
What is new in JSR 340, Servlet 3.1?

Shing Wai Chan (陳成威), Servlet 3.1 Specification Lead, java.net/blog/swchan2. Session ID: CON1387.


Presentation Transcript


  1. What is new in JSR 340, Servlet 3.1? Shing Wai Chan (陳成威) Servlet 3.1 Specification Lead java.net/blog/swchan2 Session ID: CON1387

  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  3. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security enhancements • Miscellaneous features • Resources

  4. Servlet 3.1 Overview • FINAL: Part of Java EE 7 • Upgrade from Servlet 3.0 • Scale • Expose Non-blocking IO API • Support newer technologies that leverage HTTP protocol for the initial handshake • Support general upgrade mechanism for protocols like WebSocket • Security enhancements

  5. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security enhancements • Miscellaneous features • Resources

  6. Non-blocking IO Traditional IO Example

     ```java
     public class TestServlet extends HttpServlet {
         protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             ServletInputStream input = request.getInputStream();
             byte[] b = new byte[1024];
             int len = -1;
             // Blocking read: the request thread waits here until data arrives.
             while ((len = input.read(b)) != -1) {
                 // …
             }
         }
     }
     ```

  7. Non Blocking IO Overview • Add two new interfaces: ReadListener, WriteListener • Add APIs to ServletInputStream, ServletOutputStream • For asynchronous and upgrade only

  8. Non-blocking IO javax.servlet.ReadListener

     ```java
     public interface ReadListener extends EventListener {
         public void onDataAvailable() throws IOException;
         public void onAllDataRead() throws IOException;
         public void onError(Throwable t);
     }
     ```

  9. Non-blocking IO javax.servlet.WriteListener

     ```java
     public interface WriteListener extends EventListener {
         public void onWritePossible() throws IOException;
         public void onError(Throwable t);
     }
     ```

  10. Non-blocking IO ServletInputStream, ServletOutputStream • javax.servlet.ServletInputStream • public abstract boolean isFinished() • public abstract boolean isReady() • public abstract void setReadListener(ReadListener listener) • javax.servlet.ServletOutputStream • public abstract boolean isReady() • public abstract void setWriteListener(WriteListener listener)

  11. Non-blocking IO Example

      ```java
      public class TestServlet extends HttpServlet {
          protected void doPost(HttpServletRequest req, HttpServletResponse res)
                  throws IOException, ServletException {
              AsyncContext ac = req.startAsync();
              // …
              ServletInputStream input = req.getInputStream();
              ReadListener readListener = new ReadListenerImpl(input, output, ac);
              input.setReadListener(readListener);
          }
      }
      ```

  12. Non-blocking IO Example (cont’d)

      ```java
      public class ReadListenerImpl implements ReadListener {
          // …
          public void onDataAvailable() throws IOException {
              // …
              int len = -1;
              byte b[] = new byte[1024];
              // Read only while isReady() is true, so read() never blocks.
              while (input.isReady() && (len = input.read(b)) != -1) {
                  // …
              }
          }

          public void onAllDataRead() throws IOException {
              ac.complete();
          }

          public void onError(final Throwable t) {
              // …
          }
      }
      ```

  13. Non-blocking IO Example 2

      ```java
      public class TestServlet2 extends HttpServlet {
          protected void doPost(HttpServletRequest req, HttpServletResponse res)
                  throws IOException, ServletException {
              AsyncContext ac = req.startAsync();
              // …
              // The output stream belongs to the response, not the request.
              ServletOutputStream output = res.getOutputStream();
              WriteListener writeListener = new WriteListenerImpl(output, ac);
              output.setWriteListener(writeListener);
          }
      }
      ```

  14. Non-blocking IO Example 2 (cont’d)

      ```java
      public class WriteListenerImpl implements WriteListener {
          // …
          public void onWritePossible() throws IOException {
              // …
              int len = -1;
              byte b[] = new byte[1024];
              while (output.isReady()) {
                  // …
              }
              // …
          }

          public void onError(final Throwable t) {
              // …
          }
      }
      ```
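A complete version of the read side with the elided parts filled in, as an added example that is not from the original slides. It also bounds the buffered body and the async timeout so that a slow or oversized request cannot hold memory indefinitely; the `/upload` path, `MAX_BODY` and the timeout value are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.servlet.AsyncContext;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; "/upload", MAX_BODY and the timeout are assumed values.
@WebServlet(urlPatterns = "/upload", asyncSupported = true)
public class BoundedReadServlet extends HttpServlet {
    private static final int MAX_BODY = 64 * 1024;

    @Override
    protected void doPost(HttpServletRequest req, final HttpServletResponse res)
            throws IOException {
        final AsyncContext ac = req.startAsync();
        ac.setTimeout(10_000); // bound how long a slow client can hold the request
        final ServletInputStream input = req.getInputStream();
        input.setReadListener(new ReadListener() {
            private final ByteArrayOutputStream body = new ByteArrayOutputStream();
            private final byte[] buf = new byte[1024];
            public void onDataAvailable() throws IOException {
                int len;
                while (input.isReady() && (len = input.read(buf)) != -1) {
                    if (body.size() + len > MAX_BODY) {
                        // Stop buffering instead of growing without limit.
                        res.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
                        ac.complete();
                        return;
                    }
                    body.write(buf, 0, len);
                }
            }

            public void onAllDataRead() throws IOException {
                res.setContentType("text/plain");
                res.getWriter().println("received " + body.size() + " bytes");
                ac.complete();
            }

            public void onError(Throwable t) {
                ac.complete(); // release the request on I/O failure
            }
        });
    }
}
```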

  15. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  16. Protocol Upgrade HTTP Upgrade • HTTP 1.1 (RFC 2616) • Connection • Transition to some other, incompatible protocol • For example, IRC/6.9, WebSocket

  17. Protocol Upgrade Example: WebSocket • Protocol: IETF • API: W3C • Bi-directional, full-duplex / TCP

  18. Protocol Upgrade WebSocket Example

  19. Protocol Upgrade Overview • Add API to HttpServletRequest • Add two new interfaces • javax.servlet.http.HttpUpgradeHandler • javax.servlet.http.WebConnection • Can use non-blocking IO API in upgrade

  20. Protocol Upgrade HttpUpgradeHandler, WebConnection • New interface javax.servlet.http.HttpUpgradeHandler • void init(WebConnection wc) • void destroy() • New interface javax.servlet.http.WebConnection extends AutoCloseable • ServletInputStream getInputStream() throws IOException • ServletOutputStream getOutputStream() throws IOException

  21. Protocol Upgrade HttpServletRequest • Add a method to HttpServletRequest • <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException

  22. Protocol Upgrade [Diagram: an HTTP request reaches the HttpServlet / Filter, which calls req.upgrade(…); the HttpUpgradeHandler then receives init, the upgraded protocol requests / responses, and destroy]

  23. Protocol Upgrade Example

      ```java
      public class UpgradeServlet extends HttpServlet {
          protected void doGet(HttpServletRequest request, HttpServletResponse response)
                  throws IOException, ServletException {
              // …
              if (decideToUpgrade) {
                  EchoHttpUpgradeHandler handler =
                          request.upgrade(EchoHttpUpgradeHandler.class);
                  // …
              }
          }
      }
      ```

  24. Protocol Upgrade Example (cont’d)

      ```java
      // Named EchoHttpUpgradeHandler to match the class passed to request.upgrade(…).
      public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
          public void init(WebConnection wc) {
              try {
                  ServletInputStream input = wc.getInputStream();
                  ServletOutputStream output = wc.getOutputStream();
                  ReadListener readListener = …;
                  input.setReadListener(readListener);
                  // …
              } catch (IOException e) {
                  // …
              }
          }

          public void destroy() {
              // …
          }
      }
      ```

  25. DEMO

  26. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  27. Security Enhancements Session Fixation Attack • Emails or web pages from hackers containing • http://abank.com?SID=ABCDEFGHIJ • Change Session id on authentication • Add to interface HttpServletRequest • public String changeSessionId() • New interface javax.servlet.http.HttpSessionIdListener • void sessionIdChanged(HttpSessionEvent se, String oldSessionId)
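How the two additions on this slide fit together, as an added example that is not from the original slides: a login endpoint rotates the session ID once authentication succeeds, and a listener records each rotation. The `/login` and `/home` paths, the `user` and `password` parameter names and both class names are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Added example; paths, parameter names and class names are assumed.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        // changeSessionId() throws IllegalStateException when there is no
        // session, so make sure one exists before authenticating.
        req.getSession(true);
        try {
            req.login(req.getParameter("user"), req.getParameter("password"));
        } catch (ServletException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Same session object and attributes, new ID: an ID that was known
        // before authentication no longer identifies this session.
        req.changeSessionId();
        res.sendRedirect(req.getContextPath() + "/home");
    }

    // Nested only to keep the example in one file; normally its own class.
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        private static final Logger LOG = Logger.getLogger("session-audit");

        @Override
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            // Log short prefixes only: a full session ID is a credential.
            LOG.info("session id rotated: " + prefix(oldSessionId)
                    + " -> " + prefix(se.getSession().getId()));
        }

        private static String prefix(String id) {
            return id.substring(0, Math.min(4, id.length())) + "...";
        }
    }
}
```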

  28. Security Enhancements Any authenticated users • Roles “**”, any authenticated users • For example,

      ```java
      @WebServlet("/foo")
      @ServletSecurity(@HttpConstraint(rolesAllowed = {"**"}))
      ```

  29. Security Enhancements Deny-uncovered-http-methods • deny-uncovered-http-methods in web.xml • For example,

      ```xml
      <web-app …>
          …
          <!-- HTTP methods not named in a constraint (everything except GET here) are denied -->
          <deny-uncovered-http-methods/>
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>protected</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>GET</http-method>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>manager</role-name>
              </auth-constraint>
          </security-constraint>
      </web-app>
      ```

  30. Security Enhancements Run as • Clarification on run-as • Servlet#init, Servlet#destroy

  31. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  32. Miscellaneous ServletResponse#reset and #setCharacterEncoding • ServletResponse#reset • Clears any data that exists in the buffer as well as the status code and headers • ServletResponse#setCharacterEncoding • Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8.

  33. Miscellaneous ServletResponse#reset and setCharacterEncoding (cont’d) Quiz in Servlet 3.0

      ```java
      public class TestServlet extends HttpServlet {
          protected void doGet(HttpServletRequest request, HttpServletResponse response)
                  throws IOException, ServletException {
              response.setContentType("text/html");
              response.setCharacterEncoding("ISO-8859-1");
              PrintWriter writer = response.getWriter();
              // …
              response.reset();
              response.setContentType("text/plain");
              response.setCharacterEncoding("Big5");
              response.getOutputStream().println("Done");
          }
      }
      ```

  34. Miscellaneous ServletResponse#reset and setCharacterEncoding (cont’d 2) Answer to Quiz in Servlet 3.0

      ```java
      public class TestServlet extends HttpServlet {
          protected void doGet(HttpServletRequest request, HttpServletResponse response)
                  throws IOException, ServletException {
              response.setContentType("text/html");
              response.setCharacterEncoding("ISO-8859-1");
              PrintWriter writer = response.getWriter();
              // …
              response.reset();
              response.setContentType("text/plain");
              response.setCharacterEncoding("Big5");        // no effect
              response.getOutputStream().println("Done");   // IllegalStateException
          }
      }
      ```

  35. Miscellaneous ServletResponse#reset and #setCharacterEncoding (cont’d 3) • Character encoding setting after ServletResponse#reset • Only #getServletOutputStream or #getWriter • #setCharacterEncoding has no effect after calling #getWriter • Servlet 3.0 • #reset clears http headers, status code, data in buffer • Servlet 3.1 • #reset clears • http headers, status code, data in buffer • state of calling #getServletOutputStream or #getWriter

  36. Miscellaneous ServletResponse#reset and #setCharacterEncoding (cont’d 4) Example

      ```java
      public class TestServlet extends HttpServlet {
          protected void doGet(HttpServletRequest request, HttpServletResponse response)
                  throws IOException, ServletException {
              response.setContentType("text/html");
              response.setCharacterEncoding("ISO-8859-1");
              PrintWriter writer = response.getWriter();
              // …
              response.reset();
              response.setContentType("text/plain");
              response.setCharacterEncoding("Big5");        // set Big5 encoding
              response.getOutputStream().println("Done");   // print
          }
      }
      ```

  37. Miscellaneous Relative Protocol URL • HttpServletResponse.sendRedirect • a.jsp • /b/a.jsp • http://anotherhost.com/b/a.jsp • //anotherhost.com/b/a.jsp (Network Path Reference)
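Of the four forms on this slide, the last one has no scheme yet still names another host, so a check that only looks for `http:` or `https:` does not keep a redirect on the same site. The following added example (not from the original slides) classifies a target before it is passed to `sendRedirect`; `RedirectTargets` and `isLocal` are hypothetical names, not part of the Servlet API.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: RedirectTargets and isLocal are hypothetical names.
public final class RedirectTargets {
    private RedirectTargets() {}

    /** Returns true only for targets that stay on the current host. */
    public static boolean isLocal(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // "//host/path" is a network-path reference: no scheme, but it
        // still names another host. Browsers also read '\' as '/'.
        if (target.startsWith("//") || target.indexOf('\\') >= 0) {
            return false;
        }
        // Control characters (CR, LF, TAB) have no place in a redirect target.
        for (int i = 0; i < target.length(); i++) {
            if (Character.isISOControl(target.charAt(i))) {
                return false;
            }
        }
        try {
            URI uri = new URI(target);
            // Absolute URLs carry a scheme; anything with an authority
            // component points at a host of its own.
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // unparseable input is never redirected to
        }
    }

    public static void main(String[] args) {
        // The four forms listed on the slide.
        String[] forms = {"a.jsp", "/b/a.jsp",
                "http://anotherhost.com/b/a.jsp", "//anotherhost.com/b/a.jsp"};
        for (String f : forms) {
            System.out.println(f + " -> " + (isLocal(f) ? "local" : "off-site"));
        }
    }
}
```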

  38. Miscellaneous Multi-part • Clarification for HttpServletRequest#getPart, #getParts without multi-part configuration • throw IllegalStateException • Add method javax.servlet.http.Part#getSubmittedFileName()

  39. Miscellaneous ServletContainerInitializer • Clarification for ServletContainerInitializer • independent of metadata-complete • instance per web application

  40. Miscellaneous Generic • ServletRequestWrapper#isWrapperFor(Class<?> c) • ServletResponseWrapper#isWrapperFor(Class<?> c) • HandlesTypes#value return Class<?>[ ]

  41. Miscellaneous Others • Add method ServletContext#getVirtualServerName() • Add method ServletRequest#getContentLengthLong() • Add method ServletResponse#setContentLengthLong(long len)

  42. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security • Miscellaneous • Resources

  43. Resources • Spec and Javadoc • http://jcp.org/en/jsr/detail?id=340 • http://servlet-spec.java.net • GlassFish 4.0 • http://glassfish.java.net • webtier@glassfish.java.net • My blog • http://www.java.net/blog/swchan2
