1. Issues when configuring secure cookies
  2. There are two main recommendations to protect your cookies against various threats. In both cases you need to configure some properties in your web.xml file, inside the <session-config> element. The properties are:

    E.g. a sample section from a web.xml file that sets both properties would be the following:


    I've never encountered any problems with http-only, but secure can lead to hard-to-diagnose problems if the server doesn't provide https or if there's something wrong with the certificates. In one particular case the server's refusal to send a cookie over an insecure connection caused my filter code to enter an infinite loop, and I encountered the following (not helpful at all) message in my browser:

    Setting <secure>false</secure> or simply removing the secure element altogether fixed that problem.

  3. Behavior of getContextPath, getServletPath and getPathInfo
  4. The HttpServletRequest class includes the following related methods:

    The following image shows their usage:

  5. Path mappings and extension mappings in servlets
  6. In a nutshell: path mappings take precedence over extension mappings.

    A request may match more than one servlet-mapping in a given context. The servlet container uses a straightforward matching procedure to determine the best match. The matching procedure has four simple rules. First, the container prefers an exact path match over a wildcard path match. Second, the container prefers to match the longest pattern. Third, the container prefers path matches over filetype matches. Finally, the pattern "/" always matches any request that no other pattern matches.

    See more: here and SO question
  7. Servlet accessing init parameters
  8. There are two kinds of init parameters: