Core Servlets and JavaServer Pages
Volume 2: Advanced Technologies
Second Edition

Marty Hall
Larry Brown
Yaakov Chaikin

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:

U.S. Corporate and Government Sales
(800) 382-3419
[email protected]

For sales outside the United States please contact:

International Sales
[email protected]

This Book Is Safari Enabled

The Safari® Enabled icon on the cover of your favorite technology book means the book is available through Safari Bookshelf. When you buy this book, you get free access to the online edition for 45 days. Safari Bookshelf is an electronic reference library that lets you easily search thousands of technical books, find code samples, download chapters, and access technical information whenever and wherever you need it.
To gain 45-day Safari Enabled access to this book:

• Go to http://www.prenhallprofessional.com/safarienabled
• Complete the brief registration form
• Enter the coupon code HLJ5-S0UK-WUI6-TPLD-DC7K

If you have difficulty registering on Safari Bookshelf or accessing the online edition, please e-mail [email protected].

Visit us on the Web: www.prenhallprofessional.com

Library of Congress Control Number: 2003058100

Copyright © 2008 Pearson Education, Inc.

All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, write to:

Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447

ISBN-13: 978-0-13-148260-9
ISBN-10: 0-13-148260-2

Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.

First printing, December 2007

Contents

INTRODUCTION  xvii
    Who Should Read This Book  xviii
    Conventions  xix
    About the Web Site  xx

ACKNOWLEDGMENTS  xxi

ABOUT THE AUTHORS  xxii

1  USING AND DEPLOYING WEB APPLICATIONS  2
    1.1  Purpose of Web Applications  3
        Organization  4
        Portability  4
        Separation  4
    1.2  Structure of Web Applications  5
        Locations for Various File Types  5
    1.3  Registering Web Applications with the Server  9
        Registering a Web Application with Tomcat  10
        Registering a Web Application with Other Servers  12
    1.4  Development and Deployment Strategies  14
        Copying to a Shortcut or Symbolic Link  15
        Using IDE-Specific Deployment Features  16
        Using Ant, Maven, or a Similar Tool  16
        Using an IDE in Combination with Ant  17
    1.5  The Art of WAR: Bundling Web Applications into WAR Files  17
    1.6  Building a Simple Web Application  18
        Download and Rename app-blank to testApp  18
        Download test.html, test.jsp, and TestServlet.java  19
        Add test.html, test.jsp to the testApp Web Application  19
        Place TestServlet.java into the testApp/WEB-INF/classes/coreservlets Directory  20
        Compile TestServlet.java  20
        Declare TestServlet.class and the URL That Will Invoke It in web.xml  21
        Copy testApp to tomcat_dir/webapps  23
        Start Tomcat  23
        Access testApp with the URL of the Form http://localhost/testApp/someResource  23
    1.7  Sharing Data Among Web Applications  25

2  CONTROLLING WEB APPLICATION BEHAVIOR WITH WEB.XML  34
    2.1  Purpose of the Deployment Descriptor  35
    2.2  Defining the Header and the Root Element  36
    2.3  The Elements of web.xml  37
        Version 2.4  38
        Version 2.3  40
    2.4  Assigning Names and Custom URLs  42
        Assigning Names  42
        Defining Custom URLs  44
        Naming JSP Pages  50
    2.5  Disabling the Invoker Servlet  52
        Remapping the /servlet/ URL Pattern  53
        Globally Disabling the Invoker: Tomcat  55
    2.6  Initializing and Preloading Servlets and JSP Pages  56
        Assigning Servlet Initialization Parameters  56
        Assigning JSP Initialization Parameters  60
        Supplying Application-Wide Initialization Parameters  63
        Loading Servlets When the Server Starts  64
    2.7  Declaring Filters  68
    2.8  Specifying Welcome Pages  71
    2.9  Designating Pages to Handle Errors  72
        The error-code Element  73
        The exception-type Element  75
    2.10  Providing Security  78
        Designating the Authentication Method  78
        Restricting Access to Web Resources  80
        Assigning Role Names  83
    2.11  Controlling Session Timeouts  83
    2.12  Documenting Web Applications  84
    2.13  Associating Files with MIME Types  85
    2.14  Configuring JSP Pages  86
        Locating Tag Library Descriptors  86
        Configuring JSP Page Properties  87
    2.15  Configuring Character Encoding  93
    2.16  Designating Application Event Listeners  93
    2.17  Developing for the Clustered Environment  95
    2.18  J2EE Elements  97

3  DECLARATIVE SECURITY  104
    3.1  Form-Based Authentication  106
        Setting Up Usernames, Passwords, and Roles  108
        Telling the Server You Are Using Form-Based Authentication; Designating Locations of Login and Login-Failure Pages  110
        Creating the Login Page  111
        Creating the Page to Report Failed Login Attempts  114
        Specifying URLs That Should Be Password Protected  115
        Listing All Possible Abstract Roles  118
        Specifying URLs That Should Be Available Only with SSL  119
        Turning Off the Invoker Servlet  120
    3.2  Example: Form-Based Authentication  122
        The Home Page  122
        The Deployment Descriptor  123
        The Password File  127
        The Login and Login-Failure Pages  128
        The investing Directory  129
        The ssl Directory  132
        The admin Directory  138
        The NoInvoker Servlet  140
        Unprotected Pages  141
    3.3  BASIC Authentication  143
        Setting Up Usernames, Passwords, and Roles  145
        Telling the Server You Are Using BASIC Authentication; Designating Realm  145
        Specifying URLs That Should Be Password Protected  146
        Listing All Possible Abstract Roles  146
        Specifying URLs That Should Be Available Only with SSL  147
    3.4  Example: BASIC Authentication  147
        The Home Page  147
        The Deployment Descriptor  149
        The Password File  151
        The Financial Plan  152
        The Business Plan  154
        The NoInvoker Servlet  156
    3.5  Configuring Tomcat to Use SSL  156
    3.6  WebClient: Talking to Web Servers Interactively  164
    3.7  Signing a Server Certificate  167
        Exporting the CA Certificate  170
        Using WebClient with Tomcat and SSL  175

4  PROGRAMMATIC SECURITY  178
    4.1  Combining Container-Managed and Programmatic Security  180
        Security Role References  182
    4.2  Example: Combining Container-Managed and Programmatic Security  183
    4.3  Handling All Security Programmatically  188
    4.4  Example: Handling All Security Programmatically  190
    4.5  Using Programmatic Security with SSL  195
        Determining If SSL Is in Use  195
        Redirecting Non-SSL Requests  195
        Discovering the Number of Bits in the Key  196
        Looking Up the Encryption Algorithm  196
        Accessing Client X.509 Certificates  197
    4.6  Example: Programmatic Security and SSL  197

5  SERVLET AND JSP FILTERS  202
    5.1  Creating Basic Filters  204
        Create a Class That Implements the Filter Interface  205
        Put the Filtering Behavior in the doFilter Method  206
        Call the doFilter Method of the FilterChain Object  206