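After studying Java Web for a while, and having known about Tomcat for a long time, I still ran into many unfamiliar terms and concepts every time I started development. So I had no choice but to go back through XML, DTD, Schema, the official Tomcat tutorials and so on; after some time, this flattened the Java Web learning curve a little.
What follows is my reading, after studying XML for a while, of the structure of the web.xml file under Tomcat's conf\ directory. The version used is 9.0.0.M8. I hope it helps both me and others.
Structurally, web.xml consists of the following seven parts, from beginning to end:
- Built In Servlet Definitions (definitions of the built-in servlets)
- Built In Servlet Mappings (servlet mappings, covering the default servlet, the JSP compiler and execution servlet, the SSI processing servlet and the CGI processing servlet)
- Built In Filter Definitions
- Built In Filter Mappings
- Default Session Configuration
- Default MIME Type Mappings
- Default Welcome File List
Below, each part is read through line by line:
Preamble
<?xml version="1.0" encoding="UTF-8"?>
This is the standard header of an XML file.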
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
This is Apache's license text and legal notice; readers who are learning development can skip it for now.
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0">
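web-app is the root element of the web.xml document. xmlns is short for XML NameSpace; some books render the term as "XML name space" and others as "namespace", with no significant difference. You can think of it as an attribute named xmlns on the root element "web-app". Next come: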
...
xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
...
These two lines differ slightly in form, but on closer inspection they share a fixed format, namely:
xmlns(:xxx)="yyy"
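In fact, this is the syntax an XML document uses to bring in a namespace. Here "xxx" is the prefix given to the namespace, which can be specified (such as "xsi") or left out (making it the default); "yyy" is the name of the namespace, which takes the form of a URI, such as "http://xmlns.jcp.org/xml/ns/javaee" or "http://www.w3.org/2001/XMLSchema-instance".
Further down: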
...
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
...
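The xsi namespace has a number of fairly important attributes, one of which is xsi:schemaLocation. Its purpose is to bring in an XML Schema document that constrains the content of the XML document's elements. It holds two URIs separated by whitespace or a line break: the first URI is the name of the namespace and the second is the location of the document. So these two lines bring in an XML Schema document whose namespace is http://xmlns.jcp.org/xml/ns/javaee and whose location is http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd. See also the syntax for referencing a Schema document given in Eclipse's XML file template:
xsi:schemaLocation="{namespace} {location}"
This way of expressing and bringing in namespaces may feel unfamiliar and off-putting at first, but after reading enough XML documents you gradually get used to it.
Continuing: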
<!-- ======================== Introduction ============================== -->
<!-- This document defines default values for *all* web applications -->
<!-- loaded into this instance of Tomcat. As each application is -->
<!-- deployed, this file is processed, followed by the -->
<!-- "/WEB-INF/web.xml" deployment descriptor from your own -->
<!-- applications. -->
<!-- -->
<!-- WARNING: Do not configure application-specific resources here! -->
<!-- They should go in the "/WEB-INF/web.xml" file in your application. -->
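This is the general introduction to the web.xml document. Given how important its content is, it is worth restating what it says: "This document defines default values for all web applications loaded into this instance of Tomcat. As each application is deployed, this file is processed, followed by the /WEB-INF/web.xml deployment descriptor from your own application. Warning: do not configure application-specific resources here! They should go in the /WEB-INF/web.xml file in your application."
That is the whole of the preamble. Now on to the substance of the 7 parts of web.xml.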
1. Built In Servlet Definitions
<!-- ================== Built In Servlet Definitions ==================== -->
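"Built In Servlet Definitions": I understand this as the definitions of the built-in servlets. It mainly initializes the servlets shared by all web applications on this Tomcat instance (anything else is better placed in your own application's /WEB-INF/web.xml), for example by specifying the servlet name, the class name, the initialization parameters and their values, and how long after startup the servlet is invoked. It can be further divided into the following 4 parts:
- the default servlet
- the JSP page compiler and execution servlet
- the SSI processing servlet
- the CGI processing servlet
Let's look at each in turn.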
1.1 Default servlet
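The default servlet is the servlet that this Tomcat instance configures by default for all web applications. It has two main roles: ① serving static resources for the server; ② handling all requests that are not mapped to any other servlet. The code is as follows: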
<!-- The default servlet for all web applications, that serves static -->
<!-- resources. It processes all requests that are not mapped to other -->
<!-- servlets with servlet mappings (defined either here or in your own -->
<!-- web.xml file). This servlet supports the following initialization -->
<!-- parameters (default values are in square brackets): -->
<!-- -->
<!-- debug Debugging detail level for messages logged -->
<!-- by this servlet. Useful values are 0, 1, and -->
<!-- 11 where higher values mean more detail. [0] -->
<!-- -->
<!-- fileEncoding Encoding to be used to read static resources -->
<!-- [platform default] -->
<!-- -->
<!-- input Input buffer size (in bytes) when reading -->
<!-- resources to be served. [2048] -->
<!-- -->
<!-- listings Should directory listings be produced if there -->
<!-- is no welcome file in this directory? [false] -->
<!-- WARNING: Listings for directories with many -->
<!-- entries can be slow and may consume -->
<!-- significant proportions of server resources. -->
<!-- -->
<!-- output Output buffer size (in bytes) when writing -->
<!-- resources to be served. [2048] -->
<!-- -->
<!-- readonly Is this context "read only", so HTTP -->
<!-- commands like PUT and DELETE are -->
<!-- rejected? [true] -->
<!-- -->
<!-- readmeFile File to display together with the directory -->
<!-- contents. [null] -->
<!-- -->
<!-- sendfileSize If the connector used supports sendfile, this -->
<!-- represents the minimal file size in KB for -->
<!-- which sendfile will be used. Use a negative -->
<!-- value to always disable sendfile. [48] -->
<!-- -->
<!-- useAcceptRanges Should the Accept-Ranges header be included -->
<!-- in responses where appropriate? [true] -->
<!-- -->
<!-- For directory listing customization. Checks localXsltFile, then -->
<!-- globalXsltFile, then defaults to original behavior. -->
<!-- -->
<!-- localXsltFile Make directory listings an XML doc and -->
<!-- pass the result to this style sheet residing -->
<!-- in that directory. This overrides -->
<!-- contextXsltFile and globalXsltFile[null] -->
<!-- -->
<!-- contextXsltFile Make directory listings an XML doc and -->
<!-- pass the result to this style sheet which is -->
<!-- relative to the context root. This overrides -->
<!-- globalXsltFile[null] -->
<!-- -->
<!-- globalXsltFile Site wide configuration version of -->
<!-- localXsltFile. This argument must either be an -->
<!-- absolute or relative (to either -->
<!-- $CATALINA_BASE/conf or $CATALINA_HOME/conf) -->
<!-- path that points to a location below either -->
<!-- $CATALINA_BASE/conf (checked first) or -->
<!-- $CATALINA_HOME/conf (checked second).[null] -->
<!-- -->
<!-- showServerInfo Should server information be presented in the -->
<!-- response sent to clients when directory -->
<!-- listings is enabled? [true] -->
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
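In the code, the comments are introductory. As the English says, the servlet mainly supports 9 initialization parameters:
debug[0]
fileEncoding[platform default]
input[2048]
listings[false]
output[2048]
readonly[true]
readmeFile[null]
sendfileSize[48]
useAcceptRanges[true]
The default values are in square brackets. Once directory listings are enabled, another 4 initialization parameters need to be set; they are not needed for now, so I won't go into them.
The configuration part configures the default servlet of this Tomcat instance. Every servlet configuration in web.xml follows essentially the same pattern: under the <servlet> element, specify the <servlet-name>, <servlet-class>, <init-param> and <load-on-startup> properties of the servlet being configured, which stand for the servlet name, the servlet class name, the initialization parameters, and how long after startup (unit: seconds) the servlet is loaded.
Accordingly, this Tomcat instance configures the default servlet as follows: servlet-name is default; servlet-class is org.apache.catalina.servlets.DefaultServlet; there are 2 initialization parameters, debug and listings, with initial values 0 and false respectively; it is loaded 1 second after startup.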
1.2 JSP page compiler and execution servlet
The JSP page compiler and execution servlet is, as the name suggests, the servlet that supports compiling and processing JSP pages. It is normally mapped to the URL pattern "*.jsp".
<!-- The JSP page compiler and execution servlet, which is the mechanism -->
<!-- used by Tomcat to support JSP pages. Traditionally, this servlet -->
<!-- is mapped to the URL pattern "*.jsp". This servlet supports the -->
<!-- following initialization parameters (default values are in square -->
<!-- brackets): -->
<!-- -->
<!-- checkInterval If development is false and checkInterval is -->
<!-- greater than zero, background compilations are -->
<!-- enabled. checkInterval is the time in seconds -->
<!-- between checks to see if a JSP page (and its -->
<!-- dependent files) needs to be recompiled. [0] -->
<!-- -->
<!-- classdebuginfo Should the class file be compiled with -->
<!-- debugging information? [true] -->
<!-- -->
<!-- classpath What class path should I use while compiling -->
<!-- generated servlets? [Created dynamically -->
<!-- based on the current web application] -->
<!-- -->
<!-- compiler Which compiler Ant should use to compile JSP -->
<!-- pages. See the jasper documentation for more -->
<!-- information. -->
<!-- -->
<!-- compilerSourceVM Compiler source VM. [1.8] -->
<!-- -->
<!-- compilerTargetVM Compiler target VM. [1.8] -->
<!-- -->
<!-- development Is Jasper used in development mode? If true, -->
<!-- the frequency at which JSPs are checked for -->
<!-- modification may be specified via the -->
<!-- modificationTestInterval parameter. [true] -->
<!-- -->
<!-- displaySourceFragment -->
<!-- Should a source fragment be included in -->
<!-- exception messages? [true] -->
<!-- -->
<!-- dumpSmap Should the SMAP info for JSR45 debugging be -->
<!-- dumped to a file? [false] -->
<!-- False if suppressSmap is true -->
<!-- -->
<!-- enablePooling Determines whether tag handler pooling is -->
<!-- enabled. This is a compilation option. It will -->
<!-- not alter the behaviour of JSPs that have -->
<!-- already been compiled. [true] -->
<!-- -->
<!-- engineOptionsClass Allows specifying the Options class used to -->
<!-- configure Jasper. If not present, the default -->
<!-- EmbeddedServletOptions will be used. -->
<!-- -->
<!-- errorOnUseBeanInvalidClassAttribute -->
<!-- Should Jasper issue an error when the value of -->
<!-- the class attribute in an useBean action is -->
<!-- not a valid bean class? [true] -->
<!-- -->
<!-- fork Tell Ant to fork compiles of JSP pages so that -->
<!-- a separate JVM is used for JSP page compiles -->
<!-- from the one Tomcat is running in. [true] -->
<!-- -->
<!-- genStringAsCharArray -->
<!-- Should text strings be generated as char -->
<!-- arrays, to improve performance in some cases? -->
<!-- [false] -->
<!-- -->
<!-- ieClassId The class-id value to be sent to Internet -->
<!-- Explorer when using <jsp:plugin> tags. -->
<!-- [clsid:8AD9C840-044E-11D1-B3E9-00805F499D93] -->
<!-- -->
<!-- javaEncoding Java file encoding to use for generating java -->
<!-- source files. [UTF8] -->
<!-- -->
<!-- keepgenerated Should we keep the generated Java source code -->
<!-- for each page instead of deleting it? [true] -->
<!-- -->
<!-- mappedfile Should we generate static content with one -->
<!-- print statement per input line, to ease -->
<!-- debugging? [true] -->
<!-- -->
<!-- maxLoadedJsps The maximum number of JSPs that will be loaded -->
<!-- for a web application. If more than this -->
<!-- number of JSPs are loaded, the least recently -->
<!-- used JSPs will be unloaded so that the number -->
<!-- of JSPs loaded at any one time does not exceed -->
<!-- this limit. A value of zero or less indicates -->
<!-- no limit. [-1] -->
<!-- -->
<!-- jspIdleTimeout The amount of time in seconds a JSP can be -->
<!-- idle before it is unloaded. A value of zero -->
<!-- or less indicates never unload. [-1] -->
<!-- -->
<!-- modificationTestInterval -->
<!-- Causes a JSP (and its dependent files) to not -->
<!-- be checked for modification during the -->
<!-- specified time interval (in seconds) from the -->
<!-- last time the JSP was checked for -->
<!-- modification. A value of 0 will cause the JSP -->
<!-- to be checked on every access. -->
<!-- Used in development mode only. [4] -->
<!-- -->
<!-- recompileOnFail If a JSP compilation fails should the -->
<!-- modificationTestInterval be ignored and the -->
<!-- next access trigger a re-compilation attempt? -->
<!-- Used in development mode only and is disabled -->
<!-- by default as compilation may be expensive and -->
<!-- could lead to excessive resource usage. -->
<!-- [false] -->
<!-- -->
<!-- scratchdir What scratch directory should we use when -->
<!-- compiling JSP pages? [default work directory -->
<!-- for the current web application] -->
<!-- -->
<!-- suppressSmap Should the generation of SMAP info for JSR45 -->
<!-- debugging be suppressed? [false] -->
<!-- -->
<!-- trimSpaces Should white spaces in template text between -->
<!-- actions or directives be trimmed? [false] -->
<!-- -->
<!-- xpoweredBy Determines whether X-Powered-By response -->
<!-- header is added by generated servlet. [false] -->
<!-- -->
<!-- strictQuoteEscaping When scriptlet expressions are used for -->
<!-- attribute values, should the rules in JSP.1.6 -->
<!-- for the escaping of quote characters be -->
<!-- strictly applied? [true] -->
<!-- -->
<!-- quoteAttributeEL When EL is used in an attribute value on a -->
<!-- JSP page should the rules for quoting of -->
<!-- attributes described in JSP.1.6 be applied to -->
<!-- the expression? [true] -->
<servlet>
<servlet-name>jsp</servlet-name>
<servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
<init-param>
<param-name>fork</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<param-name>xpoweredBy</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>3</load-on-startup>
</servlet>
The JSP page compiler and execution servlet supports the following initialization parameters:
checkInterval[0]
classdebuginfo[true]
classpath[created dynamically based on the current web application]
compiler[not specified]
development[true]
displaySourceFragment[true]
dumpSmap[false]
enablePooling[true]
engineOptionsClass[]
errorOnUseBeanInvalidClassAttribute[true]
fork[true]
genStringAsCharArray[false]
ieClassId[clsid:8AD9C840-044E-11D1-B3E9-00805F499D93]
javaEncoding[UTF8]
keepgenerated[true]
mappedfile[true]
maxLoadedJsps[-1]
jspIdleTimeout[-1]
modificationTestInterval[4]
recompileOnFail[false]
scratchdir[default work directory for the current web application]
suppressSmap[false]
trimSpaces[false]
xpoweredBy[false]
strictQuoteEscaping[true]
quoteAttributeEL[true]
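The default initial values are in square brackets.
Note that JSP pages cannot be used directly in Tomcat or any other servlet container; they must first be processed by a dedicated JSP compiler and execution servlet before they can run in the container.
The configuration part gives the JSP compiler and execution servlet a servlet-name of jsp and a servlet-class of org.apache.jasper.servlet.JspServlet, with 2 initialization parameters, fork and xpoweredBy, whose initial values are false and false respectively; it is loaded 3 seconds after startup.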
1.3 Server Side Includes (SSI) processing servlet
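First, what are Server Side Includes? Blog material found online says that SSI works by adding SSI directives to HTML files: the server interprets the directives before sending the HTML, and outputs the result together with the HTML code to the client. The main reasons for using SSI are generality and efficiency. Generality can be understood simply as being cross-platform, while efficiency shows mainly in the server interpreting SSI directives more efficiently than JSP.
With the concept of SSI in hand, look again at the name "Server Side Includes processing servlet". It could be rendered as "server-side include processing servlet" or "servlet that processes server-side includes", but I find such renderings either too wordy or too ambiguous. So until a better translation turns up, keep the layers of meaning apart: first, it is a servlet; second, it does processing; and finally, what it processes is SSI (server-side includes).
Back in the web.xml code, there is first an explicit statement: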
<!-- NOTE: An SSI Filter is also available as an alternative SSI -->
<!-- implementation. Use either the Servlet or the Filter but NOT both. -->
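That is: note that an SSI filter is also available as an alternative SSI implementation. It says "also" because the SSI filter and the SSI processing servlet described here are both SSI implementations; they differ only in the underlying technology, the former using a filter and the latter a servlet.
Next comes the code for the SSI processing servlet: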
<!-- Server Side Includes processing servlet, which processes SSI -->
<!-- directives in HTML pages consistent with similar support in web -->
<!-- servers like Apache. Traditionally, this servlet is mapped to the -->
<!-- URL pattern "*.shtml". This servlet supports the following -->
<!-- initialization parameters (default values are in square brackets): -->
<!-- -->
<!-- buffered Should output from this servlet be buffered? -->
<!-- (0=false, 1=true) [0] -->
<!-- -->
<!-- debug Debugging detail level for messages logged -->
<!-- by this servlet. [0] -->
<!-- -->
<!-- expires The number of seconds before a page with SSI -->
<!-- directives will expire. [No default] -->
<!-- -->
<!-- isVirtualWebappRelative -->
<!-- Should "virtual" paths be interpreted as -->
<!-- relative to the context root, instead of -->
<!-- the server root? [false] -->
<!-- -->
<!-- inputEncoding The encoding to assume for SSI resources if -->
<!-- one is not available from the resource. -->
<!-- [Platform default] -->
<!-- -->
<!-- outputEncoding The encoding to use for the page that results -->
<!-- from the SSI processing. [UTF-8] -->
<!-- -->
<!-- allowExec Is use of the exec command enabled? [false] -->
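<!--
<servlet>
<servlet-name>ssi</servlet-name>
<servlet-class>
org.apache.catalina.ssi.SSIServlet
</servlet-class>
<init-param>
<param-name>buffered</param-name>
<param-value>1</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>0</param-value>
</init-param>
<init-param>
<param-name>expires</param-name>
<param-value>666</param-value>
</init-param>
<init-param>
<param-name>isVirtualWebappRelative</param-name>
<param-value>false</param-value>
</init-param>
<load-on-startup>4</load-on-startup>
</servlet>
-->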
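The SSI processing servlet handles SSI directives in HTML pages in a way consistent with web servers such as Apache. It is normally mapped to the URL pattern "*.shtml". It supports the following 7 initialization parameters:
- buffered[0]: should the output of this servlet be buffered? (0=false, 1=true)
- debug[0]: level of detail of the debug messages logged by this servlet.
- expires[No default]: the number of seconds before a page with SSI directives expires.
- isVirtualWebappRelative[false]: should "virtual" paths be interpreted relative to the context root instead of the server root?
- inputEncoding[Platform default]: the encoding assumed for SSI resources when it cannot be determined from the resource.
- outputEncoding[UTF-8]: the encoding of the page that results from SSI processing.
- allowExec[false]: is the exec command enabled?
Here the configuration part is commented out, so to have this Tomcat instance support SSI, the comment markers around it must be removed. Following the same pattern as the servlet configurations above, it specifies a servlet-name of ssi and a servlet-class of org.apache.catalina.ssi.SSIServlet, with 4 initialization parameters, buffered, debug, expires and isVirtualWebappRelative, whose initial values are 1, 0, 666 and false respectively; it is loaded 4 seconds after startup.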
1.4 Common Gateway Includes (CGI) processing servlet
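As for the abbreviation "CGI", a quick search online shows that it basically always refers to the Common Gateway Interface, which provides a way for a server to interact with external programs. The most important function of such a program is to produce dynamic output that depends on the client's request, which is used to build a dynamic page returned to the client. Programs of this kind are usually called CGI scripts or CGIs.
As with the SSI processing servlet, "Common Gateway Includes processing servlet" here means the CGI processing servlet, which the Tomcat server uses to handle the CGI scripts, or CGIs, of the web applications on the server. It is normally mapped to the URL pattern "/cgi-bin/*". It supports the following 6 initialization parameters:
- cgiPathPrefix[]: the path (part) under which the web application stores its CGI scripts; the recommended value is "WEB-INF/cgi".
- debug[0]: level of detail of the debug messages logged by this servlet.
- executable[perl]: the name of the compiler that runs the CGI script; the default is perl.
- parameterEncoding[System.getProperty("file.encoding","UTF-8")]: the parameter encoding used by this servlet.
- passShellEnvironment[false]: whether the command interpreter (shell) is allowed to pass parameters to the CGI script; the default is false.
- stderrTimeout[200]: the time (in milliseconds) to wait for the standard error stream (stderr) to be read before terminating the CGI script process.
Likewise, the configuration part here is commented out, so to have this Tomcat instance support CGI scripts, remove the comment markers around it and set the attribute privileged="true" in the context.xml file. For details see "Notes on configuring the CGI processing servlet in Tomcat 9.0" (《Tomcat 9.0配置CGI processing servlet备忘》).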
2. Built In Servlet Mappings
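Servlet mapping "binds" the servlet classes defined above to URLs of particular patterns, so the server knows which servlet class should receive which URL pattern. If a match is found, that servlet class is called and takes over further processing; if none is found, an exception is thrown as appropriate.
This is fairly simple, so straight to the code: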
<!-- The mapping for the default servlet -->
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- The mappings for the JSP servlet -->
<servlet-mapping>
<servlet-name>jsp</servlet-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspx</url-pattern>
</servlet-mapping>
<!-- The mapping for the SSI servlet -->
<!--
<servlet-mapping>
<servlet-name>ssi</servlet-name>
<url-pattern>*.shtml</url-pattern>
</servlet-mapping>
-->
<!-- The mapping for the CGI Gateway servlet -->
<!--
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
-->
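Note in particular that the CGI and SSI servlets are not mapped by default. To map them, either uncomment the mappings in this file or add them to your own application's web.xml.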
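The lookup described above, as an added example that is not part of the original post or of Tomcat's code: it reads the mappings from a constructed copy of this section and resolves request paths in the order the Servlet specification defines (exact match, longest path prefix, extension, default servlet). The function names and the sample paths are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"jee": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed sample: the mappings shown above, CGI mapping still commented out.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
  <!--
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

def load_mappings(xml_text):
    """Return (url-pattern, servlet-name) pairs; XML comments are not parsed."""
    pairs = []
    for m in ET.fromstring(xml_text).findall("jee:servlet-mapping", NS):
        name = m.findtext("jee:servlet-name", namespaces=NS).strip()
        for pattern in m.findall("jee:url-pattern", NS):
            pairs.append((pattern.text.strip(), name))
    return pairs

def resolve(path, mappings):
    """Choose the servlet for a context-relative path (Servlet spec order)."""
    # 1. Exact match ("/" itself is the default-servlet pattern, handled last).
    for pattern, servlet in mappings:
        if pattern == path and pattern != "/":
            return servlet
    # 2. Longest path-prefix match for patterns ending in "/*".
    best = None
    for pattern, servlet in mappings:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if (path == prefix or path.startswith(prefix + "/")) and (
                    best is None or len(prefix) > len(best[0])):
                best = (prefix, servlet)
    if best:
        return best[1]
    # 3. Extension match for "*.ext" patterns.
    last = path.rsplit("/", 1)[-1]
    if "." in last:
        wanted = "*." + last.rsplit(".", 1)[1]
        for pattern, servlet in mappings:
            if pattern == wanted:
                return servlet
    # 4. Fall back to the default servlet mapped at "/".
    return dict(mappings).get("/")

if __name__ == "__main__":
    shipped = load_mappings(SAMPLE)
    for p in ("/index.jsp", "/img/logo.png", "/cgi-bin/env.jsp"):
        print(p, resolve(p, shipped), resolve(p, shipped + [("/cgi-bin/*", "cgi")]))
```

With the CGI mapping uncommented, /cgi-bin/env.jsp goes to the cgi servlet rather than jsp, because a path-prefix match is tried before an extension match.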
3. Built In Filter Definitions
This part contains several filters. The comment block of each filter describes its function and its parameters; some describe only the function.
3.1 HttpHeaderSecurityFilter
This filter applies various security-related settings to HTTP response headers. Its initialization parameters include:
- hstsEnabled[true]: should the HTTP Strict Transport Security (HSTS) header be added to the response?
- hstsMaxAgeSeconds[0]
- antiClickJackingEnabled[true]
- antiClickJackingOption[DENY]
- antiClickJackingUri[]
- blockContentTypeSniffingEnabled[true]
3.2 SetCharacterEncodingFilter
A filter that sets the character encoding; this encoding is used for decoding.
3.3 FailedRequestFilter
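This filter triggers parsing of the request parameters and rejects requests in which parameters were lost because of parsing errors or request size limits.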
3.4 Server Side Includes (SSI) processing filter
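The SSI processing filter handles SSI directives in HTML pages, similar to the support in the Apache web server. The filter is normally mapped to the URL pattern "*.shtml", but it can also be mapped to "*", because it selectively enables or disables SSI processing based on MIME type. For that to work, the .shtml type definition near the end of the file must be uncommented.
The contentType initialization parameter allows SSI processing to be applied to JSP pages, JavaScript or any other content you wish. The filter supports the following initialization parameters:
- contentType[text/x-server-parsed-html(;.*)?]: SSI processing is applied only when this regular expression matches.
- debug[0]
- expires[No default]: how long before a page with SSI directives expires.
- isVirtualWebappRelative[false]
- allowExec[false]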
4. Built In Filter Mappings
These map the HTTP header security Filter, the Set Character Encoding Filter, the Failed Request Filter and the SSI Filter respectively; all of them are commented out. The code is as follows:
<!-- The mapping for the HTTP header security Filter -->
<!--
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
-->
<!-- The mapping for the Set Character Encoding Filter -->
<!--
<filter-mapping>
<filter-name>setCharacterEncodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- The mapping for the Failed Request Filter -->
<!--
<filter-mapping>
<filter-name>failedRequestFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
<!-- The mapping for the SSI Filter -->
<!--
<filter-mapping>
<filter-name>ssi</filter-name>
<url-pattern>*.shtml</url-pattern>
</filter-mapping>
-->
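An added example (not from the original post or the Tomcat project) that audits a web.xml for the settings covered in parts 1 to 4: it layers explicit init-param values over the defaults quoted in the comments and reports directory listings, a writable default servlet, enabled SSI or CGI servlets, allowExec, and an unmapped httpHeaderSecurity filter. The sample document, the choice of checks and all function names are assumptions of the example.

```python
import xml.etree.ElementTree as ET

NS = {"jee": "http://xmlns.jcp.org/xml/ns/javaee"}
# Defaults taken from the comment blocks quoted on this page.
DEFAULTS = {
    "default": {"listings": "false", "readonly": "true"},
    "ssi": {"allowExec": "false"},
}
# Values this example reports (the choice of checks is an assumption).
FLAGGED = {
    ("default", "listings"): "true",   # directory listings produced
    ("default", "readonly"): "false",  # PUT and DELETE accepted
    ("ssi", "allowExec"): "true",      # SSI exec command enabled
}

# Constructed sample, not the shipped file: listings switched on, the SSI
# servlet uncommented with allowExec, header filter mapping still commented.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>ssi</servlet-name>
    <init-param><param-name>allowExec</param-name><param-value>true</param-value></init-param>
  </servlet>
  <!--
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
</web-app>"""

def text(elem, tag):
    """Namespace-aware child text, stripped of surrounding whitespace."""
    return elem.findtext(f"jee:{tag}", default="", namespaces=NS).strip()

def effective_params(root):
    """Map servlet-name -> init-params, explicit values layered over DEFAULTS."""
    servlets = {}
    for servlet in root.findall("jee:servlet", NS):
        name = text(servlet, "servlet-name")
        params = dict(DEFAULTS.get(name, {}))
        for ip in servlet.findall("jee:init-param", NS):
            params[text(ip, "param-name")] = text(ip, "param-value")
        servlets[name] = params
    return servlets

def audit(xml_text):
    """Return findings for the active (uncommented) configuration."""
    root = ET.fromstring(xml_text)
    servlets = effective_params(root)
    findings = [f"{s}: {p}={v}" for (s, p), v in FLAGGED.items()
                if servlets.get(s, {}).get(p) == v]
    findings += [f"{n}: servlet enabled" for n in ("ssi", "cgi") if n in servlets]
    mapped = {text(m, "filter-name") for m in root.findall("jee:filter-mapping", NS)}
    if "httpHeaderSecurity" not in mapped:
        findings.append("httpHeaderSecurity: filter not mapped")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Because the parser skips XML comments, a servlet or filter mapping that is still commented out is treated as absent, which matches how Tomcat reads the file.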
5. Default Session Configuration
Sets the default session timeout (in minutes) for all newly created sessions.
<!-- You can set the default session timeout (in minutes) for all newly -->
<!-- created sessions by modifying the value below. -->
<session-config>
<session-timeout>30</session-timeout>
</session-config>
6. Default MIME Type Mappings
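When serving static resources, Tomcat automatically generates the "Content-Type" header based on the extension of the resource's file name; the mappings it relies on are what this part configures. You can add mappings here as needed (they will apply to every application on this Tomcat instance) or put them in your web application's deployment descriptor. Note: file extensions are case-sensitive.
This part of the code is very long, taking up 90% of the web.xml file; open the file to see it. It covers essentially every file type you are likely to encounter.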
7. Default Welcome File List
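When a request URI points to a directory, the default servlet looks for a "welcome file" in that directory; if one exists, it is displayed in response to the request.
If there is no welcome file, the default servlet either serves a directory listing (see the default servlet configuration) or returns a 404 status, depending on the listings setting.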
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>