This book is not for readers who have no experience with Java and have never written or compiled Java-based applications. If you have no prior Java experience, you will likely find it difficult to understand the text and examples in this book. This is because this book does not cover the Java language syntax or the specifics of the Java SE platform. It is assumed the reader is comfortable writing, compiling, and debugging Java code and is familiar with the standard platform. Very few explanations are given about standard Java features and tools, except where those features were added in Java SE 8.
Professional Java® for Web Applications

Nicholas S. Williams

Published by John Wiley & Sons, Inc., 10475 Crosspoint Boulevard, Indianapolis, IN 46256, www.wiley.com

Copyright © 2014 by John Wiley & Sons, Inc., Indianapolis, Indiana. Published simultaneously in Canada.

ISBN: 978-1-118-65646-4
ISBN: 978-1-118-65651-8 (ebk)
ISBN: 978-1-118-90931-7 (ebk)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2013958292

Trademarks: Wiley, Wrox, the Wrox logo, Programmer to Programmer, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Java is a registered trademark of Oracle America, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

About the Author

Nick Williams is a Software Engineer for UL Workplace Health and Safety in Franklin, Tennessee. A computer science graduate from Belmont University, he has been active in commercial and open source software projects for more than years. He is the founder of DNSCrawler.com, a site for free DNS and IP troubleshooting tools, and NWTS Java Code, an open source community that specializes in obscure Java libraries that meet niche needs. In 2010, the Nashville Technology Council named him the Software Engineer of the Year for Middle Tennessee. Nick is a committer for Apache Logging (including Log4j) and Jackson Data Processor JSR 310 Data Types. He has also contributed new features to Apache Tomcat 8.0, Spring Framework 4.0, Spring Security 3.2, Spring Data Commons 1.6, Spring Data JPA 1.4, and JBoss Logging 3.2; serves as a contributor on several other projects, including OpenJDK; and is a member of the Java Community Process (JCP). Nick currently lives in Tennessee with his wife Allison. You can find him on Twitter @Java_Nick.

About the Technical Editors

Jake Radakovich joined UL Workplace Health and Safety in 2009, and currently serves as Software Developer on the Occupational Health Manager product. Prior to that, he was a research assistant at Middle Tennessee State University working on AlgoTutor, a web-based algorithm development tutoring system. He holds a BS in Computer Science and Mathematics from Middle Tennessee State University. You can follow Jake on Twitter @JakeRadakovich.

Manuel Jordan Elera is an autodidactic developer and researcher who enjoys learning new technologies for his own experiments and creating new integrations. He won the 2010 Springy Award and was a Community Champion and Spring Champion in 2013. In his little free time, he reads the Bible and composes music on his guitar. Manuel is a Senior Member in the Spring Community Forums known as dr_pompeii. You can read about him and contact him through his blog and you can follow him on his Twitter account, @dr_pompeii.

Credits

Acquisitions Editor: Mary James
Project Editor: Maureen Spears Tullis
Technical Editors: Michael Jordan Elera, Jake Radakovich
Technical Proofreader: Jonathan Giles
Senior Production Editor: Kathleen Wisor
Copy Editor: Apostrophe Editing Services
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Associate Director of Marketing: David Mayhew
Marketing Manager: Ashley Zurcher
Business Manager: Amy Knies
Vice President and Executive Group Publisher: Richard Swadley
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Todd Klemme
Proofreaders: Nancy Carrasco; Josh Chase, Word One
Indexer: Robert Swanson
Cover Designer: Wiley
Cover Image: iStockphoto.com/ElementalImaging

Acknowledgments

Thanks to

My wife Allison, whose unwavering support and persistent reminders about deadlines during this stressful year made this book possible.
My parents and siblings, who told me that I could do anything I put my mind to.
Drs. Joyce Blair Crowell and William Hooper, whose dedicated instruction and mentoring made my career possible.
Dr. Sarah Ann Stewart, who believed in me when I thought surely calculus and proofs spelled doom for my education.
Mrs. Lockhart, who inspired me to write.
Jay, for introducing me to Mary, and to Mary and Maureen for making this book a reality.
Jake, for being absurd. Oh, and for agreeing to be my technical editor.

Contents

Introduction

Part I: Creating Enterprise Applications

Chapter 1: Introducing Java Platform, Enterprise Edition
  A Timeline of Java Platforms
  In the Beginning
  The Birth of Enterprise Java
  Java SE and Java EE Evolving Together
  Understanding the Most Recent Platform Features
  A Continuing Evolution
  Understanding the Basic Web Application Structure
  Servlets, Filters, Listeners, and JSPs
  Directory Structure and WAR Files
  The Deployment Descriptor
  Class Loader Architecture
  Enterprise Archives
  Summary

Chapter 2: Using Web Containers
  Choosing a Web Container
  Apache Tomcat
  GlassFish
  JBoss and WildFly
  Other Containers and Application Servers
  Why You’ll Use Tomcat in This Book
  Installing Tomcat on Your Machine
  Installing as a Windows Service
  Installing as a Command-Line Application
  Configuring a Custom JSP Compiler
  Deploying and Undeploying Applications in Tomcat
  Performing a Manual Deploy and Undeploy
  Using the Tomcat Manager
  Debugging Tomcat from Your IDE
  Using IntelliJ IDEA
  Using Eclipse
  Summary

Chapter 3: Writing Your First Servlet
  Creating a Servlet Class
  What to Extend
  Using the Initializer and Destroyer
  Configuring a Servlet for Deployment
  Adding the Servlet to the Descriptor
  Mapping the Servlet to a URL
  Running and Debugging Your Servlet
  Understanding doGet(), doPost(), and Other Methods
  What Should Happen during the service Method Execution?
  Using HttpServletRequest
  Using HttpServletResponse
  Using Parameters and Accepting Form Submissions
  Configuring your Application Using Init Parameters
  Using Context Init Parameters
  Using Servlet Init Parameters
  Uploading Files from a Form
  Introducing the Customer Support Project
  Configuring the Servlet for File Uploads
  Accepting a File Upload
  Making Your Application Safe for Multithreading
  Understanding Requests, Threads, and Method Execution
  Protecting Shared Resources
  Summary

