Appendix D

Web Annotations

Servlet 3.0 added a set of annotation types to the API. These annotation types belong to the javax.servlet.annotation package and are used to annotate web objects such as servlets, filters, and listeners. This appendix lists the annotation types.

HandlesTypes

This annotation type is used to declare the class types that a ServletContainerInitializer can handle. It has one attribute, value, that is used to declare the class types. For example, the following ServletContainerInitializer is annotated with @HandlesTypes, which declares that the initializer can handle UsefulServlet.

@HandlesTypes({UsefulServlet.class})
public class MyInitializer implements ServletContainerInitializer {
    ...
}

HttpConstraint

The HttpConstraint annotation type represents the security constraints applied to all HTTP protocol methods for which a corresponding HttpMethodConstraint element is not present. This annotation type must reside within the ServletSecurity annotation.

The attributes of HttpConstraint are given in Table D.1.

| Attribute | Description |
| --- | --- |
| rolesAllowed | A string array representing the authorized roles. |
| transportGuarantee | Indicates whether or not there is a data protection requirement that must be met. The valid value is a member of the ServletSecurity.TransportGuarantee enum (CONFIDENTIAL or NONE). |
| value | The default authorization semantic. |

Table D.1: HttpConstraint attributes

For example, the following HttpConstraint annotation declares that the annotated servlet can only be accessed by users that are part of the manager role. Since no HttpMethodConstraint annotation is present, the constraint applies to all HTTP methods.

@ServletSecurity(@HttpConstraint(rolesAllowed = "manager"))

HttpMethodConstraint

This annotation type represents a security constraint on a specific HTTP method. The HttpMethodConstraint annotation can only appear within the ServletSecurity annotation.

The attributes for HttpMethodConstraint are given in Table D.2.

| Attribute | Description |
| --- | --- |
| emptyRoleSemantic | The default authorization semantic. The value must be one of the members of the ServletSecurity.EmptyRoleSemantic enum (DENY or PERMIT). |
| rolesAllowed | A string array representing the authorized roles. |
| transportGuarantee | Indicates whether or not there is a data protection requirement that must be met. The valid value is a member of the ServletSecurity.TransportGuarantee enum (CONFIDENTIAL or NONE). |
| value | The HTTP method affected. |

Table D.2: HttpMethodConstraint attributes

For example, the following ServletSecurity annotation employs both the value and httpMethodConstraints attributes. The HttpConstraint annotation defines the roles that can access the annotated servlet, and the HttpMethodConstraint annotation, which is written without the rolesAllowed attribute, overrides the constraint for the GET method. As such, the servlet can be accessed via GET by any user. On the other hand, access via all other HTTP methods can only be granted to users in the manager role.

@ServletSecurity(value = @HttpConstraint(rolesAllowed = "manager"),
    httpMethodConstraints = {@HttpMethodConstraint("GET")}
)

However, if the emptyRoleSemantic attribute of the HttpMethodConstraint annotation type is assigned EmptyRoleSemantic.DENY, then the method is restricted for all users. For example, the servlet annotated with the following ServletSecurity annotation prevents access via the GET method but allows access to all users in the member role via other HTTP methods.

@ServletSecurity(value = @HttpConstraint(rolesAllowed = "member"),
    httpMethodConstraints = {@HttpMethodConstraint(value = "GET",
        emptyRoleSemantic = EmptyRoleSemantic.DENY)}
)

MultipartConfig

The MultipartConfig annotation type is used to annotate a servlet to indicate that instances of the servlet are capable of handling the multipart/form-data MIME type, which is commonly used when uploading files.

Table D.3 lists the attributes of MultipartConfig.

| Attribute | Description |
| --- | --- |
| fileSizeThreshold | The size threshold after which the uploaded file will be written to disk. |
| location | The save location when the uploaded file is saved to disk. |
| maxFileSize | The maximum size for uploaded files. Files larger than the specified value will be rejected. By default, the value of maxFileSize is -1, which means unlimited. |
| maxRequestSize | The maximum size allowed for multipart HTTP requests. By default, the value is -1, which translates into unlimited. |

Table D.3: MultipartConfig attributes

For example, the following MultipartConfig annotation specifies that the maximum file size that can be uploaded is a million bytes.

@MultipartConfig(maxFileSize = 1000000)

ServletSecurity

The ServletSecurity annotation type is used to annotate a servlet class to apply security constraints on the servlet. The attributes that can appear in the ServletSecurity annotation are given in Table D.4.

| Attribute | Description |
| --- | --- |
| httpMethodConstraints | An array of HttpMethodConstraints specifying HTTP method specific constraints. |
| value | The HttpConstraint annotation that defines the protection to be applied to all HTTP methods for which a corresponding HttpMethodConstraint is not found. |

Table D.4: ServletSecurity attributes

For example, the following ServletSecurity annotation contains an HttpConstraint annotation that dictates that the annotated servlet can only be accessed by those in the manager role.

@ServletSecurity(value = @HttpConstraint(rolesAllowed = "manager"))

WebFilter

The WebFilter annotation type is used to annotate a filter. Table D.5 shows attributes that may appear in the WebFilter annotation. All attributes are optional.

| Attribute | Description |
| --- | --- |
| asyncSupported | Indicates whether the filter supports asynchronous processing. |
| description | The filter description. |
| dispatcherTypes | An array of DispatcherTypes to which the filter applies. |
| displayName | The display name of the filter. |
| filterName | The name of the filter. |
| initParams | The init parameters of the filter. |
| largeIcon | The large icon of the filter. |
| servletNames | The names of the servlets to which the filter applies. |
| smallIcon | The small icon of the filter. |
| urlPatterns | The URL patterns to which the filter applies. |
| value | The URL patterns to which the filter applies. |

Table D.5: WebFilter attributes

WebInitParam

This annotation type is used to pass initialization parameters to a servlet or a filter. The attributes that may appear in a WebInitParam annotation are given in Table D.6. The asterisk to the right of the attribute name indicates that the attribute is required.

| Attribute | Description |
| --- | --- |
| description | The description of the initialization parameter. |
| name* | The name of the initialization parameter. |
| value* | The value of the initialization parameter. |

Table D.6: WebInitParam attributes

WebListener

This annotation type is used to annotate a listener. Its only attribute, value, is optional and contains the description of the listener.

WebServlet

This annotation type is used to annotate a servlet. Its attributes are listed in Table D.7. All attributes are optional.

| Attribute | Description |
| --- | --- |
| asyncSupported | Indicates whether the servlet supports asynchronous processing. |
| description | The servlet description. |
| displayName | The display name of the servlet. |
| initParams | The init parameters of the servlet. |
| largeIcon | The large icon of the servlet. |
| loadOnStartup | The loading order for the servlet in an application that consists of multiple servlets. |
| name | The name of the servlet. |
| smallIcon | The small icon of the servlet. |
| urlPatterns | The URL patterns to invoke the servlet. |
| value | The URL patterns to invoke the servlet. |

Table D.7: WebServlet attributes
