web.xml configuration details

Posted by env3rt on Mon, 31 Jan 2022 21:57:57 +0100

web.xml configuration

Root label

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
		xmlns="http://java.sun.com/xml/ns/javaee" 
		xmlns:jsp="http://java.sun.com/xml/ns/javaee/jsp" 
		xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" 
		version="3.0">

	<!-- Other contents -->

</web-app>

Safety certification label

elementexplain
web-resource-collectionThe web resource collection element identifies the subset of resources that need to be restricted. In the web resource collection element, you can define URL patterns and HTTP methods. If HTTP methods do not exist, security constraints are applied to all methods.
web-resource-nameIs the name associated with the protected resource
auth-constraintThe auth constraint element is used to specify the user roles that can access the resource collection. If the auth constraint element is not specified, the security constraint is applied to all roles.
role-nameContains the name of the security role
	<security-constraint>
        <display-name>Description name</display-name>
        <web-resource-collection>
            <web-resource-name>test</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
      		<http-method>DELETE</http-method>
      		<http-method>HEAD</http-method>
      		<http-method>OPTIONS</http-method>
      		<http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
    
	<login-config>
    	<auth-method>BASIC</auth-method>
	</login-config>
<!-- Four types of certification -->
    <!-- BASIC: HTTP standard, Base64 This method is considered the most insecure authentication because it does not provide strong encryption measures -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    
    <!-- DIGEST: HTTP Specification, data integrity is stronger, but not SSL Compared to BASIC Authentication, which is a relatively safe authentication. It will request data to pass during authentication MD5 Authentication by encryption -->
    <login-config>
        <auth-method>DIGEST</auth-method>
    </login-config>
    
    <!-- CLIENT-CERT: J2EE Specification, strong data integrity, public key(PKC) This is an authentication method based on client certificate, which is more secure. However, the defect is that it cannot be used on clients without security certificates -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    
    <!-- FORM: J2EE Specification, data integrity is very weak, there is no encryption, and a customized login interface is allowed. This is a basic user-defined form authentication. You can specify the verification form when logging in -->
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
	</login-config>
parameterexplain
BASICAccording to the HTTP specification, Base64 is considered the most insecure authentication because it does not provide strong encryption measures
DIGESTHTTP specification has stronger data integrity, but it is not SSL. Compared with BASIC authentication, it is a relatively secure authentication. During authentication, it authenticates the requested data through MD5 encryption
CLIENT-CERTJ2EE specification, strong data integrity, public key (PKC), which is an authentication method based on client certificate, is relatively safe. However, the defect is that it cannot be used on clients without security certificates
FORMJ2EE specification, data integrity is very weak, there is no encryption, and a customized login interface is allowed. This is a basic user-defined form authentication. You can specify the verification form when logging in

Web application icon, name and description

	<!-- .gif perhaps .jpg format -->
	<!-- point out IDE and GUI Tools are used to represent Web Large and small icons for apps -->
	<icon> 
	  <!-- (16x16 (pixels) -->
	  <small-icon>/images/app_small.gif</small-icon> 
	  <!-- (32x32 (pixels) -->
	  <large-icon>/images/app_large.gif</large-icon> 
	</icon>
	
	<!-- appoint Web The display name of the application, i.e GUI Abbreviations that the tool can display -->
	<display-name>Tomcat Example</display-name>
	
	<!-- Give the relevant explanatory text -->
	<disciption>Tomcat Example servlets and JSP pages.</disciption> 

Initialization process

  • When you start a Web project, a container, such as tomcat, reads the Web Two nodes in the XML configuration file < listener > and < context param >

  • Then the container will create a ServletContext (context), which can be used by the whole WEB project

  • Then the container will convert the read < context param > into a key value pair and give it to ServletContext

  • The container creates a class instance in < listener >, that is, it creates a listener

    Note: the class defined by listener can be customized, but it must inherit ServletContextListener

  • There will be a contextInitialized(ServletContextEvent event) initialization method in the listening class. In this method, you can use event getServletContext(). Getinitparameter ("contextConfigName") to get the value set by context param

  • There must also be a contextDestroyed(ServletContextEvent event) destruction method in this class, which is used to release resources before closing applications, such as closing database connections
    After you get the value of context param, you can do some operations

    Note that your WEB project has not been fully started and completed at this time. This action will be earlier than all servlets

  • Container for web The loading process of XML is context param > > listener > > filer > > servlet

Context param

Parameters within the scope of application are stored in servletcontext

<context-param>
	<param-name>contextConfigName</param-name>
	<param-value>contextConfigValue></param-value>
</context-param>

effect

  • This element is used to declare context initialization parameters within the application scope (the whole WEB project)