Chapter 4: Using JSPs to Display Content
  Is Easier Than output.println(“”)
  Why JSPs Are Better
  What Happens to a JSP at Run Time
  Creating Your First JSP
  Understanding the File Structure
  Directives, Declarations, Scriptlets, and Expressions
  Commenting Your Code
  Adding Imports to Your JSP

OAuth 2.0, 818–862 authorization grants, 826–831 Authorization Code Grant, 827–829, 836, 837, 839 Client Credentials Grant, 828, 834, 837, 839, 840 Implicit Grants, 828, 836, 837, 839 Resource Owner Password Credentials Grant, 828–829, 837, 839 client application, 838–840, 856–862 controversy, 831–832 introduction, 818–819 key players, 819 Maven dependencies, 815–816 provider 
authorization server implementation, 834–836 configure code and token services, 834–836 manage client details, 833–834 OAuth security expressions, 837 resource server implementation, 836–837 standards documents, 819 terminology, 826 web service security, 816–818 XML Schema URI, 836 OAuth security expressions, 837 OAuth2RestOperations, 838 OAuth2RestTemplate, 838–840, 856, 857, 860, 861, 862 OAuthAccessToken_Scope, 847 oauth_callback, 821 OAuth-Client project, 856–862 oauth_consumer_key, 821 oauth_nonce, 821 oauth_signature, 821 oauth_signature_method, 821 oauth_timestamp, 821 object databases, 546 Object People, 550 object-oriented database management systems (OODBMSs), 546 object-oriented programming, 325, 546, 670, 703 object-relational mappers See O/RMs one-to-many relationships, 705–708 one-to-one relationships, 703–704 OODBMSs See object-oriented database management systems Open Web Application Security Project See OWASP OpenID authentication, 762–764, 819 OpenJDK project, 5, 300 Opera, 267 Opera Mobile, 267 operator precedence, EL, 148–150 operators arithmetic operators, 149, 152 assignment operator (=), 148, 149, 172 comma operator (,), 149 comparison relational operators, 149, 150 dot (.) 
operator, 149, 150, 158 empty operator, 148, 149, 150 eq operator, 148, 149, 150 equality relational operators, 149, 150 ge operator, 148, 149, 150 gt operator, 148, 149, 150 lambda expression operator (->), 149 le operator, 148, 149, 150 logical operators, 148, 149, 640, 666 lt operator, 148, 149, 150 ne operator, 148, 149, 150 not operator, 148, 149, 150 semicolon operator (;), 149, 150, 172 string concatenation operator (+=), 149, 150 optimistic locking, 710 OPTIONS doOptions(), 43 HTTP method, 43, 52, 359 OAuth client, 838 RESTful web services, 477, 478–479, 480–481, 488, 492–493, 498 or keyword, 148 or method, 675 Oracle J2EE evolution, 8–9 Sun Microsystem purchase, 5, O’Reilly, Head First Design Patterns, 370 O/RMs (object-relational mappers) defined, 547 described, 547–552 orm.xml XSD, 566–567 OS X, Mac, 24, 559, 665, 736, 798, 819 out variable, 89, 92 output.println(""), 74–75 OWASP (Open Web Application Security Project), 112, 114 P page directive, 75, 78, 80, 82, 83–86, 94, 102 page scope, 160–161, 167, 184, 189, 196, 198 page variable, 90 PageContext, 89, 161, 165 pageContext, 89–90, 160, 165, 214 , 96, 97, 336 pageEncoding attribute, 83, 96, 218 pageScope, 165, 166 PagingAndSortingRepository, 644, 646, 656 PagingAndSortingRepository, 638–639 param, 165, 166 parameter restrictions, @RequestMapping, 359 parameter validation, 462–463 params attribute, 359 paramValues, 165, 166 parent-first class loader delegation model, 16, 17 parent-last class loader delegation model, 16, 17 password authentication, 731–732 PATCH CSRF token, 775, 776 RESTful web services, 483 , 117 performance Log4j 2, 308 logging frameworks, 306 permissions authorization, 741–743 checking, in method code, 780–782 declare, with annotations, 786–794 permitAll, 753, 775, 783 persistence defined, 543–544 flat-file entity storage, 544 key-value pairs, 715–716 O/RMs, 547–552 structured file storage, 544–545 persistence API See JPA 
persistence logic Controller-Service-Repository pattern, 392 logic layer separation to WebSockets, 409–415 repositories, 392 separation business logic-persistence logic, 391–392 business logic-user interface logic, 390–391 persistence unit configuring in code, 603–607 creating and using, 581–590 injecting, 610–611 PersistenceExceptionTranslators, 601 PersistenceUnitTranslator, 602 persistence.xml, 15, 583–587, 596, 603–606, 632, 634, 680, 693 pessimistic locking, 710 PHP, 94, 110, 147, 151, 519 PHPSESSID, 110 Pike, Rob, 299 pings, 266, 413, 414 pipeline source, 168 plain old Java objects See POJOs PlatformTransactionManager, 598–600, 609, 620, 648 Pluggable Authentication Module, 744 pointcuts, AspectJ, 607–608, 794, 796 POJOs (plain old Java objects) Attachment class, 65 Contact, 190 embedded in entities, 699–703 Employee, 452–454 Ticket class, 65 polling See also WebSockets frequent polling, 259–260 long polling, 70, 260–261, 262 pongs, 266, 272, 413, 414 POST CSRF token, 775, 776 doPost(), 43, 51, 57–58, 59, 67, 78 HTTP method, 43, 52–53, 57, 65, 67, 359 OAuth client, 838 online information, 43 RESTful web services, 482 post variables, 52–53, 54 post-execution annotations, 788–791 PostgreSQL, 559, 571, 593, 606, 799 PostSecurityLoggingFilter, 767–769 pre- and post-execution annotations, 788–791 predicate argument, 168 prefix attribute, 86, 179 PreSecurityLoggingFilter, 767–769 presentation layer, 94, 98–101, 203, 318 prices, Internationalization and Formatting tag library, 193 primitive literals, 153 principals, authorization, 740–741 PrintWriter, 13, 44, 55, 57, 67, 74, 249 processAttachment(), 68 program logic types, 391–393 See also business logic; persistence logic; user interface logic programmatic configuration, filters, 238–239 programmatic triggers, 717–720 programming by contract paradigm, 444, 458 property expressions, 640 protected resources defined, 819 OAuth 2.0, 826–862 OAuth1.0a, 819–825 
