How do I use listeners like ServletContextListener for lifecycle management?

In Jakarta EE (formerly Java EE), you can use listeners like ServletContextListener to manage the lifecycle of a web application’s ServletContext. It provides hooks to execute logic during the initialization and destruction stages of the application. This can be useful for resource initialization, cleanup, or logging purposes.

Here’s how you can use ServletContextListener:


1. Implementing ServletContextListener

Create a class that implements the ServletContextListener interface. There are two main methods you can override:

  • contextInitialized(): This method is triggered when the ServletContext is initialized (before the web application starts serving requests).
  • contextDestroyed(): This method is triggered when the ServletContext is about to be destroyed (e.g., when the server shuts down or the application is undeployed).

Example

package org.kodejava.servlet;

import jakarta.servlet.ServletContextEvent;
import jakarta.servlet.ServletContextListener;
import jakarta.servlet.annotation.WebListener;

@WebListener
public class AppLifecycleListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Code to execute during application startup
        System.out.println("Web application starting up...");
        // Example: Initialize resources, setup logging, load configuration, etc.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Code to execute during application shutdown
        System.out.println("Web application shutting down...");
        // Example: Release resources, close connections, etc.
    }
}

2. Registering the Listener

There are two ways to associate the listener with your web application:

a) Using the @WebListener Annotation

The simplest way is to annotate the class with @WebListener. This automatically registers the listener in your application without requiring any additional configuration.

@WebListener
public class AppLifecycleListener implements ServletContextListener {
    // Implementation as shown previously
}

b) Declaring in web.xml

Alternatively, you can declare the listener in the web.xml deployment descriptor:

<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">
    <listener>
        <listener-class>com.example.AppLifecycleListener</listener-class>
    </listener>
</web-app>

3. Common Use Cases

Here are a few common scenarios where you might use ServletContextListener:

  1. Loading Configuration Files: Load configuration settings from a file or database when the application starts.
    @Override
    public void contextInitialized(ServletContextEvent sce) {
       ServletContext context = sce.getServletContext();
       context.setAttribute("config", "some config value or object");
    }
    
  2. Resource Initialization and Cleanup: Initialize shared resources (e.g., database connections, thread pools) in contextInitialized() and close them in contextDestroyed().
    @Override
    public void contextInitialized(ServletContextEvent sce) {
       System.out.println("Initializing database connection...");
       // Initialize DB connection pool
    }
    
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
       System.out.println("Closing database connection...");
       // Close DB connection pool
    }
    
  3. Setting Context Attributes: Use ServletContext object to set attributes accessible by the entire application.
    sce.getServletContext().setAttribute("appName", "My Application");
    
  4. Third-Party Integrations: Initialize third-party libraries or services during startup and dispose of them during shutdown.


Key Points to Remember

  • The contextInitialized() method is invoked before the application starts serving requests.
  • The contextDestroyed() method ensures proper cleanup when the application is shutting down.
  • Use the @WebListener annotation for easy configuration or declare the listener in web.xml for manual control.
  • Avoid long-running or blocking operations inside lifecycle methods as it might delay the application startup or shutdown process.

By efficiently using ServletContextListener, you can centralize important application lifecycle tasks and manage resources effectively.


Maven dependencies

<dependency>
    <groupId>jakarta.servlet</groupId>
    <artifactId>jakarta.servlet-api</artifactId>
    <version>6.1.0</version>
    <scope>provided</scope>
</dependency>

Maven Central

How do I handle exceptions and errors in Jakarta Servlets?

Handling exceptions and errors in Jakarta Servlets involves several approaches, ranging from defining error-handling configurations in the deployment descriptor (web.xml) to using annotations and specific coding practices. Below are the typical ways to handle errors and exceptions in Jakarta Servlets:


1. Using web.xml for Declarative Exception Handling

In the web.xml file, you can define error pages that are mapped to specific exceptions or HTTP status codes. When an error or exception occurs, the corresponding error page is displayed.

