• Specify a value in the range of 0x00 to 0xFF in the argument of the print(char c) method of the ServletOutputStream class. If you specify a value outside the range, java.io.CharConversionException is thrown.
• In the ServletInputStream class, the mark method and reset method are not supported. Also, the markSupported method always returns false.
• If data is read from the ServletInputStream class and then forwarded, the data read from the forwarded ServletInputStream class is treated as the data that was read before forwarded. Also, if all the data is read from the ServletInputStream class before forwarded, the request parameter becomes null at the forwarded destination.

If Locale.JAPANESE is specified in the setLocale method of the ServletResponse class, charset of Content-Type header becomes Shift_JIS.

In the getRequestURI method of the HttpServletRequest class, the optimized URI is returned. For example, xxx//yyy/zzz is converted to xxx/yyy/zzz and xxx/yyy/../zzz is converted to xxx/zzz.

If a Web server fails to read the POST data, the servlets operating in the Web container generate an IllegalStateException exception when invoking the following ServletRequest class methods:

• getParameter method
• getParameterNames method
• getParameterValues method
• getParameterMap method

Also, when a system receives form data having Content-Type as multipart/form-data, the KDJE39336-E message is output and an IllegalStateException exception occurs, at the time of invoking the above-mentioned methods or the following methods of the HttpServletRequest class. At this time, check whether the size of the received form data is correct and if the size is correct, revise the setup value of webserver.connector.limit.max_post_form_data.

• getPart method
• getParts method

In the ServletContextAttributeListener interface, HttpSessionAttributeListener interface, and ServletRequestAttributeListener interface, events might be reported even when the attributes used internally by the Web container are added, deleted, and updated. Reference the attribute names of the reported events and ignore them if the attribute name is not used in the Web application.

• java.util.Set obtained by the getResourcePaths method of the ServletContext interface is used for the reference. Do not add or delete elements for java.util.Set. If the add, addAll, clear, remove, and removeAll methods are used, the IllegalStateException exception might be thrown.
• In the argument of the getContext method of the ServletContext interface, specify the URL that uses the existing context root name. If a URL that uses a non-existent context root name is used, the operations might not function properly.
• In the getResource method and the getResourceAsStream method of the ServletContext interface, specify the resources included in the relevant Web application. If resources outside the relevant Web application are specified, the operations might not function properly.

When accessing the directory included in the Web application, do not specify the query string and POST data since you might not be able to acquire them from the redirect destination resource.

• The getRemoteHost method of the ServletRequest interface returns the host name of the client that sends the request, but if the settings are such that the Web server cannot resolve or does not resolve the host name, the IP address is returned.
  In the default settings, the Web server settings are not specified, so the IP address is returned. To acquire the host name, you must change the Web server settings. However, if you change the settings, the response might be delayed for resolving the host name. For details on how to change the Web server settings, see the uCosminexus Application Server HTTP Server User Guide.
  

If processing that should not be executed multiple times in one process is described in a servlet, specify settings such that the execution of the servlet and the processing is not parallel. Especially, in the initialization process for starting the communication with OTM, resident threads that do not exit even after the instance is deleted might be generated. For example, every time the ORB.init method that is the initialization function of Cosminexus TPBroker is invoked, a resident thread for monitoring is generated for the garbage collection and this thread lasts until the process ends. Therefore, if the ORB.init method is executed more number of times than necessary in one process, there might be adverse effects such as the unnecessary garbage collection processes increase and the performance of the entire system declines greatly.

To prevent such events, when you describe processing that you want to execute only once in one process in the servlet, you must first determine whether that processing is already executed in the process. Specifically, in an optional class, prepare a static variable as a condition flag that stores the status of whether certain processing is already executed. By executing the processing only if the value of the static variable means 'Not Executed' and changing the value to one that means 'Executed', you can limit the execution frequency of that processing to only once in one process. However, note the following two points:

• When using the static variable in the optional class, do not specify the following settings in usrconf.properties or hitachi_web.properties:
  - webserver.context.reloadable=true
  - webserver.jsp.recompilable=true
  If the above settings are specified, the instance of that class is automatically destroyed and re-generated, and therefore, the value of the static variable is also initialized along with this setting. For details on the settings of usrconf.properties and hitachi_web.properties, see the uCosminexus Application Server Definition Reference Guide.
  