protocol parameters, 821 public clients, 826, 827 Publisher.java, 580–581 publishing application events, 342, 523–524 publish-subscribe messaging (pub/sub) introduction, 326 roles, 511 social networking, 511 understanding, 510–511 PUT CSRF token, 775, 776 doPut(), 43, 51 RESTful web services, 482 Python, 5, 685 Q query methods for finding entities, 639–642 query parameters, 52–53 Querydsl, 642, 645 QueryDslJpaRepository, 645 Queues, 158, 159 R RabbitMQ, 536–540 RDBMSs See relational database management systems realm names, 821 receiving and transmitting binary messages, WebSocket cluster, 286–287 Recordon, David, 818, 831 recursive validation, 454–455, 459, 470 RedirectView, 369, 371, 372 Redis, 325, 425, 547 refactoring Customer Support project, 656–661 reference implementation, 6, 20, 21, 22, 444, 552, 564 refresh tokens, 827–830, 835, 836, 842, 848 regular expression, 363, 442, 451, 453, 467, 640, 642 relational database management systems (RDBMSs), 303, 545–546 relational databases See also JDBC; NoSQL databases ACID-compliant, 303 described, 545–546 NoSQL compared to, 302 preparing, 559–563 Spring Data project, 325 SQL tag library, 203–204, 205 triggers, 717 relationships See entities ReloadableResourceBundleMessageSource, 421, 422, 424, 425, 448 remember-me authentication, 752, 761, 765–766, 773, 783, 784 Remote Method Invocation, 510 Remote Procedure Call (RPC), 6, 510, 511, 518 RemoteAuthenticationProvider, 766 removeAttribute(), 123–124, 133 remusername cookie, 110 replay attacks, 733, 734, 735, 821, 840 repositories, 389–416 See also controllers Controller-Service-Repository pattern MVC pattern, 390–391, 416 program logic types, 391–393 for data storage, 399–404 JPA repositories, 610–624 base repository, 613–618 CRUD operations, 611–612 injecting persistence unit, 610–611 Maven dependencies, 389–390 persistence logic, 392 repository interfaces, 638–639 Repository, 638, 644 request attributes, 52, 89, 97, 99–100, 120, 130 request 
dispatcher, 97–98, 230, 236–237 request handling, asynchronous, 237, 243–247, 249, 255, 370 request parameters, HttpServletRequest, 52–53 request scope, 160, 184, 189, 860 request threads, 69–70, 71, 243, 370 request variable, 89 RequestLogFilter.java, 248–249 content type restrictions, 360 controller methods parameters, 360–368 valid return types, 368–370 header restrictions, 359–360 HTTP request method restrictions, 358–359 introduction, 338–339 parameter restrictions, 359 URL restrictions, 356–358 value attribute, 356–358 requestScope, 165, 166 RequestToViewNameTranslator, 369, 371, 373–374, 394 reserved keywords, EL, 148 Resin, 22 resource bundles i18n tags, 194, 195, 196, 197, 201 understanding, 419–421 890 bindex.indd 890 11-02-2014 08:34:55 Resource Owner Password Credentials Grant – scopes Resource Owner Password Credentials Grant, 828–829, 837, 839 resource owners defined, 819 OAuth 2.0, 826–855 OAuth1.0a, 819–825 resource server implementation, 836–837 ResourceBundleMessageSource, 421, 422, 425, 429 ResourceLoader, 338 /resource/stylesheet/login.css, 228, 229, 230 /resource/stylesheet/main.css, 228, 230 response codes See HTTP status codes response compression filters, 234–235, 247–253, 255 response entities, 328, 369–370, 375–380 REST controllers, 478, 484 RESTClient browser add-on, 497–498, 507 RestExceptionHandler, 490–491, 498, 500 RESTful web services, 476–499 See also OAuth Bean Validation, 488–489 configuration, 484–496 CRUD operations, 476 DELETE, 476, 483 discoverability, 477–479 error handling, 488–491 GET, 481–482 HEAD, 481–482 HTTP status codes, 479–480 Maven dependencies, 473 OPTIONS, 477, 478–479, 480–481, 488, 492–493, 498 PATCH, 483 POST, 482 PUT, 482 SOAP compared to, 476–477 Spring MVC controllers, 484–496 mapping RESTful requests to controller methods, 491–495 segregating, with stereotype annotations, 484–485 separate web and REST application contexts, 485–488 testing, 496–500 URIs, 479–480 web service security, 816–818 WSDL, 477 
RestServletContextConfiguration, 486–488, 490, 500, 653, 656 RestTemplate, 838–840, 859–862 return first value, Streams, 171 returning collections, 170 revisions, versioning entities, 709–710 RFC 2026, 826 RFC 2246, 115 RFC 2616, 43, 264 RFC 2822, 442 RFC 3986, 363 RFC 5849, 819, 820 RFC 6455, 265, 269 RFC 6749, 819, 826 RFC 6750, 819, 830 Rhino, roles, authorization, 741–743 rolling files, 302, 314 root application context, 394–404 business logic moved to services, 396–399 multiple user interfaces, 394–395 RootContextConfiguration, 348, 371, 376, 394, 395, 405, 424, 426, 446, 448, 504, 528, 604, 607, 608, 651, 656, 688, 699, 724, 750, 751, 754, 771, 792, 804, 852, 858 RSA-SHA1, 821 RTA protocol, 264 Ruby, 5, 551, 685 run time, JSP at, 76–77 RunAsImplAuthenticationProvider, 766 S Safari, 267, 283 SAML, 738 Sample-Debug-Eclipse project, 38–39 Sample-Debug-IntelliJ project, 32, 34–35 sample-deployment.war, 27–30 Scala, scheduled method execution, 404–409 schedulers, 404–406 schema-less database systems, 546 See also NoSQL databases scope.jsp, 166–167 scopes application