Example:

<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="https://jakarta.ee/xml/ns/jakartaee https://jakarta.ee/xml/ns/jakartaee/web-app_6_0.xsd"
         version="6.0">
    <!-- Define an error page for a specific HTTP status code -->
    <error-page>
        <error-code>404</error-code>
        <location>/error-404.jsp</location>
    </error-page>

    <!-- Define an error page for a specific exception -->
    <error-page>
        <exception-type>java.lang.Exception</exception-type>
        <location>/error-exception.jsp</location>
    </error-page>
</web-app>
  • error-code: Maps a specific HTTP status code (e.g., 404) to an error page.
  • exception-type: Maps a specific Java exception to an error page.
  • location: Specifies the location of the JSP or HTML page to display.

2. Using @WebServlet and Exception Handling in Code

In your custom servlet, you can explicitly handle exceptions using try-catch blocks or override the service or doGet/doPost methods.

Example:

package org.kodejava.servlet;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

@WebServlet(urlPatterns = "/exceptionServlet", asyncSupported = true)
public class ExceptionServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        try {
            // Servlet logic that may throw an exception
            int result = 10 / 0;  // This will throw an ArithmeticException
        } catch (ArithmeticException e) {
            // Handle specific exceptions
            request.setAttribute("errorMessage", "An error occurred: " + e.getMessage());
            request.getRequestDispatcher("/error.jsp").forward(request, response);
        } catch (Exception e) {
            // Handle generic exceptions
            throw new ServletException("An unexpected error occurred", e);
        }
    }
}

3. Custom Error Pages in JSP

Error pages can be written as JSPs (.jsp). To make use of the exception details, JSPs have access to the exception and other implicit objects such as request and response.

Example: error-exception.jsp

<%@ page isErrorPage="true" %>
<html>
<head><title>Error Page</title></head>
<body>
    <h1>An error occurred</h1>
    <p>Error message: ${exception.message}</p>
    <p>Exception type: ${exception.class.name}</p>
</body>
</html>
  • The attribute isErrorPage="true" makes the JSP aware of the exception object.

4. Defining an Error Filter

You can define a Jakarta Servlet filter that intercepts all requests and handles errors more generically before they reach the targeted servlet or after they are processed.

Example:

package org.kodejava.servlet;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.annotation.WebFilter;

import java.io.IOException;

@WebFilter("/*")
public class ErrorHandlingFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(request, response); // Pass request and response to the next filter or servlet
        } catch (Exception e) {
            request.setAttribute("errorMessage", e.getMessage());
            request.getRequestDispatcher("/error.jsp").forward(request, response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}

This filter catches any unhandled exceptions and forwards the request to an error page.


5. Logging Exceptions

It is a best practice to log exceptions for debugging and monitoring purposes. You can use logging frameworks like Java’s java.util.logging, Log4j, or SLF4J to capture exceptions.

Example with java.util.logging:

package org.kodejava.servlet;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.util.logging.Logger;

@WebServlet(urlPatterns = "/loggingServlet", asyncSupported = true)
public class LoggingServlet extends HttpServlet {
    private static final Logger logger = Logger.getLogger(LoggingServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        try {
            // Code that might throw exceptions
        } catch (Exception e) {
            logger.severe("An unexpected error occurred: " + e.getMessage());
            throw new ServletException("Internal server error", e);
        }
    }
}

6. Using HTTP Status Codes

Always set appropriate HTTP status codes when handling errors, so clients are aware of the issue.

Example:

response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid input provided");

Best Practices:

  1. Consistent Error Pages: Create a unified style for error pages to provide a better user experience.
  2. Avoid Revealing Sensitive Data: Never display stack traces or sensitive information to the user.
  3. Use Centralized Logging: Implement a centralized mechanism to log and monitor exceptions.
  4. Handle Specific Errors: Provide user-friendly error messages for known and predictable failures (e.g., 404 Not Found, 403 Forbidden).
  5. Fallback Handling: Ensure a fallback mechanism is in place for uncaught exceptions (e.g., generic error page).

By combining these mechanisms, you can effectively handle exceptions and errors in Jakarta Servlets while ensuring robust error handling and user-friendly responses.


Maven dependencies

<dependency>
    <groupId>jakarta.servlet</groupId>
    <artifactId>jakarta.servlet-api</artifactId>
    <version>6.1.0</version>
    <scope>provided</scope>
</dependency>

Maven Central

How do I use AsyncContext for asynchronous processing in servlets?

Using AsyncContext in servlets allows you to perform asynchronous request processing. This can improve scalability in situations where a request might involve long-running operations, such as external API calls or database queries, by freeing up server threads while those tasks are performed.

Here’s how you can use AsyncContext for asynchronous processing in a servlet:


1. Mark the Servlet to Support Asynchronous Processing

You need to mark the servlet explicitly as supporting asynchronous processing using the @WebServlet annotation or by defining it in web.xml.

package org.kodejava.servlet;

import jakarta.servlet.AsyncContext;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

@WebServlet(urlPatterns = "/asyncServlet", asyncSupported = true)
// Enable async processing
public class AsyncServlet extends HttpServlet {

   // Create a thread pool for processing
   private final ExecutorService executor = Executors.newFixedThreadPool(10);

   @Override
   protected void doGet(HttpServletRequest request, HttpServletResponse response)
           throws ServletException, IOException {

      // Start async processing
      AsyncContext asyncContext = request.startAsync();

      // Add a timeout if needed
      asyncContext.setTimeout(10000); // 10 seconds

      // Submit async task to executor
      executor.submit(() -> {
         try {
            // Simulate a long task
            Thread.sleep(2000);

            // Write response
            response.getWriter().write("Asynchronous processing completed!");
         } catch (Exception e) {
            asyncContext.complete();
            e.printStackTrace();
         } finally {
            // Mark the async context complete
            asyncContext.complete();
         }
      });
   }

   @Override
   public void destroy() {
      executor.shutdown(); // Shut down the executor when the servlet is destroyed
   }
}

Key Steps in the Code:

  1. Enable Asynchronous Processing:
    Use the @WebServlet annotation’s asyncSupported = true or explicitly configure it in web.xml.

  2. Start Asynchronous Context:
    Call request.startAsync() to start asynchronous processing. This detaches the request and response from the servlet’s typical request-response lifecycle.

  3. Set Timeout (Optional):
    Call asyncContext.setTimeout() to define a maximum time for asynchronous processing. If processing exceeds this time, the AsyncListener.onTimeout method will be triggered, which can be useful for handling timeouts.

  4. Perform Asynchronous Task:
    Use a dedicated thread, thread pool (ExecutorService), or an external resource to perform long-running tasks. This prevents blocking the server’s thread.

  5. Complete the Request:
    Once processing is completed, call asyncContext.complete() to end the asynchronous context, signaling the server to finalize the response.

  6. Handle Exceptions:
    Wrap asynchronous operations in a try-catch block to handle any errors properly and ensure asyncContext.complete() is always called.


2. Advanced Use: Integrate with AsyncListener

With the AsyncListener, you can listen to lifecycle events of asynchronous operations, such as completion, timeouts, errors, etc.

package org.kodejava.servlet;

import jakarta.servlet.AsyncContext;
import jakarta.servlet.AsyncEvent;
import jakarta.servlet.AsyncListener;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/asyncWithListener", asyncSupported = true)
public class AsyncServletWithListener extends HttpServlet {

   @Override
   protected void doGet(HttpServletRequest request, HttpServletResponse response) {
      AsyncContext asyncContext = request.startAsync();

      asyncContext.addListener(new AsyncListener() {

         @Override
         public void onComplete(AsyncEvent event) {
            System.out.println("Async operation completed");
         }

         @Override
         public void onTimeout(AsyncEvent event) {
            System.out.println("Async operation timed out");
         }

         @Override
         public void onError(AsyncEvent event) {
            System.out.println("Async operation error occurred");
         }

         @Override
         public void onStartAsync(AsyncEvent event) {
            System.out.println("Async operation started");
         }
      });

      asyncContext.start(() -> {
         try {
            // Simulate task
            Thread.sleep(2000);

            response.getWriter().write("Task processed with listener!");
         } catch (Exception e) {
            e.printStackTrace();
         } finally {
            asyncContext.complete();
         }
      });
   }
}

3. Important Notes

  • Thread Safety: Request/Response objects are shared among multiple threads in asynchronous processing. Avoid modifying shared data in a non-thread-safe way.
  • Clean-up Resources: Always ensure you complete the AsyncContext and close any resources used during async processing.
  • Timeouts: It’s a good practice to handle timeouts using AsyncListener to notify the client of any delays.

