Friday May 29, 2009

New sorting options for directory listings in GlassFish v3


The section in the Servlet specification that talks about Welcome Files has this:

If no matching welcome file is found in the manner described, the container may handle the request in a manner it finds suitable. For some configurations this may mean returning a directory listing or for others returning a 404 response.

GlassFish may be configured to return a directory listing if a request fails to be mapped to any welcome file, by setting the listings init parameter in the DefaultServlet declaration of the domain's default-web.xml to true (the default is false), as follows. Keep in mind that once listings are enabled, every directory under the document root that has no welcome file discloses its file names to any client that asks, so the setting belongs on development instances rather than in production:

  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>

Up until now, the directory listings were always sorted in alphabetical order.

The latest GlassFish v3 provides additional sorting options by last-modified date and size, by introducing a new init parameter with name sortedBy for the DefaultServlet, whose value may be set to one of NAME (the default), LAST_MODIFIED, or SIZE, as follows:

  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>sortedBy</param-name>
      <param-value>[NAME|LAST_MODIFIED|SIZE]</param-value>
    </init-param>
  </servlet>
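Since the listings switch lives in a file that is easy to forget about, a reviewer typically wants a quick way to audit it. The following Python is an added example, not code from the original post or from GlassFish: it reads a default-web.xml, locates the DefaultServlet declaration, and reports whether listings are on and which sortedBy value is set. The sample document is constructed; the assumption that the file carries the usual web-app default namespace (which must be stripped for tag matching) is mine, and the audit also works without it.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a domain's default-web.xml, limited to the
# DefaultServlet declaration (not copied from a real GlassFish install).
# It carries the usual web-app default namespace, which the audit strips.
SAMPLE_DEFAULT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>sortedBy</param-name>
      <param-value>LAST_MODIFIED</param-value>
    </init-param>
  </servlet>
</web-app>
"""

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
VALID_SORT_ORDERS = ("NAME", "LAST_MODIFIED", "SIZE")


def _local(tag):
    """Strip a namespace prefix such as {http://...} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_init_params(xml_text):
    """Return the DefaultServlet's init-params as a dict, or None if absent."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                name = _child_text(child, "param-name")
                value = _child_text(child, "param-value")
                if name is not None:
                    params[name] = value or ""
        return params
    return None


def audit_directory_listings(xml_text):
    """Summarize the listing configuration and flag what a reviewer cares about."""
    params = default_servlet_init_params(xml_text)
    if params is None:
        return {"listings": False, "sortedBy": "NAME",
                "findings": ["no DefaultServlet declaration found"]}
    listings = params.get("listings", "false").strip().lower() == "true"
    sorted_by = params.get("sortedBy", "NAME").strip()
    findings = []
    if listings:
        findings.append("listings=true: every directory without a welcome file "
                        "exposes its file names to any client")
    if sorted_by not in VALID_SORT_ORDERS:
        findings.append(f"sortedBy={sorted_by!r} is not one of {VALID_SORT_ORDERS}")
    return {"listings": listings, "sortedBy": sorted_by, "findings": findings}


if __name__ == "__main__":
    for line in audit_directory_listings(SAMPLE_DEFAULT_WEB_XML)["findings"]:
        print(line)
```

Run it against the real file with `audit_directory_listings(open(path).read())`; an empty findings list means listings are off and any sortedBy value is one GlassFish understands.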

Please send any questions or comments you may have to the GlassFish webtier alias, or post them to the GlassFish webtier forum.

Thursday Dec 11, 2008

Changes to Servlet and Filter Registration APIs in Servlet 3.0


Right after the Public Review draft of the Servlet 3.0 specification had been handed off to the JCP for publication, the Servlet EG changed the signature of the addServlet and addFilter APIs on javax.servlet.ServletContext. These APIs are new in Servlet 3.0, and allow servlets and filters to be registered at runtime, without having to be declared in a web.xml deployment descriptor.

It was felt that the previous method signatures:

  addServlet(String servletName, String description, String className, Map initParameters, int loadOnStartup, boolean isAsyncSupported)

and

  addFilter(String filterName, String description, String className, Map initParameters, boolean isAsyncSupported)

had too many parameters, and there was concern that these methods would have to be overloaded every time a new parameter was added in the future.

Therefore, the Servlet EG decided to change addServlet to take just servletName and className parameters, and to change addFilter to take just filterName and className parameters, and to have these methods return ServletRegistration and FilterRegistration objects, respectively, on which any further configuration would occur.

For example, the following ServletContextListener registers one servlet and one filter when invoked at its contextInitialized method, and then further configures the registered servlet and filter through their respective ServletRegistration and FilterRegistration objects:

  import java.util.EnumSet;

  import javax.servlet.DispatcherType;
  import javax.servlet.FilterRegistration;
  import javax.servlet.ServletContext;
  import javax.servlet.ServletContextEvent;
  import javax.servlet.ServletContextListener;
  import javax.servlet.ServletRegistration;

  // Class name chosen for this listing; the original post showed only the method.
  public class RegistrationListener implements ServletContextListener {

      public void contextInitialized(ServletContextEvent sce) {
          ServletContext sc = sce.getServletContext();

          /*
           * Register servlet by name and class name, then configure it
           * through the returned ServletRegistration
           */
          ServletRegistration sr = sc.addServlet("NewServlet", "test.NewServlet");
          sr.setInitParameter("servletInitName", "servletInitValue");
          sc.addServletMapping("NewServlet", new String[] {"/newServlet"});

          /*
           * Register filter that is going to intercept any requests to the
           * servlet (matched by servlet name, REQUEST dispatches only)
           */
          FilterRegistration fr = sc.addFilter("NewFilter", "test.NewFilter");
          fr.setInitParameter("filterInitName", "filterInitValue");
          sc.addFilterMappingForServletNames("NewFilter",
              EnumSet.of(DispatcherType.REQUEST), true, "NewServlet");
      }

      public void contextDestroyed(ServletContextEvent sce) {
          // nothing to clean up
      }
  }

While these changes are not reflected in the Public Review draft of the Servlet 3.0 specification, they have already been implemented in the trunk version of GlassFish v3, which is going to be the reference implementation of the Servlet 3.0 specification.

Please send any questions or comments to the GlassFish webtier alias, or post them to the GlassFish webtier forum.

Thursday Oct 16, 2008

How to configure the security of HTTP session and Single-Sign-On cookies in GlassFish


Overview

The javax.servlet.http.Cookie API allows servlets to mark application specific cookies as secure by calling setSecure. However, there is no programmatic support for marking container-generated cookies, such as HTTP session (aka JSESSIONID) and Single-Sign-On (aka JSESSIONIDSSO) related cookies, as secure. This blog explains how the security aspects of these types of cookies may be configured in the upcoming GlassFish v2.1 and GlassFish v3 Prelude releases.

Motivation

The syntax for cookies, as given by the cookie specification, defines a Secure attribute (with no value). This attribute serves as an indication by the server to the client that the cookie contents require protection.

The client may determine what level of security it considers appropriate for cookies marked as secure. In most cases, it will send a secure cookie back to the server only if the connection is protected with SSL.

By default, a JSESSIONID cookie inherits the security setting of the request that initiated the corresponding HTTP session: If the HTTP session has been initiated by an HTTPS request, the secure attribute of its JSESSIONID cookie will be set to true, and will remain false if the session was initiated by a plain HTTP request.

In some cases, it may be necessary to override this default behaviour. For example, if the GlassFish instance is front-ended by an SSL-offloading load balancer (as shown in the image below), every request it receives arrives as plain HTTP, whereas the traffic between the client and the load balancer is over HTTPS. In this case, any JSESSIONID cookies created by the web container on the GlassFish instance must be marked as secure (even though the corresponding sessions were initiated by HTTP requests), so that the browser returns them only over HTTPS and their contents (in particular the session ids) are protected as they travel between the client and the load balancer.

Security configuration of HTTP session cookies

The upcoming GlassFish v2.1 and GlassFish v3 Prelude releases add support for configuring a JSESSIONID cookie's secure attribute through a cookie property with name cookieSecure in sun-web.xml, as follows:

  <?xml version="1.0" encoding="UTF-8"?>
  <sun-web-app>
    <session-config>
      <cookie-properties>
        <property name="cookieSecure" value="[true|false|dynamic]"/>
      </cookie-properties>
    </session-config>
  </sun-web-app>

The semantics of the possible values of the cookieSecure property are as follows.

  • true: Any JSESSIONID cookies created by the container on behalf of the web application will be marked as secure.
  • false: Any JSESSIONID cookies created by the container on behalf of the web application will be marked as non-secure.
  • dynamic: A JSESSIONID cookie created by the container on behalf of the web application will inherit its security setting from the request that initiated the corresponding session: If the session was initiated by an HTTPS request, its JSESSIONID cookie will be marked as secure, and will remain non-secure otherwise. This is the default.

Note that the next version of the Servlet Specification (Servlet 3.0) is going to provide programmatic configuration support (including security) for JSESSIONID cookies by defining a new javax.servlet.SessionCookieConfig class along with a new setSessionCookieConfig method on javax.servlet.ServletContext which takes an argument of type javax.servlet.SessionCookieConfig. The configuration options provided by javax.servlet.SessionCookieConfig will be equivalent to the cookie-properties in sun-web.xml (with the addition of configuration support for the httpOnly cookie property).

Security configuration of Single-Sign-On cookies

Based on a user request, GlassFish v3 Prelude adds support for configuring the security of JSESSIONIDSSO cookies used in the context of Single-Sign-On (SSO). Since multiple applications may participate in SSO, and since only applications deployed to the same virtual server and belonging to the same security realm may participate in SSO, exposing the configuration of a JSESSIONIDSSO cookie's Secure attribute at the virtual server level seemed appropriate. Therefore, GlassFish v3 Prelude defines a new virtual-server property with name ssoCookieSecure, which may be set to true, false, or dynamic. The semantics are the same as described above for JSESSIONID cookies, except that in the case of dynamic (the default), the security setting of the JSESSIONIDSSO cookie is derived from the first request that initiated a session participating in SSO.
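The three-valued semantics above apply to both cookieSecure (JSESSIONID) and ssoCookieSecure (JSESSIONIDSSO), and the way to confirm a setting took effect is to look at the Set-Cookie headers the client actually receives. The following Python is an added example, not code from the original post or from GlassFish: it encodes the true/false/dynamic rule as a function, parses Set-Cookie header values, and flags container session cookies that lack Secure (when the client-facing leg is TLS, whether terminated at GlassFish or at an SSL-offloading load balancer) or HttpOnly. The header values are constructed, and the HttpOnly check is my addition on top of what the post configures.

```python
SESSION_COOKIE_NAMES = ("JSESSIONID", "JSESSIONIDSSO")

# Constructed Set-Cookie header values, as an SSL-offloading load balancer
# might relay them from a GlassFish instance that only sees plain HTTP.
# The session ids are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=2f3c9d0a1b7e; Path=/myapp; HttpOnly",
    "JSESSIONIDSSO=8a1b4c2d9e0f; Path=/; Secure",
    "theme=dark; Path=/myapp",
]


def cookie_secure_flag(policy, session_started_over_https):
    """Value of the Secure attribute under cookieSecure / ssoCookieSecure.

    true    -> always Secure
    false   -> never Secure
    dynamic -> Secure only if the session (for SSO: the first session that
               joined the SSO group) was initiated by an HTTPS request.
    Behind an SSL-offloading load balancer the container sees HTTP, so
    'dynamic' yields False there; 'true' is the setting that fixes it.
    """
    policy = policy.strip().lower()
    if policy == "true":
        return True
    if policy == "false":
        return False
    if policy == "dynamic":
        return bool(session_started_over_https)
    raise ValueError(f"unsupported value {policy!r}; use true, false or dynamic")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookies(set_cookie_headers, client_leg_is_tls):
    """Report container session cookies whose attributes do not fit the deployment.

    client_leg_is_tls: True when the browser reaches the site over HTTPS,
    regardless of whether TLS ends at GlassFish or at a load balancer.
    """
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie["name"] not in SESSION_COOKIE_NAMES:
            continue
        if client_leg_is_tls and cookie["attrs"].get("secure") is not True:
            findings.append(f"{cookie['name']} lacks Secure: the browser will also "
                            "send it over http://, exposing the session id")
        if cookie["attrs"].get("httponly") is not True:
            findings.append(f"{cookie['name']} lacks HttpOnly: readable from script")
    return findings


if __name__ == "__main__":
    # Offloading scenario: the container saw plain HTTP, client leg is HTTPS.
    print("dynamic behind offloader ->", cookie_secure_flag("dynamic", False))
    print("true behind offloader    ->", cookie_secure_flag("true", False))
    for line in audit_session_cookies(SAMPLE_SET_COOKIE_HEADERS, True):
        print(line)
```

To use it on a live deployment, capture the response headers from the browser side of the load balancer and pass every Set-Cookie value to audit_session_cookies with client_leg_is_tls=True; the JSESSIONID finding disappears once cookieSecure=true is in sun-web.xml, and the JSESSIONIDSSO one once ssoCookieSecure=true is on the virtual server.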

Please send any follow-up questions, or any questions on the GlassFish webtier in general, to webtier@glassfish.dev.java.net, or post them to the webtier forum.

Wednesday Oct 01, 2008

Retain session data during redeployment


Overview

The just-released GlassFish v3 Prelude provides a new feature that is going to become very popular with developers: the ability to retain HTTP session data across redeploys, which is something Jerome Dochez and I have worked on together.

Motivation

Let me briefly explain what motivated this feature, and why it is so important: When you redeploy an application, the application first gets undeployed, and then its new, updated bits are deployed. During the undeploy, GlassFish is going to remove any and all traces of the application, including its classloader, compiled JSPs, and file-persisted HTTP sessions (in case a file-based persistence mechanism is being used). In addition, any active HTTP sessions will be destroyed. In many cases, a number of HTTP sessions will have been created during each development cycle. After a redeployment, these sessions will have to be recreated from scratch: A tedious and time-consuming task!

How to enable

GlassFish v3 Prelude adds the ability to preserve any active HTTP sessions during a redeploy. A user may request this feature by passing the new keepSessions property (set to true) to the asadmin redeploy command.

Example usage:

  asadmin redeploy --properties keepSessions=true --name myapp myapp.war

The GlassFish admin console also exposes this new feature, which has also been incorporated into the Deploy on Change feature of NetBeans, which instantly redeploys a WAR- or EAR-based, directory-exploded application as soon as one of its class files or descriptors has changed. Both NetBeans and the GlassFish Plugin for Eclipse allow developers to enable this feature by clicking on the new Preserve Sessions Across Redeployment checkbox, which can be seen at the bottom of the snapshots taken for NetBeans and the GlassFish Plugin for Eclipse.

Implementation details

Behind the scenes, any active sessions will no longer be destroyed during a redeployment if so requested by the user: Instead, they will be stored in memory in serialized form, and restored from memory and deserialized when the redeployment has completed.

If any of the active sessions of the application fail to be serialized or deserialized, a warning will be logged, and the redeployment will continue, but none of the sessions that were active prior to the redeployment will be available following the redeployment.

The new classloader of the redeployed application will be used to deserialize any sessions previously saved. The usual restrictions about serialization and deserialization apply. For example, any application specific classes referenced by a session attribute may evolve only in a backwards compatible way.

Summary

GlassFish v3 Prelude simplifies your development cycles and increases your productivity by allowing you to preserve any active HTTP sessions when you redeploy your applications.

About

jluehe