scope, 160, 161, 167 class scope, 88 EL expressions, 160–164 implicit EL scope, 161–164 method scope, 80, 88 page scope, 160–161, 167, 184, 189, 196, 198 request scope, 160, 184, 189, 860 session scope, 160, 839, 860 token scope, 827 transaction scope, 598–599 scripting languages, JSP, 79, 90, 94, 218 tag, 95, 96, 97, 219, 227 scriptlets, JSPs, 80, 102 Search-Engine project, 685–692 searching, 663–692 approaches, 666 basics, 664–666 complex criteria queries, 666–676 adding custom search method, 668–670 Advanced-Criteria project, 667–676 creating from search input, 670–674 indexes, 676 and method, 675 or method, 675 full-text indexes with JPA, 676–684 MySQL tables, 677–678 portable, 684 searchable repository, 678–684 full-text searching, Apache Lucene and Hibernate Search, 684–692 non-indexed, 664 second hash, 734 Secure 
attribute, 109, 118 Secure cookie flag, 115, 118 security See also attacks; authentication; authorization; OAuth Bean Definition Profiles, 353 session vulnerabilities, 112–116, 748 security expressions, OAuth, 837 , 813, 814 , 813 , 813–814 , 813 SecurityManager, 353 See Other (303 status code), 371, 736 segregating controllers, 484–485 self-signed SSL certificate, 118 semicolon operator (;), 149, 150, 172 sendError, 56 sendRedirect, 56, 112 separation business logic-persistence logic, 391–392 business logic-user interface logic, 390–391 serialization, Java, 286, 510, 529, 539, 576 server API, Java WebSocket API, 272–273 server endpoint Chat, 291–294 tic-tac-toe game, 274–278 server nonce, 733, 734 service(), 42–43, 51–52, 70, 77, 78 services, 389–416 See also controllers business logic, 392 business logic moved to services, 396–399 Controller-Service-Repository pattern MVC pattern, 390–391, 416 program logic types, 391–393 Maven dependencies, 389–390 Servlet API library, 44 Servlet containers See Tomcat; web containers Servlet init parameters, 25, 61, 62–64, 89, 352 Servlet interface, 42, 45, 71, 90 ServletConfig, 45, 62, 89, 165, 328, 329, 342 ServletConfigAware, 342 ServletContainerInitializer, 62, 118, 133, 238, 330, 332, 333, 335, 418, 749 ServletContext, 45, 62, 88, 89, 118, 161, 165, 234 ServletContextAware, 342 ServletContextConfiguration, 348, 371, 372, 374, 375, 378, 385, 394, 395, 424, 426, 427, 450, 485 ServletContextListener, 62, 118, 133, 212, 238, 247, 331, 332, 335, 384, 410, 418, 768 ServletInputStream, 54 ServletOutputStream, 55, 67, 74, 249 ServletRequest, 52, 55 ServletResponse, 55 Servlets See also controllers; JSPs configuring for deployment, 46–51 converted to controllers, 385–386 creating, 42–46 debugging, 49–51 defined, 13, 42 in deployment descriptor, 46–47 file uploads to, 64–69 filters compared to, 234 GenericServlet, 42–43, 45, 71 history, JSPs, 76 JSPs-Servlets combination, 94–101 mapping Servlet to URL, 47–49 URL pattern mapping vs 
Servlet name mapping, 239–241, 243 Maven dependencies, 41–42 running, 49 sessions in, 119–121 Tomcat versions, 21, 181 WebSocket cluster, 284–286 Session API, Hibernate ORM, 554–556 session attribute, 84 session cookies See cookies session events, 133 session failover, 142 session fixation attacks, 113–114, 748, 754–755, 816, 820, 823 session hijacking, 114 session ID cookies, 110, 114–117, 166, 817, 825 session IDs transmission session cookies, 108–110 session IDs in URL, 110–112, 183, 188 session migration, 113, 515, 517, 773 session replication, 139, 141–142 session scope, 160, 839, 860 session variable, 83, 89, 122 , 116–118, 129, 160 Session-Activity example project, 125–128 SessionFactorys, 556–559 SessionLocaleResolver, 426, 428, 487 SessionRegistry.java, 135–138 sessions, 105–142 application workflow, 107, 108 clustering, 139–141, 514–515 Customer Support project list of active sessions, 135–139 listeners, 133–135 login capability, 129–132 data storage, 116–128 complex data, 125–128 configure sessions in deployment descriptor, 116–118 removing data, 123–125 storing and retrieving data, 119–123 importance, 106–107 in JSPs, 121–122 limit number of sessions, 755–758 maintaining state, 106–107 in Servlets, 119–121 session IDs transmission session cookies, 108–110 session IDs in URL, 110–112, 183, 188 shopping cart example, 106–107 Shopping-Cart example project, 116–141 sticky, 139–142, 515, 835 vulnerabilities, 112–116, 748 web sessions theory, 107–108 sessionScope, 165, 166 sessions.jsp, 138, 174, 232 sessionWillPassivate(), 142, 514 Set literal, 153–154 setCharacterEncoding(), 55, 76, 79, 83 setContentLength(), 56 setContentLengthLong(), 56 setContentType(), 55, 76, 79 Set-Cookie headers, 108, 109, 110 setDateHeader(), 56 setHeader(), 56 setIntHeader(), 56 setMaxInactiveInterval, 124 Sets, 153, 154, 158, 159, 723 setStatus, 56 setter methods See mutators setTimeZone method, 223 