    Param name sets the parameter name of the context. Must be a unique name
    Param value the value of the parameter name set

use

  • On page
    ${initParam.contextConfigName}
  • In Servlet
    String param = getServletContext().getInitParameter("contextConfigName");

filter

	<filter>
        <filter-name>OutFilter</filter-name>
        <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
        <init-param>
            <param-name>testName</param-name>
            <param-value>testValue</param-value>
        </init-param>
        <init-param>
        	<param-name>...</param-name>
        	<param-value>...</param-value>
        </init-param>
        <!-- filterConfig.getInitParameter("testName"); -->
    </filter>
    <filter-mapping>
        <filter-name>OutFilter</filter-name>
        <url-pattern>/Check.do</url-pattern>
		<!-- 
			Exact match:/index.jsp 
			Directory matching:/com/*
			Extended matching:*.do
			Match all:/*
		-->
	
        <!-- <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>ERROR</dispatcher> -->
    </filter-mapping>  
elementexplain
<filter><\filter>Set a filter
<filter-name><\filter-name>Used to specify a name for the filter. The content of this element cannot be empty
<filter-class><\filter-class>The fully qualified class name used to specify the filter
<init-param><\init-param>Used to specify initialization parameters for the filter
Its child element < param name > specifies the name of the parameter and < param value > specifies the value of the parameter
In the filter, you can use the FilterConfig interface object to access the initialization parameters
<filter-mapping><\filte-mapping>Element is used to set the resources intercepted by a Filter
< filter name > < \ filter name > child elementThe registration name used to set the filter
The value must be the name of the filter declared in the < Filter > element
< URL pattern > < \ URL pattern > child elementSet the request path intercepted by the filter (URL Style associated with the filter)
<servlet-name><servlet-name>Specifies the name of the Servlet intercepted by the filter
< dispatcher > child elementSpecifies how the resources intercepted by the filter are called by the Servlet container
It can be one of REQUEST, INCLUDE, FORWARD and ERROR. The default is REQUEST
The user can set multiple < dispatcher > sub elements to specify the Filter to intercept multiple calls to resources
  • Values that can be set by < dispatcher > sub elements and their meanings

  • REQUEST: when the user directly accesses the page, the Web container will call the filter. If the target resource is accessed through the include() or forward() method of RequestDispatcher, the filter will not be called

  • INCLUDE: this filter will be called if the target resource is accessed through the include() method of RequestDispatcher. In addition, the filter will not be called

    As long as it is embedded through < jsp: include page = "xxx.jsp" / >, each embedded page will go through the specified filter once

  • FORWARD: if the target resource is accessed through the forward() method of RequestDispatcher, the filter will be called. Otherwise, the filter will not be called

    Only when the current page is forwarded through request forwarding, the specified filter will be taken

  • ERROR: if the target resource is called through the declarative exception handling mechanism, the filter will be called. In addition, the filter is not called

listener

	<listener> 
      <listerner-class>com.listener.MyListener</listener-class> 
	</listener>

servlet

Basic configuration

	<servlet> 
	  <!-- <description>describe</description>
      <display-name>Description name</display-name> -->
      <servlet-name>TestServlet</servlet-name> 
      <servlet-class>com.my.controller.TestServlet</servlet-class> 
   </servlet> 
   <servlet-mapping> 
      <servlet-name>TestServlet</servlet-name> 
      <url-pattern>/testServlet</url-pattern> 
   </servlet-mapping>

Advanced configuration

	<servlet> 
	  <!-- <description>This is a text description about myservlet</description>
  	  <display-name>myServlet</display-name>
  	  <icon>...</icon> -->
      <servlet-name>TestServlet</servlet-name> 
      <servlet-class>com.my.controller.TestServlet</servlet-class> 
      <init-param> 
         <param-name>testName</param-name> 
         <param-value>testValue</param-value> 
      </init-param> 
	  <!-- stay servlet of
	  this.getInitParameter("testName") -->

