JavaServer Filters and Servlet Chaining

JavaServer

Filters and Servlet Chaining

Documentation / Developer Docs / Administrator Docs / Index / Features

Filters and Servlet chaining

In the Java Web Server, filtering support is provided by the ability to flexibly chain servlets. Both local and remote servlets can be part of the chain. Filtering is yet another way to load and invoke servlets in the Java Web Server. The sections below describe servlet chaining in more detail.

For information on how to setup servlet chaining using the Administration Tool, see Servlet Aliases.

Enabling Filters and Servlet Chaining

In the basic subsection of the setup section, there is a button to indicate whether or not servlet chaining is enabled. By default, this is disabled - set the button to enable it you want to enable servlet chaining and filtering capabilities in your server.

Servlet Chains

For some requests, a chain of servlets in a particular order can be invoked rather than just one servlet. The input from the browser is sent to the first servlet in the chain and the output from the last servlet in the chain is the response sent back to the browser. Each servlet in between the first and the last servlet, have the inputs and outputs piped to the servlet before and after it in the chain respectively. There are two ways to trigger a chain of servlets for an incoming request. They are:
  1. Using Servlet Aliasing to indicate a chain of servlets for a request.
  2. Using Mime types to trigger the next servlet in the chain.
Each of the above two are explained in more detail below.

How to configure a Servlet Chain via Servlet Aliasing

Using the Servlet Aliasing subsection of the setup section in the admin applet, a list of servlets can be named for a particular URL request. In the servlets table, when adding a new mapping, you are allowed to enter a comma separated list of servlets in the order in which they should be invoked when a request arrives for that particular URI. This configures a servlet chain to be invoked every time a request that matches the URI comes in.

Mime types and Servlets

The JavaServer provides a great deal of flexibility in how Servlets can be invoked. One way of invoking servlets is by associating a Servlet with a particular mime-type such that the servlet so configured is invoked each time a response with the corresponding mime-type is generated.

When a servlet writes to the OutputStream for the first time, the mime-type is checked. If there is a servlet configured for this particular mime-type, then the OutputStream of the response is piped to the InputStream of the Servlet. So the second servlet's request stream is essentially a pipe from the first servlet's response stream. Multiple such servlets can be chained together.

How to configure a servlet chain using mime types

There is no admin GUI support for servlet chaining. So the administrator has to manually edit the mimeservlets.properties file. This file resides in the directory
<server_root>/properties/process/javawebserver/webpageservice/

This file maps mime types to servlet names. Servlet names are mapped to actual classes using the servlets section of the admin tool. This flexible approach means that some of the servlets in the servlet chain can actually be configured to be remote servlets. In the case of remote servlets in the chain, they are brought over before being invoked.

Triggering Filter Chains

When servlets generate responses, they set the mime type of the response. When a particular mime type is configured to invoke another servlet in the mimeservlets.properties file, the filter chain is triggered. The servlets that get invoked in the chain have their request inputs be the outputs of the previous member in the chain.

Security in servlet chains

All servlets in a servlet chain is subjected to the same security constraints when it comes to ACL based protection. So two servlets cannot be protected by two different ACLs and belong in the same chain, since the request is from a single client. If they are configured to be protected by two different ACLs, then a response will not be generated. Also if a particular servlet is protected using an ACL in the chain, then the entire chain becomes protected. That is, if the third servlet in a chain is protected and the first two are not then a response is not generated unless a valid user/password is entered before the chain is invoked.

Servlet sandboxes are preserved as usual for individual servlets. So inidividual servlets can be sandboxed if they are remote and they behave exactly as they would have had they not been in a servlet chain.

Top
java-server-feedback@java.sun.com