SEVERE logging level, 304 SHA, 266, 629, 821, 841 shared resources, 70–71 Shirt class, 154 shopping cart example, 106–107 Shopping-Cart example project, 116–141 short, 153 , 211, 213, 222 Simple and Protected GSSAPI Negotiation Mechanism, 737 Simple Object Access Protocol See SOAP Simplest Possible Expression Language, 144 See also EL SimpleTag, 210, 213, 224, 225 SimpleTagSupport, 225 SimpleUrlHandlerMapping, 340 Simulated-Cluster project, 284–286 simulating cluster, with multiple deployments, 533–534 single value parameters, 53, 61 SiteMesh, 75 SLF4J, 307, 308, 309, 319 SMALLINT, 576 smart cards, 737–738, 739, 818 SmartLifecycle interface, 343 SMS logging method, 302 SMTP logging method, 302 SOAP, 475–476 characteristics, 475 Maven dependencies, 473 RESTful web services compared to, 476–477 Simple Object Access Protocol, 475 Spring Web Services, 336, 477, 500–508 testing, 496–500 web service security, 816–818 SOAP Body element, 475 SOAP endpoints, 504–508 SOAP envelope, 475, 505, 507 SOAP Fault element, 475 SOAP Header element, 475 SoapServletContextConfiguration, 503–504 social networking, 511 sockets, 302 soft deletes, 483 sorted operation, 169 SpEL See Spring Framework Expression Language splitting logging filter, 767–768 Spotlight, 664, 665 Spring Data described, 636–638 unified data access, 634–647 duplication of code, 634–638 query methods for finding entities, 639–642 repository interfaces, 638–639 Spring Data Commons API documentation, 638 described, 637 Spring Data JPA, 633–662 Spring Data JPA repositories creating, 646–655 Java configuration, 650–652 Spring MVC support, 652–654 XML namespace configuration, 647–650 custom behavior added to, 642–646 enabling auto-generation, 647–654 interfaces, 654–655 Spring Data NoSQL, 349–350, 601 Spring Data-JPA project, 646–655 Spring Framework AOP support, 325 aspect-oriented programming, 325, 347, 353, 410, 745 Bean Validation configuration, 
445–450 bootstrapping, 329–336 deployment descriptor, 330–332 programmatically in initializer, 332–336 configuration, 336–349 @Configuration, 345–349 hybrid, 340–345 XML, 338–340 data access tools, 325 defined, 324 Dependency Injection, 325, 353, 445 EJB compared to, 324 evolution, 324 features, 324–326 internationalization, 417–440 introduction, 323–353 IoC, 325, 353, 743 learning, 863 logical code groupings, 326–327 Maven dependencies, 323–324 reasons for using, 326–327 summary, 353 Spring Framework Expression Language (SpEL), 784, 785, 788, 790, 791, 794, 813, 837 See also EL Spring MVC controllers See controllers Spring Security See also authentication; authorization; OAuth configuring, 745–746 filters, 749–750 HTTP security headers, 777–778 reasons for using, 743–745 tag library, 813–814 Spring Validator, 446, 450, 487 Spring Web Services, 336, 477, 500–508 , 423, 429, 431–433 SpringConfigurator, 411–412 Spring-Hybrid-Config project, 336–349 Spring-Java-Config project, 336–349 Spring-JPA project, 602–624, 634, 646–655 Spring-managed beans, 326, 327, 328, 341, 395, 407, 410, 427, 445, 485, 489, 512, 608, 787 Spring-One-Context-XML-Config project, 336–349 SpringValidatorAdapter, 446, 450, 486 Spring-XML-Config project, 336–349 SQL (Structured Query Language), 545 SQL tag library (Database Access tag library), 203–204, 205 , 203, 204 , 203, 204 , 203, 204 , 203, 204 SSL certificate, self-signed, 118 SSL Session IDs, 115–116, 117, 118, 140, 141, 142, 750 SSL/TLS, 115, 265, 267 standard event multicaster, 527 startAsync(), 70, 244, 245 statefulness See also sessions maintaining state, sessions, 106–107 OAuth, 825 SOAP, 817 statelessness See also RESTful web services HTTP requests, 106 REST, 484, 817, 825 RestTemplate, 838–840, 859–862 SOAP, 817 StatelessSessions, 557 static code analyzer, 460 static field access, EL, 156–157 static HTML document, 74–75 static method access, EL, 156–157 
status codes 101 Switching Protocols, 264, 265, 267 204 No Content, 482, 483, 494, 498 302 Moved Temporarily Location, 109, 110, 111, 371, 736 303 See Other, 371, 736 307 Temporary Redirect, 736 400 Bad Request, 264, 265, 479, 490, 498, 822 401 Unauthorized, 480, 481, 732, 733, 734, 735, 822, 824, 830 403 Forbidden, 480, 481, 785, 787 404 Not Found, 179, 237, 480, 481, 483, 488, 493, 498 405 Method Not Allowed, 44, 480, 482 406 Not Acceptable, 480 415 Unsupported Media Type, 480 426 Upgrade Required, 264 500 Internal Server Error, 235, 237, 480, 488 RESTful web services, 479–480 StAX See Streaming API for XML stereotype annotations, 484–485 sticky sessions, 139–142, 515, 835 Stock Ticker, 266, 268 Store.Servlet, 119 Stream API, 167–172 Stream class, 167–168 Streaming API for XML (StAX), 7, 8, 500, 505 Streams aggregating terminal operations, 170 chained pipeline of operations, 168 distinct operation, 168 filter operation, 168 findFirst operation, 171 forEach operation, 169 intermediate operations, 168–169 limit operation, 169 manipulating values, 169 map operation, 169 returning first value, 171 size limit, 169 sorted operation, 169 substream operation, 169 terminal operations, 170–171 toArray operation, 170 toList operation, 170 transforming, 169 string concatenation operator (+=), 149, 150 string literal values, 151–152 strings EL function to abbreviate strings, 226–227 fn:contains(String, String), 155, 217 fn:escapeXml(String), 155, 164, 182 fn:join(String[], String), 156 fn:length(Object), 156, 164 fn:toLowerCase(String), 156 fn:toUpperCase(String), 156 fn:trim(String), 156 JSTL EL functions, 155–156 StringUtils, 223, 226 structured file storage, 544–545 Structured Query Language See SQL style sheets chat.css style sheet, 289 configure(WebSecurity) method, 752 EL expressions, 147 main.css style sheet, 289 /resource/stylesheet/login.css, 228, 229, 230 /resource/stylesheet/main.css, 228, 230 Spring Framework themes, 429 tic-tac-toe game, 273, 278 subelements s, 
