Default Implementation of HTTP PUT Method
The SAP J2EE Engine Web Container provides a default implementation of the HTTP 1.1 PUT method in a servlet called PutServlet. It is defined in the global-web.xml global descriptor. The Web Container protects this method by default using a filter class called PutProtectionFilter.
The PutServlet implements the requirements for uploading files using the HTTP 1.1 PUT method. This is the case when the value of the Upload Enabled initialization parameter defined in the global-web.xml for the servlet is true. If the value of the parameter is false, the PutServlet is initialized so that it does not perform file upload and returns an error message stating that the PUT method is not allowed. You can use the Upload Enabled parameter to switch off the default PUT implementation.
By default, the PutServlet is invoked by the Web Container when a client requests a resource that has no other Web component mapped to it. Web applications can provide their own PUT implementation. If the servlet that performs the PUT method is mapped to a certain Web application resource, it is invoked instead of the default PutServlet. If the Web application provides its own implementation of the PUT method, the application developer is responsible for protecting it using the Web application’s deployment descriptors. For more information about setting security constraints, see Specifying Security Constraints.
The Web Container provides protection of the default PUT implementation provided by the PutServlet. The protection is implemented in a filter class that is mapped to the PutServlet. The PutProtectionFilter class first checks whether the client is logged in and is authorized to perform PUT requests before it passes the request and response objects to the PutServlet.
To be able to perform PUT requests, users must be added to a security role called $SAP_J2EE_Engine_Upload. The PutProtectionFilter creates this role (if it does not already exist). By default, only the Administrator group of users is mapped to this role using the global-web.xml descriptor. You can add users to this group using the Security Service. For more information, see Managing Users and Managing Groups in the Administration Manual.
For user authentication, the PutProtectionFilter uses the authentication scheme configured for the Web application (that is, the authentication method you have specified in the web.xml descriptor or the login module stack you have configured in the web-j2ee-engine.xml). If you have not configured any authentication scheme for the application, a default scheme configured in the global-web.xml is used. If there is no such default login configuration in the global-web.xml, the PutProtectionFilter returns an error and no PUT requests can be processed by the PutServlet.
When you upload a file using the PutServlet, the result is that the corresponding Web application is updated (using the deployment APIs) in the database and that change is replicated in the whole cluster.
To manage the usage of the default PUT implementation that the Web Container provides, you must manually edit the global-web.xml descriptor that is located in the \cluster\server\persistent\servlet_jsp subdirectory of the directory where your SAP J2EE Engine instance is installed. You can do the following:
· Disable the default PUT implementation by changing the value of the Upload Enabled initialization parameter of the PutServlet to false.
· Remove the default protection of the PutServlet by removing the mapping of the PutProtectionFilter to it. PUT requests then reach the PutServlet without the login and authorization check that the filter performs.
· Change which users are authorized to upload files by adding or removing the association of users (or groups of users) with the $SAP_J2EE_Engine_Upload security role.
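
The following audit script is an added example, not SAP code: it reads a descriptor and reports the state of the three settings described above (Upload Enabled, the filter mapping, and the default login configuration). It assumes that global-web.xml uses the standard servlet deployment-descriptor element names without an XML namespace and that the servlet and filter are declared under the names PutServlet and PutProtectionFilter; the sample descriptor is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real SAP descriptor. Element names follow the
# standard servlet deployment-descriptor layout (assumption), and the
# servlet/filter names are assumed to match the class names in the text.
SAMPLE = """<web-app>
  <servlet>
    <servlet-name>PutServlet</servlet-name>
    <init-param>
      <param-name>Upload Enabled</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <filter-mapping>
    <filter-name>PutProtectionFilter</filter-name>
    <servlet-name>PutServlet</servlet-name>
  </filter-mapping>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def text(node, tag):
    """Trimmed text of a child element, or '' when it is missing."""
    return (node.findtext(tag) or "").strip()


def audit_put(xml_text, servlet="PutServlet", flt="PutProtectionFilter"):
    """Return findings about the default PUT implementation."""
    root = ET.fromstring(xml_text)
    enabled = any(
        text(p, "param-name") == "Upload Enabled"
        and text(p, "param-value").lower() == "true"
        for s in root.iter("servlet") if text(s, "servlet-name") == servlet
        for p in s.iter("init-param"))
    if not enabled:
        return ["Upload Enabled is not set to true for PutServlet"]
    findings = ["PUT upload enabled"]
    if not any(text(m, "filter-name") == flt and text(m, "servlet-name") == servlet
               for m in root.iter("filter-mapping")):
        findings.append("RISK: PutProtectionFilter is not mapped to PutServlet")
    if root.find("login-config") is None:
        findings.append("NOTE: no default login-config; PUT is rejected "
                        "unless the application configures authentication")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_put(SAMPLE)))
```

Run it against a copy of the descriptor rather than the live file, and review membership of the $SAP_J2EE_Engine_Upload role separately, since the script does not inspect role mappings.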