Using AsyncContext allows your servlet to better handle high concurrency and long-running tasks, improving the application’s scalability and performance.

Maven dependencies

<dependency>
    <groupId>jakarta.servlet</groupId>
    <artifactId>jakarta.servlet-api</artifactId>
    <version>6.1.0</version>
    <scope>provided</scope>
</dependency>

Maven Central

How do I log from a servlet using ServletContext.log()?

In Java servlets, you can use the ServletContext.log() method to log messages, exceptions, or context-specific information. The ServletContext object is available in your servlet and allows you to log messages to the server’s log file.

Here are the common ways you can log using ServletContext.log():

1. Logging a simple message:

You can log plain text messages with ServletContext.log(String message).

package org.kodejava.servlet;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletContext;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

@WebServlet("/logMessage")
public class MyLogServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletContext context = getServletContext();
        context.log("This is a simple log message.");
        response.getWriter().println("Message logged.");
    }
}

2. Logging a message with an exception:

If you want to log an exception with additional context, you can use ServletContext.log(String message, Throwable throwable).

package org.kodejava.servlet;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletContext;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

@WebServlet("/logException")
public class MyLogServlet2 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletContext context = getServletContext();
        try {
            // Simulate an exception
            int result = 10 / 0;
        } catch (Exception e) {
            context.log("An exception occurred: ", e);
        }
        response.getWriter().println("Exception logged.");
    }
}

3. Including dynamic information:

You can include dynamic content in the log messages to make your logs more informative.

package org.kodejava.servlet;

import jakarta.servlet.ServletException;
import jakarta.servlet.ServletContext;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

@WebServlet("/logAccess")
public class MyLogServlet3 extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        ServletContext context = getServletContext();
        String userIP = request.getRemoteAddr();
        context.log("Access from IP: " + userIP);
        response.getWriter().println("Access logged.");
    }
}

Points to Remember

  1. Where the logs are written: The ServletContext.log() messages are typically written to the application server’s log file (e.g., catalina.out for Tomcat). This location depends on the server configuration.
  2. Severity levels: The ServletContext.log() does not natively support different log levels like INFO, WARN, or ERROR. If you need more advanced logging capabilities, consider using a logging framework such as SLF4J, Log4j, or java.util.logging.
  3. Thread Safety: The logging methods of ServletContext are thread-safe.

This is how you can log using ServletContext.log() in your servlet-based application.

Maven dependencies

<dependency>
    <groupId>jakarta.servlet</groupId>
    <artifactId>jakarta.servlet-api</artifactId>
    <version>6.1.0</version>
    <scope>provided</scope>
</dependency>

Maven Central

How do I secure servlets with declarative security in web.xml

Securing servlets with declarative security in the web.xml deployment descriptor is an essential practice in Java web applications. It allows you to define security constraints without writing specific code, instead leveraging the standard configuration mechanism in web.xml. Here’s how you can do it step-by-step:


1. Define a Security Constraint

The <security-constraint> element is used to define access rules (restrictions) for specific URL patterns or resources.

<security-constraint>
    <display-name>Protected Area</display-name>
    <web-resource-collection>
        <web-resource-name>ProtectedServlet</web-resource-name>
        <url-pattern>/protected/*</url-pattern>
        <http-method>GET</http-method>
        <!-- You can specify other methods like POST, PUT, DELETE, etc. -->
    </web-resource-collection>
    <auth-constraint>
        <!-- Specify user roles allowed to access these resources -->
        <role-name>ADMIN</role-name>
    </auth-constraint>
</security-constraint>
  • <web-resource-collection>: Defines which resources (e.g., servlet paths or URL patterns) are protected.
    • Include one or more <url-pattern> sub-elements for specific paths.
    • Use <http-method> if you want to secure specific HTTP methods (e.g., GET or POST).
  • <auth-constraint>: Specifies the roles allowed access to the protected URL patterns. Define roles in the <role-name> tag.