214–215 element, 648 element, 213–214 submitted form data, 383–384 subscriber, 511 See also publish-subscribe messaging subscribing to application events, 522–523 substream operation, 169 sum operation, 170 Sun Microsystems, 3, 8, 20, 550 support chat, 288–296 chat.css style sheet, 289 ChatEndpoint.java, 292–294 ChatMessageCodec.java, 290–291 encoders and decoders, 289–291 JavaScript chat application, 294–296 server endpoint, 291–294 support.xsd, 502–503 surrogate keys composite IDs, 574–575 defined, 544 simple IDs, 570–574 Switching Protocols (101 status code), 264, 265, 267 syslog, 302, 305, 311 System.err.println(), 299 System.out.println(), 299 T tag file directives, 217–219 tag files, 210–217 tag files, 210 tag handlers date formatting tag handler, 221–224 types, 224–225 Tag interface, 224, 225 tag libraries See also JSTL Core tag library (C namespace), 182–192 Address-Book project, 190–192 , 185, 191, 206 , 186–187, 191, 206, 213, 220, 380 , 187–188 , 184–185, 191, 205, 206, 232 , 188–189, 212, 213 , 185, 191, 206 , 182, 191, 206, 220, 221, 232 , 189 , 189 , 112, 121, 178, 183–184, 188, 206, 212, 219 , 185, 191, 192, 206 custom tag and function libraries date formatting tag handler, 221–224 EL function to abbreviate strings, 226–227 Java code replaced with custom JSP tags, 227–232 Maven dependencies, 209–210 tag file directives, 217–219 Template-Tags project, 219–228 Functions library, 155–156, 172, 175, 178 ${fn:contains(String, String)}, 155, 217 ${fn:escapeXml(String)}, 155, 164, 182 ${fn:join(String[], String)}, 156 ${fn:length(Object)}, 156, 164 ${fn:toLowerCase(String)}, 156 ${fn:toUpperCase(String)}, 156 ${fn:trim(String)}, 156 Internationalization and Formatting tag library (FMT namespace), 193–203 Address-Book i18n project, 200–203 complaints, 194 components, 193 currency conversion, 193 , 196–197, 198 , 198–199, 201, 202, 221, 222 , 199–200, 420, 430 , 194–195, 196, 197, 201, 423, 
430, 431, 432, 437, 440 , 198–199, 200, 204 , 199–200 , 197 , 194, 196–197, 198 , 196, 197 , 197–198 , 197–198 formatting tags, 194, 196, 197 i18n tags, 194–196 introduction, 193–194 JSP tag library, 14, 79, 179, 180 for logging within JSPs, 309 XSD, 211 Log4j 2, 319 Spring Security tag library, 813–814 SQL tag library (Database Access tag library), 203–204, 205 XML Processing tag library (X Namespace), 205 Tag Library Descriptors (TLDs), 210–217 Core TLD c.tld file, 209, 211, 216 document root, 211–212 functions, 216–217 initial declaration, 211 listeners, 212 location, 211 tag files, 216 tag library extensions, 217 tags, 212–216 validators, 212 defined, 210 EL functions, 155 URIs, 179 element, 212–216 TagExtraInfo, 213, 214, 219 taglib directives, 86, 97, 102, 155, 178–180, 182, 190, 194, 201, 203, 205, 210, 216, 218, 219, 223, 319 , 217 TagLibraryValidator, 212 tagname, 180 tags (JSP tags), 178–181 actions, 178 defining, 212–216 HTML tags, 75, 87, 147, 182, 183, 207, 215, 220, 382 Java code replaced with JSP tags, 205–207 896 bindex.indd 896 11-02-2014 08:34:56 TagSupport – Tomcat syntax, 178–179 XML tags, 24, 102, 155, 178, 794 TagSupport, 222, 225 tagx files, 210, 218 TaskExecutor, 405 TaskScheduler, 405, 406, 409 TCP communications, 264 See also HTTP/1.1 Upgrade feature , 213, 219 template engines, 75, 371 See also JSPs Template-Tags project, 219–228 temporary credentials, 820–824, 829 Temporary Redirect (307 status code), 736 terminal operations, Streams, 170–171 test-driven development, 475 testing clustering, 533–534 RESTful web services, 496–500 SOAP, 496–500 WebSocket cluster application, 287–288 TestNG, 497 text, Internationalization and Formatting tag library, 193 text direction, in non-western locales, 430, 440 themes, internationalization (i18n), 429–430 this.getServletName(), 45, 48 ThreadContext, 314, 315, 316, 749, 767, 768 ThreadFactory, 405 threads thread pools, 69–70, 245, 404, 405, 603 for transactions and entity managers, 599–600 Three-Legged 
OAuth, 825, 827, 828 Tickers, WebSockets, 266, 268 Ticket, 65, 68 TicketRestEndpoint, 500, 501, 505, 809, 856 TicketServlet, 65, 68–69, 70, 97, 98, 101, 131, 230, 254, 385 TicketSoapEndpoint, 505–508, 856 tic-tac-toe game, 273–283 game.jsp, 279–282 implementing algorithm, 274 JavaScript game console, 278–282 playing, 283 server endpoint, 274–278 ticTacToe.css style sheet, 278 TicTacToeServer.java, 274–278 tightly coupled, 3, 4, 305, 511 Tiles template engine, 75, 371 time See also Date and Time API , 197–198 , 197–198 getLastAccessedTime(), 124 getTimeZone(), 223 IANA Time Zone Database, 198 Joda Time, 12, 454, 551, 649, 651, 695 mapping entities to tables (annotation-based), 592–594 setTimeZone method, 223 time zone support, internationalization (i18n), 429 time interval formatter, 207, 208, 227 timeout issues, 260, 262, 263 timestamps, versioning entities, 709 Tiny, 22 TLDs See Tag Library Descriptors , 211, 222 TLS OAuth, 822, 823, 825, 831 SSL/TLS, 115, 265, 267 toArray operation, 170 token credentials, 820–824, 830 token scope, 827 tokens bearer tokens, 819, 830–831, 832, 833, 835, 842, 850, 853, 857, 861 , 187–188 CSRF token, 775, 776 limitations, 818 MAC, 832 OAuthAccessToken_Scope, 847 refresh tokens, 827–830, 835, 836, 842, 848 toList operation, 170 Tomcat advantages, 20–21, 23 clustered applications, 515–517 custom JSP compiler, 26–27 debugging web applications Eclipse, 35–39 IntelliJ IDEA, 30–35 deploy and undeploy web applications manual, 28 Tomcat manager, 28–30 EAR files, 17 EL expressions, 21, 181 installation, 23–27 Java EE, 21 Java SE, 21 JSPs, 21, 181 MySQL connection, 563 reasons for using, 23 Servlets, 21, 181 versions, 21 WebSockets, 21, 181, 255 897 bindex.indd 897 11-02-2014 08:34:56 TomEE – validation support TomEE, 20–21 TopLink, 550–551, 552 TRACE doTrace(), 43 HTTP method, 43, 52, 359 logging level, 310, 317, 319 Trace Level 1, 304 Trace Level 2, 304 , 116, 117, 118 transactions, 598–601 management AOP support, 325 setting up, 607–610 