• Specify the keyword synchronized in the method for executing this processing so that while a certain thread references the value of the static variable that is a condition flag and then changes the value, another thread will not execute similar processing. The following is an coding example in which this method is used such that the initialization function ORB.init method of Cosminexus TPBroker is invoked only once:
  

  static org.omg.CORBA.ORB _orb=null; public static synchronized org.omg.CORBA.ORB getORB(String[] args, Properties props) { if(_orb==null) { _orb=org.omg.CORBA.ORB.init(args, props) ; } return _orb; }

You can use the gateway specification functionality that reports the gateway information to the Web container and correctly redirects the information to the welcome file and FORM authentication window. For details on the gateway specification functionality, see 4.10 Notification of gateway information to a Web container.

If you use the gateway specification functionality, some servlet API functions behave differently. For each used method, the following points describe the precautions for servlet API functions in the gateway specification functionality:

• sendRedirect method of the javax.servlet.http.HttpServletResponse interface
  If relative URL is specified in the argument and the request is without the Host header, the host name and port number of the redirect destination URL is the value specified in the gateway specification functionality. If relative URL is specified in the argument and if the scheme is considered as https in the gateway specification functionality, the scheme of the redirect destination URL is always https.
  
• getRequestURL method of the javax.servlet.ServletRequest interface
  If you specify the settings for scheme to be considered as https in the gateway specification functionality, the return value is always a URL beginning with https://.
  
• getServerName method of the javax.servlet.ServletRequest interface
  If the host name of the redirect destination URL is specified in the gateway specification functionality and if the request does not have a Host header, the return value is the specified value.
  
• getServerPort method of the javax.servlet.ServletRequest interface
  If the port number of the redirect destination URL is specified in the gateway specification functionality and if the request does not have a Host header, the return value is the specified value. If the host name of the redirect destination URL is specified in the gateway specification functionality and if the port number is omitted, the return value is 80 if the request scheme is http and 443 if the request scheme is https.
  
• getScheme method of the javax.servlet.ServletRequest interface
  If the scheme is considered as https in the gateway specification functionality, the return value is always https.
  
• isSecure method of the javax.servlet.ServletRequest interface
  If the scheme is considered as https in the gateway specification functionality, the return value is always true.
  
• getAttribute method of the javax.servlet.ServletRequest interface
  Even if the scheme is considered as https in the gateway specification functionality, the following attributes cannot be acquired:
  
  • javax.servlet.request.cipher_suite (if Microsoft IIS is used as the Web server, regardless of the use of the gateway specification functionality, this attribute cannot be acquired)
  • javax.servlet.request.key_size
  • javax.servlet.request.X509Certificate

When gateways such as SSL accelerator and load balancer are used, the return value of the following servlet API functions is the IP address and host name of the gateway instead of the IP address and host name of the client.

• getRemoteAddr method of the javax.servlet.ServletRequest interface
• getRemoteHost method of the javax.servlet.ServletRequest interface

The Web container registers the information required for controlling the Web application in the attributes of the javax.servlet.ServletContext object. The attribute names acquired by the getAttributeNames method of the ServletContext interface in the Web application also include the attribute names registered by the Web container.

When you register the attributes in the ServletContext object in the Web application, do not use the key names starting with the following strings:

• org.apache.catalina
• com.hitachi.software.web
• jspx

Also, attributes defined in the Java EE specifications are also added in ServletContext, so do not register the attributes with same key names.

The following methods of the javax.servlet.ServletRequest interface are the methods for acquiring the information about the client who sent the request or the proxy passed last, but in an environment where the reverse proxy is used, the information to be acquired is the reverse proxy information.

• getRemoteAddr method
• getRemoteHost method
• getRemotePort method

After executing the getWriter method of the javax.servlet.ServletResponse interface, if the reset method is executed, for the character encoding specified in the Content-Type of the HTTP response, specify the same character encoding once again by using one of the following API functions (all from the javax.servlet.ServletResponse interface):

• setContentType method
• setLocale method
• setCharacterEncoding method^#

#

A method added in the Servlet 2.4 specifications.

In Servlet 2.4 and later specifications, when you set the character encoding by using these API functions, the API functions must be invoked before executing the getWriter method. However, only when the reset method is executed after executing the getWriter method, you can set the character encoding using these API functions until the getWriter method is invoked once again.

If you specify 0 in the argument of the setMaxInactiveInterval method of javax.servlet.http.HttpSession interface, the session does not timeout.

When you use the in-process HTTP server functionality, java.io.BufferedReader obtained with the getReader method of javax.servlet.ServletRequest does not support mark operations. The markSupported method returns false.

If you specify 1 in the argument of the setVersion method of javax.servlet.http.Cookie class, the Set-Cookie2 header is added to the response when the Web server integration functionality is used, but the Set-Cookie header is added when the in-process HTTP server functionality is used.