      <load-on-startup>0</load-on-startup>
      <run-as> 
         <description>Security role for anonymous access</description> 
         <role-name>tomcat</role-name> 
      </run-as> 
      <security-role-ref>
      	<description>...</description>
      	<role-name>...</role-name>
      	<role-link>...</role-link>
      </security-role-ref>
   </servlet> 
   <servlet-mapping> 
      <servlet-name>TestServlet</servlet-name> 
      <url-pattern>/testServlet</url-pattern> 
   </servlet-mapping> 
elementexplain
<servlet><\servlet>Data used to declare a servlet
<servlet-name><\servlet-name>Specifies the name of the servlet
<servlet-class><servlet-class>Specifies the class name of the servlet
<jsp-file></jsp-file>Specify the full path of a JSP page in the web site
Servlet class and JSP file can only exist
<init-param><init-param>
<param-name></param-name>
<param-value></param-value>
Used to define parameters. There can be multiple init params
Parameters within the scope of servlet can only be obtained in the init() method of servlet
In the init() method of the servlet, pass this Getinitparameter ("testName") get
<load-on-startup></load-on-startup>The load on startup element marks whether the container should load the servlet at startup (instantiate and call its init() method).
Its value must be an integer indicating the order in which the servlet should be loaded
Specifies the order in which servlets are loaded when the Web application starts
When the value is negative or undefined: the servlet container will load the servlet the first time a Web client accesses it
When the value is positive or zero: the servlet container loads the servlets with small values first, and then loads other servlets with large values in turn
When the values are the same, the container will choose its own order to load.
<run-as><run-as>Specifies the running identity used to execute the Web application. It contains an optional description and the name of the security role
<security-role-ref><\security-role-ref>Used to link the security role name defined by < security role > to an alternate role name hard coded in servlet logic
This additional layer of abstraction allows the servlet to be configured at deployment time without changing the servlet code
<servlet-mapping></servlet-mapping>It is used to define the URL corresponding to the servlet and contains two sub elements
<servlet-name></servlet-name>Specifies the name of the servlet
<url-pattern></url-pattern>Specify the URL corresponding to the servlet
  • The three tags of description, display name and icon must be in the order from description to display name and then to icon, otherwise an error will be reported

Session timeout configuration (in minutes)

	<session-config> 
      <session-timeout>30</session-timeout> 
	</session-config> 
	<!-- The setting value is-1 Indicates that the session will never time out -->

MIME type configuration

	<mime-mapping> 
      <extension>htm</extension> 
      <mime-type>text/html</mime-type> 
   </mime-mapping>
   <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
  </mime-mapping>

Specify welcome profile page configuration

	<welcome-file-list> 
      	<welcome-file>index.jsp</welcome-file> 
      	<welcome-file>index.html</welcome-file> 
      	<welcome-file>index.htm</welcome-file> 
	</welcome-file-list>

Configuration error page

	<!-- Configure by error code error-page -->
	<error-page> 
      	<error-code>404</error-code> 
     	 <location>/jsp/NotFound.jsp</location> 
	</error-page> 
	<!-- Configure by exception type error-page -->
	<error-page> 
      	 <exception-type>java.lang.NullException</exception-type> 
      	 <location>/jsp/error.jsp</location> 
    </error-page>
    <!-- When the system occurs java.lang.NullException(In case of null pointer exception), jump to the error handling page error.jsp -->

jsp-property-group

	<jsp-config>
		<jsp-property-group>
	    	<!-- Group Import jsp file -->
        	<url-pattern>*.jsp</url-pattern>
        	<!-- set up jsp The header of the web page with the extension.jspf -->
        	<include-prelude>/WEB-INF/jspf/first.jspf</include-prelude>
        	<!-- set up jsp The end of the page with the extension.jspf -->
        	<include-coda>/WEB-INF/jspf/end.jspf</include-coda>
	  	</jsp-property-group>
	</jsp-config>

TLD configuration

	<jsp-config> 
      	<taglib> 
      		<!-- Describe a relative web.xml Document location URI,Used to identify Web Tag libraries used in applications -->
      		<!-- If URI And JSP On page taglib Used in instructions URI Use this if the string matches taglib -->
        	<taglib-uri>http://jakarta.apache.org/tomcat/debug-taglib</taglib-uri> 
        	<!-- be relative to Web The file location of the tag library descriptor in the application root directory -->
        	<taglib-location>/WEB-INF/pager-taglib.tld</taglib-location> 
      	</taglib> 
	</jsp-config>

Get parameters in configuration file

  • servlet
    import javax.servlet.ServletConfig;
	public void init(ServletConfig config) throws ServletException {
		super.init(config);
		// getInitParameter of ServletConfig is used to obtain parameters
		String testName = config.getInitParameter("testName");
	}
  • struts
	try {
		javax.servlet.ServletConfig config = this.getServlet().getServletConfig();
		System.out.println("--" + config.getInitParameter("testName"));
	} catch (Exception e) {
		e.printStackTrace();
	}
  • jsp
String testName = new String(application.getInitParameter("testName"));

Topics: Front-end JavaEE Tomcat xml java web