PlatformTransactionManager, 598–600, 609, 620, 648 scope, 598–599 threads, 599–600 transforming Streams, 169 transmitting and receiving binary messages, WebSocket cluster, 286–287 triggers entity listeners, 719–720 programmatic, 717–720 relational database, 717 , 95, 96, 97, 336 true keyword, 148, 151 try-with-resources, 10 T-SQL, 545 Two-Legged OAuth, 825, 828 two-letter language codes, 193 type-safe, 157, 394 U UnanimousBased, 797 unary negative sign (-), 149, 150 Unauthorized (401 status code), 480, 481, 732, 733, 734, 735, 822, 824, 830 underscores, EL expressions, 153 unified data access, Spring Data, 634–647 duplication of code, 634–638 query methods for finding entities, 639–642 repository interfaces, 638–639 Unified Expression Language See EL expressions uniqueConstraints, 568, 569 Unsupported Media Type (415 status code), 480 Upgrade header, 264, 265, 266 Upgrade Required (426 status code), 264 uppercase two-letter language code, 193 uri attribute, 86, 179, 180 URI path parameters, 363 URI template variables, 362–363, 375 , 211–212 URIs callback, 823 getRequestURI(), 54 https URI scheme, 264 RESTful web services, 479–480 TLDs, 179 URI parameters, 52–53 , 95 URLs copy-and-paste mistake, 113 mapping filters to URLs, 236 Servlet to URL, 47–49 URL pattern mapping vs Servlet name mapping, 239–241, 243 path parameters, 326 restrictions, @RequestMapping, 356–358 security, 745, 783–786 session fixation attack, 113–114 session IDs in URL, 110–112, 183, 188 user database, Customer Support project, 129–131 user details providers, 748–759 InMemoryUserDetailsManager, 749, 752, 753, 758 JdbcUserDetailsManager, 758–759 LdapUserDetailsService, 759, 761 UserDetailsService, 748–759, 764, 765, 805, 807, 833, 853 user forums, 107, 765, 798 user interface logic controllers, 393 Controller-Service-Repository pattern, 393 logic layer separation to WebSockets, 409–415 separation, 416 business logic-persistence logic, 391–392 business logic-user interface logic, 390–391 user 
interfaces, root application context, 394–395 user profile locale setting, 428–429 UserDetailsService, 748–759, 764, 765, 805, 807, 833, 853 UserManagementController, 380 username-password authentication, 107, 732, 737 User-Profile project, 160–172 UserRegistrationForm, 364 V validation errors, displaying, 463–465 validation groups, 452, 455–456, 460 validation support See Bean Validation 898 bindex.indd 898 11-02-2014 08:34:56 Validator – WebSockets Validator See also Hibernate Validator javax.validation.Validator, 446, 447 Spring Validator, 446, 450, 487 , 212 value attribute, @RequestMapping, 356–358 VARBINARY, 576 VARCHAR, 576 elements, 213–213 Velocity template engine, 75, 371 VelocityView, 371 versioning entities, 709–710 video streaming, HD, 268 view name translation, 374 view names, 371–373 view resolution, 372–373 view types, 369 ViewSessionActivity.jsp, 127–128 viewTicket.jsp, 98, 173, 206, 231 vulnerabilities, sessions, 112–116, 748 W W3C See World Wide Web Consortium WAMP See WebSocket Application Messaging Protocol; Windows-Apache-MySQL-PHP WAR files (web application archives) directory structure, 14–15 EAR files, 17, 583–584 JAR files compared to, 14–15 Warning, logging level, 304 WARNING logging level, 304 web application archives See WAR files web application context, 342, 374, 394, 485–488 See also root application context web application servers See application servers Web Application Technologies, 6, web applications See also Tomcat distributable Java EE web applications, 513–514 life cycle, 13 structure, 13 web containers (Servlet containers) See also Tomcat application servers compared to, 19–20, 180– 181 described, 19–23 JBoss, 22, 445, 724 Jetty, 22, 23, 324 web GUI security, web service security, 816–817 web service endpoints RESTful, 485, 493, 496–500 testing, 496–500 web service security, 816–818 See also OAuth , , web services See also RESTful web services; SOAP authentication mechanism for, 817–818 defined, 474 security, 816–818 Spring 
Web Services for SOAP, 336, 477, 500–508 testing, 496–500 Web Services Addressing standard, 505 Web Services Descriptive Language (WSDL), 474, 475, 476, 477, 501–503, 507 web sessions theory, 107–108 See also sessions WebApplicationInitializer, 333, 335, 348, 349, 371, 384, 749, 768 WEB-INF/jsp/base.jspf, 97 WebLogic, 22, 23, 141, 600, 724 WebSecurityConfigurerAdapter, 752, 791 WebSocket Application Messaging Protocol (WAMP), 519, 520, 525, 535, 540 WebSocket object, 269–270 WebSocket-Messaging project, 525–527, 537–539 WebSockets, 257–296 APIs HTML5 (JavaScript) client API, 268–270 Java WebSocket APIs, 270–273 browsers requirements, 267 ClusterMessagingEndpoint, 527, 528, 529–530, 537 clusters, 284–288, 518–519 configurator, 411–412 Customer-Support-v8 project, 289, 295–296 evolution, 258–268 future changes, 296 getting data from server to browser Applets and Adobe Flash, 263–264 chunked encoding, 262 frequent polling, 259–260 HTTP/1.1 Upgrade feature, 264–267 long polling, 70, 260–261 logic layer separation, 409–415 Maven dependencies, 257–258, 272 multiplayer games, 268, 273–283 send and receive events, 529–530 