across the entire web application. Declarative security is provided by the deployment descriptor, an XML file named web.xml stored in the WEB-INF directory of the individual web application.

The deployment descriptor file has the XML element web-app as the root element. Here is a partial example of the layout for the web.xml file (the listing below is a fragment; the DOCTYPE line is cut short and the security-related elements are not shown):

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

<web-app>
    <!-- ...non-security elements... -->

    <display-name>The name of the application</display-name>
    <description>C'mon, you know what goes into a description, don't you?</description>

    <!-- context-param, servlet, servlet-mapping and session-config elements follow;
         each may carry its own <description>Again, some description</description> -->
</web-app>
The values within the context-param element can be accessed like so:

String value = getServletContext().getInitParameter("name_of_context_initialization_parameter");

Servlet initialization parameters (that is, the values within the init-param children of a servlet element) can be retrieved in a servlet or JSP page by calling:

String value = getServletConfig().getInitParameter("foo");


<session-timeout>: The timeout for a session in minutes.


For each servlet in the web application, there is a <servlet> element. The name identifies the servlet (<servlet-name>).


Each servlet in the web application gets a <servlet-mapping> element. Its <url-pattern> maps request URIs to the servlet named in <servlet-name>.

Obviously, the order of the elements matters!
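As an added example (not code from the original post), here is a small Python audit of a web.xml: it parses a constructed descriptor and flags a long session-timeout, servlet mappings that no security-constraint covers, and mappings whose transport-guarantee is not CONFIDENTIAL. The security-constraint, user-data-constraint and transport-guarantee elements are standard deployment-descriptor elements not shown in the post's listing; the 30-minute threshold and the sample descriptor are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample descriptor (Servlet 2.x style, no namespace), not a real app.
WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
  <session-config><session-timeout>480</session-timeout></session-config>
  <servlet-mapping>
    <servlet-name>admin</servlet-name><url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>report</servlet-name><url-pattern>/report</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>
"""

MAX_TIMEOUT_MIN = 30  # policy threshold, an assumption for this example

def covers(pattern, path):
    """True if a url-pattern (exact, or a trailing /* prefix) covers a mapped path."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path

def audit(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    timeout = root.findtext("session-config/session-timeout")
    if timeout is None:
        findings.append("no session-timeout: the container default applies")
    elif int(timeout) <= 0 or int(timeout) > MAX_TIMEOUT_MIN:
        findings.append(f"session-timeout {timeout} min exceeds policy (0 or less means never)")
    constraints = [  # (url-patterns, transport-guarantee) per security-constraint
        ([p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")],
         sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip())
        for sc in root.findall("security-constraint")]
    for m in root.findall("servlet-mapping"):
        path = m.findtext("url-pattern").strip()
        guarantees = [tg for pats, tg in constraints if any(covers(p, path) for p in pats)]
        if not guarantees:
            findings.append(f"{path}: no security-constraint covers it")
        elif "CONFIDENTIAL" not in guarantees:
            findings.append(f"{path}: transport-guarantee is not CONFIDENTIAL")
    return findings
```

Run `audit(WEB_XML)` to see the three findings for the sample; raising the timeout policy or adding a constraint with CONFIDENTIAL transport clears them.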
