Hello!
I posted a question on the ee-spec mailing list about some
servlet-specific stuff, and Antonio Goncalves suggested that I write
that question directly to this mailing list. Related to the following
dialogue
(http://java.net/projects/javaee-spec/lists/users/archive/2012-08/message/20),
I will summarize my questions/proposals.
My main question was whether there is a way to retrieve the https
port of the EE6/Servlet Container in a standard way. If not, maybe a
method to convert a URL in a standard way to use https?
It seems like there is no standard way of doing this kind of task. My use
case would be to allow users to choose whether they want to use https or
not. I could do that with container-specific configuration at deployment
time too, but that would be error-prone. Antonio Goncalves also asked
for a Servlet/Web-Container API, which I would also like to ask for; at
least I would request an API to be able to access some information about
the underlying network and management-specific stuff.
I have some more things on my wishlist which I would like you to take a
look at.
1. The fact that only one session config per webapp can be configured
is very limiting. In the cookie config someone could configure the
path of the cookie, which is somewhat useless IMO since you can only
use one session config. I think it would be nice to return the
session based on the current servlet path when calling
HttpServletRequest.getSession().
2. Regenerating a session id is somewhat painful, and there should be a
method like regenerateId() in the HttpSession interface. Especially
after a login, someone might want to regenerate the session id for
security reasons. Current approaches (like the one ESAPI offers [1])
for regenerating that id are somewhat inefficient due to the lack of
better access to the underlying session management.
What do you think about that?
Regards,
Christian
[1]
http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java#281
--
Kind regards,
------------------------------------------------------------------------
*Christian Beikov*
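
The copy, invalidate and recreate workaround that item 2 refers to, as an added example that is not part of the original message and is not ESAPI's code. The class and method names are hypothetical, and it assumes the Servlet 3.0 API (javax.servlet) is on the classpath:

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (name is an assumption): rotate the session id after login. */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Servlet 3.0 has no call that changes the id of a live session, so the
     * only portable defence against session fixation is to replace the session.
     * Call this after the credentials are verified and before the response is
     * committed, so the container can still send the new session cookie.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session exists, so there is no id to carry over.
            return request.getSession(true);
        }

        // 1. Snapshot the attributes; invalidate() discards them.
        Map<String, Object> saved = new HashMap<String, Object>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }
        int maxInactive = old.getMaxInactiveInterval();

        // 2. Invalidate the pre-login session so its id stops being accepted.
        old.invalidate();

        // 3. Ask the container for a new session, which gets a fresh id.
        HttpSession fresh = request.getSession(true);
        fresh.setMaxInactiveInterval(maxInactive);

        // 4. Restore the state. Every attribute was unbound in step 2 and is
        //    bound again here, so binding listeners fire twice per rotation.
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Servlet 3.1 later added HttpServletRequest.changeSessionId(), which changes the id in place without copying attributes; on containers that support it, that call replaces this helper.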