Simulated-Cluster project, 284–286 Spring Framework support, 324 SpringConfigurator, 411–412 summary, 296 tic-tac-toe game, 273–283 game.jsp, 279–282 implementing algorithm, 274 JavaScript game console, 278–282 playing, 283 899 bindex.indd 899 11-02-2014 08:34:56 WebSockets (continued) – XSS WebSockets (continued) server endpoint, 274–278 ticTacToe.css style sheet, 278 TicTacToeServer.java, 274–278 Tomcat, 21, 181, 255 Tomcat Connector, 515 uses, 268 WebSphere, 22, 23, 141, 447, 552, 600, 724 WildFly, 22 Windows Active Directory, 739, 743, 744, 745, 761 Windows Authentication, 736–737 Windows Event Log, 302 Windows service, Tomcat installation, 24 Windows-Apache-MySQL-PHP (WAMP), 519 Wireshark, 109, 266, 366 Workbench See MySQL Workbench workflow, sessions, 107, 108 World Wide Web Consortium (W3C), 268, 474, 475 wrox.tld, 222 ws scheme, 265, 266 WSDL See 
Web Services Descriptive Language wss scheme, 265, 266, 267 WWW-Authenticate header, 732, 733, 735 X X Namespace See XML Processing tag library XML See also Ajax comments, 81–82, 102 entities, 145, 146, 376 logging, 301 Streaming API for XML, 7, 8, 500, 505 tags, 24, 102, 155, 178, 794 XML namespace configuration, Spring Data JPA repositories, 647–650 XML Processing tag library (X Namespace), 205 XML Schema See XSD XMLHttpRequest, 262, 263, 266, 269 XMLNS, 86, 97, 103, 178, 180 XPath, 144, 154, 205 XSD (XML Schema) contract-first XSD, 501–503 JSP tag library XSD, 211 OAuth 2.0, 836 WSDL, 475 XSS See cross-site scripting 900 bindex.indd 900 11-02-2014 08:34:56 Apache License, Version 2.0 Some of the source code demonstrated in this book or available for download from wrox.com is subject to the terms of the Apache License, Version 2.0 This license is included here in its entirety Source http://www.apache.org/licenses/LICENSE-2.0 Version 2.0, January 2004 Terms and Conditions for Use, Reproduction, and Distribution 1. 
Definitions “License” shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections through of this document “Licensor” shall mean the copyright owner or entity authorized by the copyright owner that is granting the License “Legal Entity” shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity “You” (or “Your”) shall mean an individual or Legal Entity exercising permissions granted by this License “Source” form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files “Object” form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types “Work” shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided at the end of this page) “Derivative Works” shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof “Contribution” shall mean any work of authorship, including the original version of the Work 
and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner For the purposes of this definition, “submitted” means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as “Not a Contribution.” “Contributor” shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work 2. Grant of Copyright License Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, nonexclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form Grant of Patent License Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted If You institute patent litigation against any entity (including a 
cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed 4. Redistribution You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: Y ou must give any other recipients of the Work or Derivative Works a copy of this License; and You must cause any modified files to carry prominent notices stating that You changed the files; and Y ou must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from bmeddis.indd 901 the Source form of the Work, excluding those notices that not pertain to any part of the Derivative Works; and I f the Work includes a “NOTICE” text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear The contents of the NOTICE file are for informational purposes only and not modify the License You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License You may add Your own copyright statement to Your modifications and may 
provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License 5. Submission of Contributions Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions 6. Trademarks This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file 7. Disclaimer of Warranty Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License 8. 
Limitation of Liability In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages 9. Accepting Warranty or Additional Liability While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/ or rights consistent with this License However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability How to Apply the Apache License to Your Work To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets “[]” replaced with your own identifying information (Don’t include the brackets!) 
The text should be enclosed in the appropriate comment syntax for the file format We also recommend that a file or class name and description of purpose be included on the same “printed page” as the copyright notice for easier identification within third-party archives :::text Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied See the License for the specific language governing permissions and limitations under the License 11-02-2014 08:39:25 badvert.indd 902 11-02-2014 08:34:10