2. Configure the Authentication Mechanism

The <login-config> element specifies the type of authentication and the location of the login pages (if required).

<login-config>
    <auth-method>BASIC</auth-method> <!-- Can be BASIC, DIGEST, FORM, CLIENT-CERT -->
    <realm-name>MySecureRealm</realm-name>
</login-config>
  • Auth Methods:
    • BASIC: Uses the browser’s built-in login dialog.
    • FORM: Uses custom login and error pages defined in web.xml.
    • DIGEST: Similar to BASIC, but passwords are hashed.
    • CLIENT-CERT: Authenticates users via client certificates (SSL/TLS).

Example for FORM Authentication:

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/error.html</form-error-page>
    </form-login-config>
</login-config>

3. Define Security Roles

Use the <security-role> element to list all the roles used in your application.

<security-role>
    <role-name>ADMIN</role-name>
</security-role>
<security-role>
    <role-name>USER</role-name>
</security-role>

These roles correlate with the roles you define in the <auth-constraint> section.


4. Example web.xml Configuration

A complete example with all the above steps:

<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="5.0">
    <security-constraint>
        <display-name>Secure Admin Pages</display-name>
        <web-resource-collection>
            <web-resource-name>Admin Resources</web-resource-name>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ADMIN</role-name>
        </auth-constraint>
       <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.html</form-login-page>
            <form-error-page>/error.html</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
        <role-name>USER</role-name>
    </security-role>
</web-app>

5. Configuring Realm

a. Tomcat: tomcat-users.xml

In Tomcat, the tomcat-users.xml file (located in the conf folder) is the default User Realm. You can define users and their roles directly in this file.

Example tomcat-users.xml:

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
    <role rolename="ADMIN"/>
    <role rolename="USER"/>

    <user username="admin" password="admin1234" roles="ADMIN" />
    <user username="user1" password="password" roles="USER,ADMIN" />
    <user username="guest" password="guest" roles="USER" />
</tomcat-users>
  • username: The username the user enters in the form.
  • password: The password used for authentication.
  • roles: The roles granted to this user. These roles must match the ones defined in web.xml (<security-role>).

When a user submits the form with j_security_check, the server matches their credentials against this file and determines whether they have the necessary role(s) to access the resource.

login.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Login</title>
</head>
<body>
<form class="login-form" method="post" action="j_security_check">
    <h2>Login</h2>
    <div class="error">
        <!-- Uncomment this for demonstration -->
        <!-- Invalid username or password -->
    </div>
    <label for="username">Username</label>
    <input type="text" id="username" name="j_username" placeholder="Enter your username" required>
    <label for="password">Password</label>
    <input type="password" id="password" name="j_password" placeholder="Enter your password" required>
    <button type="submit">Login</button>
</form>
</body>
</html>

error.html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Access Denied</title>
</head>
<body>
<div class="error-container">
    <h1>Access Denied</h1>
    <p>Sorry, you are not authorized to access this page.</p>
    <a href="login.html">Return to Login</a>
</div>
</body>
</html>

Key Elements Explained:

  1. <security-constraint>:
    • Protects resources (e.g., /admin/* or /protected/*).
    • Specifies roles allowed to access resources.
  2. <auth-constraint>:
    • Specifies authorized roles for the secured resource.
  3. <login-config>:
    • Defines the authentication mechanism (BASIC, FORM, DIGEST, CLIENT-CERT).
  4. <user-data-constraint>:
    • Specifies transport security (e.g., CONFIDENTIAL ensures HTTPS is used).

Notes:

  • The actual user-role mapping is provided by the application server (through deployment descriptors, database configuration, or an external realm). How roles map to users is server-specific.
  • For FORM authentication, form-login-page is a path to your custom login page relative to the application’s context root.

This declarative approach is efficient for servlet security and follows the Jakarta EE standards.