posted 13 years ago
Data integrity is just checking the data is undamaged - right? So a filter could be used to check the data received in the request, and perform a checksum calculation for example, in order to verify the data is the same as when it left the client (assuming they had also done a similar checksum). If not, it aborts the request, while if the checksum passes, it continues processing of the filter chain.
Confidentiality basically means encryption. What sort of encryption is unspecified - this could be symmetric if both the server and client know a secret key. So, let's use that and as soon as the server receives the data (say a POST request where only the main body is encrypted), it decrypts it, wraps it in a new HttpServletRequest and passes that unencrypted data down the filter chain.
Of course in practice you'd be using SSL encryption. Since this encrypts the entire HTTP message, the container needs to decrypt it first before it can create an HttpServletRequest (in order to populate the various fields of that class from the headers). So in this case, a filter would be totally useless - the decryption must be done as soon as the request is received, no later.
You can sort of see what was meant when the question was written - it would have been better if he had provided a "model answer" too so you could see what he was thinking... that's what I did when I wrote the questions for my book.
Charles Lyons (SCJP 1.4, April 2003; SCJP 5, Dec 2006; SCWCD 1.4b, April 2004)
Author of OCEJWCD Study Companion for Oracle Exam 1Z0-899 (ISBN 0955160340 / Amazon / Amazon UK)
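The two filter steps described in the post above (check the body's integrity, abort if it fails, otherwise decrypt and pass a wrapped HttpServletRequest down the chain), as an added example that is not from the post or its author. It assumes a Servlet 3.1 container, a shared AES-128 key, and a POST body laid out as 12-byte nonce, ciphertext, 16-byte tag; it swaps the post's separate checksum for AES-GCM's authentication tag, which rejects deliberate tampering as well as accidental damage. The class, method and constant names are all hypothetical.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class DecryptingBodyFilter implements Filter {
    // Hypothetical shared secret (constructed value): real keys are provisioned out of band, never hard-coded.
    private static final byte[] KEY = "demo-aes-128-key".getBytes(StandardCharsets.US_ASCII);
    private static final int NONCE_LEN = 12, TAG_BITS = 128;  // assumed body layout: nonce || ciphertext || tag
    @Override public void init(FilterConfig cfg) {}  @Override public void destroy() {}
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        byte[] body = http.getInputStream().readAllBytes();   // Java 9+; reads the encrypted POST body
        byte[] plain;
        try {
            plain = open(body);                                // integrity check and decryption in one step
        } catch (AEADBadTagException e) {                      // integrity check failed: abort the chain here
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "integrity check failed");
            return;
        } catch (GeneralSecurityException e) {
            throw new ServletException("decryption failed", e);
        }
        // Hand the decrypted body down the chain inside a wrapped request, as the post describes.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public ServletInputStream getInputStream() { return new BytesInput(plain); }
            @Override public int getContentLength() { return plain.length; }
        }, res);
    }
    // AES-128-GCM decrypt: the tag check rejects any change to nonce, ciphertext or tag, not just accidental damage.
    static byte[] open(byte[] nonceCtTag) throws GeneralSecurityException {
        if (nonceCtTag.length < NONCE_LEN + TAG_BITS / 8) throw new AEADBadTagException("body too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new GCMParameterSpec(TAG_BITS, Arrays.copyOf(nonceCtTag, NONCE_LEN)));
        return c.doFinal(nonceCtTag, NONCE_LEN, nonceCtTag.length - NONCE_LEN);
    }
    private static final class BytesInput extends ServletInputStream {  // minimal Servlet 3.1 stream over a byte array
        private final ByteArrayInputStream in;
        BytesInput(byte[] b) { in = new ByteArrayInputStream(b); }
        @Override public int read() { return in.read(); }
        @Override public boolean isFinished() { return in.available() == 0; }
        @Override public boolean isReady() { return true; }
        @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
    }
}
```

The client must use a fresh nonce for every message under this key; the filter only verifies and decrypts, so nonce uniqueness is the sender's responsibility.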