Chapter 11 Web Deployment
Web App Folder Structure
/myApp                 (.jsp, .html and other files that are served directly)
  |
  /WEB-INF             (web.xml, TLD files; nothing under here is served directly)
    |
    /lib               (jar files)
    /classes           (class files)
    /tags              (tag files)
*WAR file (Web Archive) - This is in fact a jar file and contains all application files, including WEB-INF.
One thing special about a WAR is /META-INF/MANIFEST.MF: it can declare the classes and packages the WAR depends on, so the container can check those dependencies at deploy time.
*Direct client access to files under WEB-INF or META-INF is refused by the container and shows up as a 404 error.
* <servlet-mapping><url-pattern> matching order
- Exact match : /Beer/SelectBeer.do
- Directory (path prefix) match : /Beer/* (among several prefix matches the longest prefix wins)
- Extension match : *.do
The most specific match always wins; a request that matches nothing goes to the default servlet (the "/" pattern).
*Welcome files
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>default.jsp</welcome-file>
</welcome-file-list>
*Error page
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/errorpage.jsp</location>
</error-page>
<error-page>
  <error-code>404</error-code>
  <location>/notFound.jsp</location>
</error-page>
*response.sendError(403); // sendError raises the error programmatically, so the <error-page> declared for that <error-code> is shown
*If you want to load a servlet at deploy time (container start or application start) instead of on its first request:
<servlet>
  <servlet-name>Servlet1</servlet-name>
  <servlet-class>com.example.Servlet1</servlet-class>
  <load-on-startup>1</load-on-startup>   <!-- note here -->
</servlet>
<load-on-startup>: a value of zero or greater loads the servlet at startup; a negative value (or no element at all) leaves loading until the first request. When several servlets declare it, the value determines the order of preloading: lower values load first.
* XML JSP Syntax
| Normal JSP | JSP document (XML) syntax |
|---|---|
| <%@ page import="java.util.*" %> | <jsp:directive.page import="java.util.*" /> |
| <%! int y=3; %> | <jsp:declaration>int y=3;</jsp:declaration> |
| <% list.add("Fred"); %> | <jsp:scriptlet>list.add("Fred");</jsp:scriptlet> |
| Text | <jsp:text>Text</jsp:text> |
| <%= it.next() %> | <jsp:expression>it.next()</jsp:expression> |
* EJB DD tags
- Reference to a local bean
<ejb-local-ref>
  <ejb-ref-name>ejb/LocalCustomer</ejb-ref-name>
  <ejb-ref-type>Entity</ejb-ref-type>   <!-- Entity or Session -->
  <local-home>com.test.TestHome</local-home>
  <local>com.test.Test</local>
</ejb-local-ref>
- Reference to a remote bean
<ejb-ref>
  <ejb-ref-name>ejb/Customer</ejb-ref-name>
  <ejb-ref-type>Entity</ejb-ref-type>
  <home>com.test.TestHome</home>
  <remote>com.test.Test</remote>
</ejb-ref>
The remote <ejb-ref> element existed first and <ejb-local-ref> was added later, which is why the naming is inconsistent (the remote variant carries no "remote" qualifier in its element names).
*JNDI DD tag (environment entry; the servlet looks it up as java:comp/env/rates/discountRate)
<env-entry>
  <env-entry-name>rates/discountRate</env-entry-name>
  <env-entry-type>java.lang.Integer</env-entry-type>   <!-- any type with a single-String constructor, plus java.lang.Character -->
  <env-entry-value>10</env-entry-value>                <!-- given as a string (a single char if the type is Character) -->
</env-entry>
*Declaring a <mime-mapping>
<mime-mapping>
  <extension>mpg</extension>
  <mime-type>video/mpeg</mime-type>
</mime-mapping>
Chapter 12 web app security
- Authentication : userid/password (who you are)
- Authorization : role (what you are allowed to do)
- Confidentiality : SSL (nobody else is able to read the data along the way)
- Data integrity : SSL (the client sees exactly what the server sent; nothing was changed along the way)
DD entries
<login-config>
  <auth-method>BASIC</auth-method>   <!-- BASIC, DIGEST, CLIENT-CERT, FORM -->
</login-config>
<security-role><role-name>Admin</role-name></security-role>
<security-role><role-name>Member</role-name></security-role>
<security-role><role-name>manager</role-name></security-role>
<security-constraint>
  <!-- Multiple web-resource-collection elements are allowed -->
  <web-resource-collection>
    <web-resource-name>AuthTest</web-resource-name>
    <url-pattern>/auth/*</url-pattern>
    <url-pattern>/check/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <!-- Only the listed methods (GET and POST) are constrained, i.e. checked for access.
         If no http-method is given, all methods are constrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
</security-constraint>
Caveat: <http-method> is a list of what gets checked, not of what the container accepts. With only GET and POST listed, HEAD, PUT, DELETE, OPTIONS and any other verb sent to /auth/* reach the servlet with no role check at all (HTTP verb tampering). Leave <http-method> out unless you deliberately want the other verbs open.
<auth-constraint> rules
- <auth-constraint> exists but names no <role-name> (or contains only an empty <role-name />): no one is allowed.
- <role-name>*</role-name>: any user who holds at least one of the roles declared in the DD is allowed.
- Role names are case sensitive.
- No <auth-constraint> at all: everyone is allowed, authenticated or not.
- When two different non-empty <auth-constraint> elements apply to the same constrained resource, access is granted to the union of all roles from both elements. An empty <auth-constraint> combined with anything still denies everyone, and a constraint with no <auth-constraint> opens the resource regardless of the others.
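The two matching rules on this sheet are easy to get wrong in the other direction: for servlet dispatch the most specific url-pattern wins, while for security constraints every constraint on the best-matching pattern is combined (union of roles, an empty <auth-constraint> denies, a missing one permits, and an unlisted <http-method> is not checked at all). The following Python model is an added example, not code from the cram sheet or from any container; the web.xml it parses is constructed for this example, and the precedence it implements (exact, then longest path prefix, then extension, then the default "/") is the one described above.

```python
"""Model of url-pattern dispatch and <security-constraint> evaluation.
Added example: the embedded web.xml is constructed, not a real application's."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

WEB_XML = """<web-app>
  <servlet-mapping><servlet-name>Beer</servlet-name><url-pattern>/Beer/SelectBeer.do</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>BeerDir</servlet-name><url-pattern>/Beer/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Action</servlet-name><url-pattern>*.do</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>Default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><url-pattern>/auth/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/auth/*</url-pattern>
      <http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/locked/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
ROOT = ET.fromstring(WEB_XML)


def match_score(pattern: str, path: str):
    """Specificity of a url-pattern that matches path, or None if it does not match.
    Order: exact > longest path prefix (/x/*) > extension (*.do) > default (/)."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (1, 0)
    if pattern == "/":
        return (0, 0)
    return None


MAPPINGS = [(m.findtext("servlet-name"), m.findtext("url-pattern"))
            for m in ROOT.iter("servlet-mapping")]


def dispatch(path: str) -> Optional[str]:
    """Servlet that serves path: the single most specific matching pattern wins."""
    best = max(((s, name) for name, pat in MAPPINGS
                if (s := match_score(pat, path)) is not None), default=None)
    return best[1] if best else None


@dataclass
class Constraint:
    patterns: List[str]
    methods: Set[str]           # empty => every HTTP method is constrained
    roles: Optional[Set[str]]   # None => no <auth-constraint>; set() => an empty one
    confidential: bool


CONSTRAINTS = []
for sc in ROOT.iter("security-constraint"):
    auth = sc.find("auth-constraint")
    guarantee = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
    for wrc in sc.findall("web-resource-collection"):
        CONSTRAINTS.append(Constraint(
            patterns=[p.text for p in wrc.findall("url-pattern")],
            methods={m.text for m in wrc.findall("http-method")},
            roles=None if auth is None else
            {r.text.strip() for r in auth.findall("role-name") if r.text and r.text.strip()},
            confidential=guarantee in ("INTEGRAL", "CONFIDENTIAL")))


def check_access(method: str, path: str, roles: Optional[Set[str]]):
    """roles is None for an unauthenticated request, else the caller's role set.
    Returns (allowed, https_required)."""
    scored = [(s, c) for c in CONSTRAINTS for p in c.patterns
              if (s := match_score(p, path)) is not None]
    if not scored:
        return True, False                  # nothing constrains this URL at all
    top = max(s for s, _ in scored)         # best-matching pattern, same order as dispatch
    applicable = [c for s, c in scored
                  if s == top and (not c.methods or method in c.methods)]
    if not applicable:
        return True, False                  # pattern matched, but not for this verb: unchecked
    https = any(c.confidential for c in applicable)
    if any(c.roles is None for c in applicable):
        return True, https                  # a constraint without <auth-constraint> opens it
    if any(not c.roles for c in applicable):
        return False, https                 # an empty <auth-constraint> denies everyone
    if not roles:
        return False, https                 # unauthenticated, or authenticated with no roles
    allowed = set().union(*(c.roles for c in applicable))   # union of both role lists
    return ("*" in allowed or bool(roles & allowed)), https
```

Run check_access("DELETE", "/auth/x", None) against this descriptor and it comes back allowed with no HTTPS requirement, although GET and POST on the same URL require manager or Admin over SSL: that is the gap the http-method list opens.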
* HttpServletRequest : three security-related methods
- getUserPrincipal() : returns the java.security.Principal of the authenticated user (null if none); this is the identity that is propagated to EJBs.
- getRemoteUser() : returns the login name of the authenticated user, or null if nobody is logged in. It works for every auth-method, not only BASIC.
- isUserInRole("Manager") : returns true or false. The user must be authenticated and mapped to this role; an unauthenticated user always gets false.
* If a role name is hard coded in the servlet but you want to map it to a different role name without changing code, alias it in the DD with <security-role-ref> (declared inside that servlet's <servlet> element):
<security-role-ref>
  <role-name>Manager</role-name>   <!-- the role name hard coded in the servlet -->
  <role-link>Admin</role-link>     <!-- the actual role name in our application -->
</security-role-ref>
<security-role><role-name>Admin</role-name></security-role>
Authentication types
- BASIC : credentials are sent base64-encoded, which is trivially reversible; weak unless combined with SSL
- DIGEST : sends a hash of the password instead of the password; J2EE containers are not required to implement it
- CLIENT-CERT : strongest; the client needs an X.509 certificate and the exchange runs over SSL
- FORM : uses an HTML form but no encryption at all, the password crosses the wire in clear text (should be used with SSL)
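What "weak" and "no encryption" mean on the wire, as an added example that is not part of the cram sheet: the user, password, realm, nonce and wordlist below are constructed, and the Digest computation follows the RFC 2617 formula without qop. BASIC and FORM credentials are recovered directly from the captured bytes; a DIGEST response hides the password but, being unsalted MD5 over a known nonce, still falls to offline guessing when the password is weak.

```python
"""What an on-path observer gets from BASIC, FORM and DIGEST credentials.
Added example; all values are constructed for illustration."""
import base64
import hashlib
from urllib.parse import parse_qs

REALM = "Members"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed server nonce


def basic_header(user, password):
    """Authorization header a browser sends for BASIC: base64 is encoding, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_credentials_from(header):
    """Everything an observer needs is in the header itself."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def form_credentials_from(body):
    """FORM login: the j_username / j_password POST body is just as readable."""
    fields = parse_qs(body)
    return fields["j_username"][0], fields["j_password"][0]


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response = MD5(HA1 ':' nonce ':' HA2); the password itself never leaves the client."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def crack_digest(response, user, realm, method, uri, nonce, wordlist):
    """Offline guessing against a captured DIGEST exchange. The nonce only stops
    replay; MD5 is fast, so a weak password still falls to a wordlist."""
    for guess in wordlist:
        if digest_response(user, realm, guess, method, uri, nonce) == response:
            return guess
    return None


if __name__ == "__main__":
    hdr = basic_header("fred", "b33r!")
    print(hdr, "->", basic_credentials_from(hdr))
    print(form_credentials_from("j_username=fred&j_password=b33r%21"))
    resp = digest_response("fred", REALM, "b33r!", "GET", "/auth/index.jsp", NONCE)
    print("digest", resp, "->",
          crack_digest(resp, "fred", REALM, "GET", "/auth/index.jsp", NONCE, ["password", "beer", "b33r!"]))
```

The digest response is bound to the method and URI as well as the nonce, so a captured value cannot be replayed against a different request; that is the protection DIGEST adds, and it is all it adds, which is why every one of these methods still wants a CONFIDENTIAL transport guarantee.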
*DD
<login-config>
  <auth-method>FORM</auth-method>   <!-- BASIC, DIGEST, CLIENT-CERT, FORM -->
  <form-login-config>               <!-- form login only -->
    <form-login-page>/loginPage.html</form-login-page>
    <form-error-page>/errorPage.html</form-error-page>
  </form-login-config>
</login-config>
*loginPage.html : please remember that the form action and the input names are mandatory.
<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Enter">
</form>
Remember j_security_check, j_username, and j_password
Using SSL
<security-constraint>
  <web-resource-collection> … </web-resource-collection>
  <auth-constraint> … </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
- NONE : default. No protection
- INTEGRAL : data must not be changed along the way
- CONFIDENTIAL : data must not be seen by anybody along the way
In practice both INTEGRAL and CONFIDENTIAL cause the container to use SSL, typically by redirecting a plain-HTTP request for the resource to HTTPS.
May 15th, 2008 at 1:34 pm
Next: [SCWCD] Cram Sheet 8 - Web Deployment and Security. Posted by HanaDaddy. Filed in java. Tags: java, SCWCD