Servlet 3.1 Specification (JSR 340) and Java Authorization Contract for Containers (JSR 115) MR3 are almost ready for release. Besides "*", the role-name "**" is introduced in these two specifications.
In a nutshell, "*" means any role defined in web.xml, and "**" means any authenticated user.
Prior to Servlet 3.1, web containers use proprietary mechanisms to add security-constraints for any...
Servlet 3.1 Specification (JSR 340) is almost ready for the release. Several new security features have been added in this version of Servlet specification.
In this blog, I will explain one of the security features, namely deny-uncovered-http-methods.
Let us take a look at a simple security-constraint in web.xml as follows:
<web-app xmlns="http://www.w3.org/2001/XMLSchema" ...
Servlet 3.1 was in Public Review in January 2013, and it is in Proposed Final Draft now. Most of the new features are related to security.
In the following, I will highlight features added since the Servlet 3.1 Public Review:
add new API javax.servlet.http.Part#getSubmittedFileName
add new API javax.servlet.ServletContext#getVirtualServerName. This API allows a JASPIC module to be registered in a Servlet...
Cross-site request forgery (CSRF) is a malicious attack that exploits the trust a site places in a user's browser.
As an example, a user may be tricked into invoking a URL that performs a bank transaction, either by clicking on the URL or by loading it through an <img> tag.
In GlassFish 3.1.1, there is a CSRF prevention filter, which is based on Tomcat 7.
Single Sign On (SSO) allows web applications to share the same authentication state.
GlassFish v2 supports virtual-server-level SSO: web applications with the same authentication realm in a given virtual server can share their authentication state.
GlassFish 3.1 supports SSO failover at the cluster level, so one has high availability for Single Sign On in a virtual server of...