If a relative path that does not start with a forward slash (/) is specified in the argument of the getRequestDispatcher method of javax.servlet.ServletRequest interface, the path becomes the relative path from the URL pattern specified in the servlet mapping of this servlet. If the URL pattern ends with a forward slash (/), the path becomes the relative path from the parent directory.

For example, if you execute the getRequestDispatcher method by specifying "hello.html" from the servlet where the servlet mapping is specified in "/a/b/", "/a/hello.html" is obtained.

The servlet buffer used for sending a response is maintained for each request processing thread. If you execute the setBufferSize method of javax.servlet.ServletResponse interface to change the buffer size, the changed buffer size is applied to all the requests processed by the relevant thread containing the other Web applications on the same J2EE server. When you use the setBufferSize method of javax.servlet.ServletResponse to change the buffer size, estimate the memory usage after considering that the memory-of-buffer-size number-of-request-processing-thread is secured. Note that the buffer that has been acquired once is valid until update is performed by the setBufferSize method from the Web application for each processing thread.

If the Content-Type is not explicitly specified in a servlet with the setContentType method of the javax.servlet.ServletResponse interface, the Content-Type header is not created. Therefore, you cannot check the character encoding of the HTTP response from the "charset=" field of the Content-Type header.

In the Web applications compliant with specifications prior to Servlet 2.4 version, the operations when the getId method of the disabled javax.servlet.http.HttpSession object is invoked differ in the Servlet specifications and the Application Server. The operations to be performed in these cases are as follows:

Servlet specifications

The java.lang.IllegalStateException exception is thrown.

Application server

Null is returned.

When the information acquired with the methods listed in the following table is output in the response, the information must be sanitized:

Table 6-13 Methods that require the acquired information to be sanitized

Interface name	Method name
javax.servlet.ServletRequest	getCharacterEncoding()
	getContentType()
	getInputStream()
	getParameter(java.lang.String name)
	getParameterMap()
	getParameterNames()
	getParameterValues(java.lang.String name)
	getProtocol()
	getReader()
	getServerName()
javax.servlet.http.HttpServletRequest	getCookies()
	getHeader(java.lang.String name)
	getHeaderNames()
	getHeaders(java.lang.String name)
	getMethod()
	getPathInfo()
	getPathTranslated()
	getQueryString()
	getRequestedSessionId()
	getRequestURI()
	getRequestURL()
	getServletPath()

The java.util.Locale object that can be obtained with the getLocale method or getLocales method of the javax.servlet.ServletRequest interface is created from the value of the Accept-Language header of the HTTP request.

The Web Container checks if the locale of the Accept-Language header value (ISO language code, ISO country code, or variants) contains characters other than alphabetic characters. If the locale contains non-alphabetic characters, the locale is determined to be invalid, the KDJE39546-W message is output in the message log for each invalid locale, and the locale is ignored.

If an Accept-Language header containing an invalid locale is received, the getLocale method or getLocales method returns only the java.util.Locale object with the correct locale. If all the locales specified in the Accept-Language header are invalid, it is considered that the Accept-Language header does not exist and the default server locale is returned.

The return value of the getServerName method of the javax.servlet.http.HttpServletRequest interface differs from the value of the Host header set by the HTTP client, when the Host header is rewritten by uCosminexus Application Server HTTP Server User Guide and reverse proxy.

In Servlet 2.4 or earlier versions, the settings of all response headers in the include destination servlet are ignored according to the specifications. However, in Application Server, the settings of the response header in getSession are enabled even when Servlet 2.4 is used.

For static contents without MIME mapping, Content-Type is not assigned.

When a request to which a session ID is added is sent to the Web container, the HTTP session access time is refreshed to the current time. However, this update is not carried out when a session timeout has already occurred or the session has been disabled.

The HTTP session time is used for the following cases:

• The return value of the getLastAccessedTime() method of the javax.servlet.http.HttpSession interface
  The getLastAccessedTime() method of the javax.servlet.http.HttpSession interface returns the timing of accessing the HTTP session at the time of previous update.
  
• HTTP session timeout
  When the difference between the current time and the time of accessing the HTTP session exceeds the timeout value, a timeout occurs for the HTTP session. As the timeout monitoring for the HTTP session is executed at an interval of 30 seconds, a timeout does not always occur at the correct timeout time.
  

When an HTTP request does not include the Content-Length header, the return value of the getContentLength() method of javax.servlet.ServletRequest and the return value when "Content-Length" is specified in the argument, in the getIntHeader() method of javax.servlet.http.HttpServletRequest differ in the Servlet specifications and Application Server. The respective return values are as follows:

Servlet specification

Returns -1.

Application Server

Returns 0.