
What’s New in JSR 340, Servlet 3.1?

What’s New in JSR 340, Servlet 3.1?. Shing Wai Chan Rajiv Mordani. Session ID: CON 4854.


Presentation Transcript


  1. What’s New in JSR 340, Servlet 3.1? Shing Wai Chan, Rajiv Mordani. Session ID: CON 4854

  2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  3. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security enhancements • Miscellaneous features • Resources

  4. Servlet 3.1 Overview • FINAL: Part of Java EE 7 • Upgrade from Servlet 3.0 • Scalability • Expose Non-blocking IO API • Support newer technologies that leverage HTTP protocol for the initial handshake • Support general upgrade mechanism for protocols like WebSocket • Security enhancements

  5. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security enhancements • Miscellaneous features • Resources

  6. Non-blocking IO: Traditional IO Example

     public class TestServlet extends HttpServlet {
         protected void doPost(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             ServletInputStream input = request.getInputStream();
             byte[] b = new byte[1024];
             int len = -1;
             // Blocking read: each call waits until data arrives or the stream ends
             while ((len = input.read(b)) != -1) {
                 …
             }
         }
     }

  7. Non Blocking IO Overview • Add two new interfaces: ReadListener, WriteListener • Add APIs to ServletInputStream, ServletOutputStream • For asynchronous and upgrade only

  8. Non-blocking IO: javax.servlet.ReadListener

     public interface ReadListener extends EventListener {
         public void onDataAvailable() throws IOException;
         public void onAllDataRead() throws IOException;
         public void onError(Throwable t);
     }

  9. Non-blocking IO: javax.servlet.WriteListener

     public interface WriteListener extends EventListener {
         public void onWritePossible() throws IOException;
         public void onError(Throwable t);
     }

  10. Non-blocking IO: ServletInputStream, ServletOutputStream
     • javax.servlet.ServletInputStream
       • public abstract boolean isFinished()
       • public abstract boolean isReady()
       • public abstract void setReadListener(ReadListener listener)
     • javax.servlet.ServletOutputStream
       • public abstract boolean isReady()
       • public abstract void setWriteListener(WriteListener listener)

  11. Non-blocking IO Example

     public class TestServlet extends HttpServlet {
         protected void doPost(HttpServletRequest req, HttpServletResponse res)
                 throws IOException, ServletException {
             AsyncContext ac = req.startAsync();
             …
             ServletInputStream input = req.getInputStream();
             ServletOutputStream output = res.getOutputStream();
             ReadListener readListener = new ReadListenerImpl(input, output, ac);
             input.setReadListener(readListener);
         }
     }

  12. Non-blocking IO Example (cont’d): Quiz

     public class ReadListenerImpl implements ReadListener {
         …
         public void onDataAvailable() throws IOException {
             …
             int len = -1;
             byte b[] = new byte[1024];
             while ((len = input.read(b)) != -1) {
                 …
             }
         }
         public void onAllDataRead() throws IOException {
             …
         }
         public void onError(final Throwable t) {
             …
         }
     }

  13. Non-blocking IO Example (cont’d 2): Answer

     public class ReadListenerImpl implements ReadListener {
         …
         public void onDataAvailable() throws IOException {
             …
             int len = -1;
             byte b[] = new byte[1024];
             // read() only while isReady() is true: in non-blocking mode a read()
             // with no data ready throws IllegalStateException
             while (input.isReady() && (len = input.read(b)) != -1) {
                 …
             }
         }
         public void onAllDataRead() throws IOException {
             ac.complete();   // finish the async request once all data has been read
         }
         public void onError(final Throwable t) {
             …
         }
     }
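
The slides elide the listener's body. As an added example (not code from the slides), here is a complete ReadListener in the same shape as ReadListenerImpl above that also bounds how much body it will buffer; the MAX_BODY limit and the class name are assumptions of this example, not part of the Servlet API.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import javax.servlet.*;

public class BoundedReadListener implements ReadListener {
    private static final int MAX_BODY = 64 * 1024;   // assumed application limit
    private final ServletInputStream input;
    private final ServletOutputStream output;
    private final AsyncContext ac;
    private final ByteArrayOutputStream body = new ByteArrayOutputStream();

    public BoundedReadListener(ServletInputStream input, ServletOutputStream output,
                               AsyncContext ac) {
        this.input = input;
        this.output = output;
        this.ac = ac;
    }

    public void onDataAvailable() throws IOException {
        byte[] b = new byte[1024];
        int len;
        // isReady() guards every read(): in non-blocking mode a read() with no data
        // ready throws IllegalStateException. When isReady() returns false we simply
        // return; the container calls onDataAvailable() again when more data arrives.
        while (input.isReady() && (len = input.read(b)) != -1) {
            if (body.size() + len > MAX_BODY) {
                // Aborting here keeps a slow or oversized client from pinning memory
                throw new IOException("request body exceeds " + MAX_BODY + " bytes");
            }
            body.write(b, 0, len);
        }
    }

    public void onAllDataRead() throws IOException {
        // Invoked exactly once, after the last byte of the body has been consumed
        output.println("received " + body.size() + " bytes");
        ac.complete();   // the async request ends here, not in doPost()
    }

    public void onError(Throwable t) {
        ac.complete();   // the container reported a failure; release the request
    }
}
```

An IOException thrown from onDataAvailable() is delivered to onError(), so the size limit ends the request without leaving the AsyncContext dangling.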

  14. Non-blocking IO Example 2

     public class TestServlet2 extends HttpServlet {
         protected void doPost(HttpServletRequest req, HttpServletResponse res)
                 throws IOException, ServletException {
             AsyncContext ac = req.startAsync();
             …
             ServletOutputStream output = res.getOutputStream();
             WriteListener writeListener = new WriteListenerImpl(output, ac);
             output.setWriteListener(writeListener);
         }
     }

  15. Non-blocking IO Example 2 (cont’d)

     public class WriteListenerImpl implements WriteListener {
         …
         public void onWritePossible() throws IOException {
             …
             int len = -1;
             byte b[] = new byte[1024];
             while (output.isReady()) {
                 …
             }
             …
         }
         public void onError(final Throwable t) {
             …
         }
     }
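
The part the slide leaves out is that onWritePossible() may be called several times for one response, so the write position has to survive between calls. Added example, not from the slides: a WriteListener that sends a byte array in chunks; the class name and the 1024-byte chunk size are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.AsyncContext;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;

public class ChunkedWriteListener implements WriteListener {
    private final ServletOutputStream output;
    private final AsyncContext ac;
    private final byte[] data;     // whole payload to send
    private int offset = 0;        // progress, kept across onWritePossible() calls

    public ChunkedWriteListener(ServletOutputStream output, AsyncContext ac, byte[] data) {
        this.output = output;
        this.ac = ac;
        this.data = data;
    }

    public void onWritePossible() throws IOException {
        // The container calls this when writing first becomes possible after
        // setWriteListener(), and again each time isReady() has returned false and
        // the output buffer has drained. Writing while isReady() is false throws
        // IllegalStateException, so every write is preceded by the check.
        while (output.isReady()) {
            if (offset >= data.length) {
                ac.complete();     // everything has been handed to the container
                return;
            }
            int n = Math.min(1024, data.length - offset);
            output.write(data, offset, n);
            offset += n;
        }
        // isReady() is false: return and wait for the next onWritePossible()
    }

    public void onError(Throwable t) {
        ac.complete();
    }
}
```

Registered from doPost() as output.setWriteListener(new ChunkedWriteListener(output, ac, payload)); ac.complete() is deliberately called only inside the isReady() loop, so the final flush never happens while the container cannot accept output.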

  16. Program Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  17. Protocol Upgrade: HTTP Upgrade • HTTP 1.1 (RFC 2616) • Connection • Transition to some other, incompatible protocol • For example, IRC/6.9, WebSocket

  18. Protocol Upgrade Example: WebSocket
     • Originally proposed as part of HTML5
     • IETF-defined protocol: RFC 6455
       • Handshake
       • Data Transfer
     • W3C-defined JavaScript API
       • Candidate Recommendation, 2012-09-20
     • Bi-directional, full-duplex, over TCP

  19. Protocol Upgrade WebSocket Example

  20. Protocol Upgrade Overview • Add API to HttpServletRequest • Add two new interfaces • javax.servlet.http.HttpUpgradeHandler • javax.servlet.http.WebConnection • Can use non-blocking IO API in upgrade

  21. Protocol Upgrade: HttpUpgradeHandler, WebConnection
     • New interface javax.servlet.http.HttpUpgradeHandler
       • void init(WebConnection wc)
       • void destroy()
     • New interface javax.servlet.http.WebConnection extends AutoCloseable
       • ServletInputStream getInputStream() throws IOException
       • ServletOutputStream getOutputStream() throws IOException

  22. Protocol Upgrade: HttpServletRequest
     • Add a method to HttpServletRequest
       • <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException

  23. Protocol Upgrade (flow diagram): HTTP Request → HttpServlet / Filter → req.upgrade(…) → HttpUpgradeHandler: init → upgraded protocol requests / responses → destroy

  24. Protocol Upgrade Example

     public class UpgradeServlet extends HttpServlet {
         protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             …
             if (decideToUpgrade) {
                 EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class);
                 …
             }
         }
     }

  25. Protocol Upgrade Example (cont’d)

     public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
         public void init(WebConnection wc) {
             try {
                 ServletInputStream input = wc.getInputStream();
                 ServletOutputStream output = wc.getOutputStream();
                 ReadListener readListener = …;
                 input.setReadListener(readListener);
                 …
             } catch (IOException e) {
                 …
             }
         }
         public void destroy() {
             …
         }
     }
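
Added example, not code from the slides or from any container: the servlet and handler above filled in end to end. The servlet checks the client's Upgrade header before handing the connection over, and the handler echoes bytes back with a non-blocking ReadListener. The URL, the protocol token "echo" and the class names are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/echo-upgrade")
public class EchoUpgradeServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        // Upgrade only when the client asked for this protocol; "echo" is a
        // made-up token for the example, not a registered protocol name.
        if (!"echo".equalsIgnoreCase(req.getHeader("Upgrade"))) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "expected Upgrade: echo");
            return;
        }
        res.setHeader("Connection", "Upgrade");
        res.setHeader("Upgrade", "echo");
        // The container sends 101 Switching Protocols, then calls init() on the
        // handler; the servlet response must not be written after this point.
        req.upgrade(EchoUpgradeHandler.class);
    }

    // Nested only to keep one listing; the container needs a public no-arg constructor.
    public static class EchoUpgradeHandler implements HttpUpgradeHandler {
        public void init(final WebConnection wc) {
            try {
                final ServletInputStream in = wc.getInputStream();
                final ServletOutputStream out = wc.getOutputStream();
                in.setReadListener(new ReadListener() {
                    public void onDataAvailable() throws IOException {
                        byte[] b = new byte[1024];
                        int len;
                        while (in.isReady() && (len = in.read(b)) != -1) {
                            out.write(b, 0, len);   // echo the bytes back to the peer
                        }
                        out.flush();
                    }
                    public void onAllDataRead() throws IOException { wc.close(); }
                    public void onError(Throwable t) { try { wc.close(); } catch (Exception e) { } }
                });
            } catch (IOException e) {
                throw new IllegalStateException("upgrade failed", e);
            }
        }
        public void destroy() { }   // called by the container once the connection is gone
    }
}
```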

  26. Protocol Upgrade Example 2: Reference Implementation of JSR 356, Java API for WebSocket (flow diagram): HTTP Request → TyrusServletFilter → req.upgrade(…) → TyrusHttpUpgradeHandler: init → WebSocket requests / responses → destroy

  27. DEMO

  28. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  29. Security Enhancements: Session Fixation Attack
     • Emails or web pages from hackers containing
       • http://abank.com?SID=ABCDEFGHIJ
     • Change session id on authentication
     • Add to interface HttpServletRequest
       • public String changeSessionId()
     • New interface javax.servlet.http.HttpSessionIdListener
       • void sessionIdChanged(HttpSessionEvent se, String oldSessionId)
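
Added example, not from the slides: a login servlet that rotates the session id with changeSessionId() right after authentication, plus an HttpSessionIdListener that re-keys an application-side map so nothing indexed by the old id keeps working. The URL, the form field names, the USER_BY_SESSION map and the class names are assumptions; request.login() is the Servlet 3.0 API.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    // Constructed application-side index keyed by session id (assumption of this
    // example); the listener below moves entries when an id is rotated.
    static final ConcurrentHashMap<String, String> USER_BY_SESSION = new ConcurrentHashMap<>();

    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        // Container-managed authentication; "username"/"password" are assumed field names
        try {
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // changeSessionId() throws IllegalStateException when the request has no
        // session, so make sure one exists before rotating the id.
        req.getSession(true);
        // Whatever id the client presented before login (a planted SID included)
        // is invalid from here on; session attributes are kept, only the id changes.
        String newId = req.changeSessionId();
        USER_BY_SESSION.put(newId, req.getRemoteUser());
        res.sendRedirect(req.getContextPath() + "/home");
    }

    // Notified by the container during changeSessionId(); nested only to keep one listing
    @WebListener
    public static class SessionIdRekeyer implements HttpSessionIdListener {
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            String user = USER_BY_SESSION.remove(oldSessionId);
            if (user != null) {
                USER_BY_SESSION.put(se.getSession().getId(), user);
            }
        }
    }
}
```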

  30. Security Enhancements: Any authenticated users (Quiz)

  31. Security Enhancements: Any authenticated users (Answer to the Quiz) • Role “*” means any defined roles

  32. Security Enhancements: Any authenticated users
     • Role “**” means any authenticated user
     • For example,

       @WebServlet("/foo")
       @ServletSecurity(@HttpConstraint(rolesAllowed={"**"}))

  33. Security Enhancements: deny-uncovered-http-methods
     • deny-uncovered-http-methods in web.xml
     • For example,

       <web-app …>
         …
         <!-- Without this element, methods not listed in a constraint (here
              everything except GET) would be left uncovered, i.e. accessible -->
         <deny-uncovered-http-methods/>
         <security-constraint>
           <web-resource-collection>
             <web-resource-name>protected</web-resource-name>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
           </web-resource-collection>
           <auth-constraint>
             <role-name>manager</role-name>
           </auth-constraint>
         </security-constraint>
       </web-app>

  34. Security Enhancements Run as • Clarification on run-as • Servlet#init, Servlet#destroy

  35. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security Enhancements • Miscellaneous • Resources

  36. Miscellaneous: ServletResponse#reset and #setCharacterEncoding (Servlet 3.0)
     • ServletResponse#reset
       • Clears any data that exists in the buffer as well as the status code and headers
     • ServletResponse#setCharacterEncoding
       • Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8.
     • …

  37. Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont’d): Quiz in Servlet 3.0

     public class TestServlet extends HttpServlet {
         protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             response.setContentType("text/html");
             response.setCharacterEncoding("ISO-8859-1");
             PrintWriter writer = response.getWriter();
             …
             response.reset();
             response.setContentType("text/plain");
             response.setCharacterEncoding("Big5");
             response.getOutputStream().println("Done");
         }
     }

  38. Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont’d 2): Answer to Quiz in Servlet 3.0

     public class TestServlet extends HttpServlet {
         protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             response.setContentType("text/html");
             response.setCharacterEncoding("ISO-8859-1");
             PrintWriter writer = response.getWriter();
             …
             response.reset();
             response.setContentType("text/plain");
             response.setCharacterEncoding("Big5");        // no effect: getWriter() already called
             response.getOutputStream().println("Done");   // IllegalStateException: getWriter() already called
         }
     }

  39. Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont’d 3)
     • Character encoding setting after ServletResponse#reset
       • Only #getServletOutputStream or #getWriter
       • #setCharacterEncoding has no effect after calling #getWriter
     • Servlet 3.0
       • #reset clears HTTP headers, status code, data in buffer
     • Servlet 3.1
       • #reset clears
         • HTTP headers, status code, data in buffer
         • state of calling #getServletOutputStream or #getWriter

  40. Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont’d 4): Example

     public class TestServlet extends HttpServlet {
         protected void doGet(HttpServletRequest request, HttpServletResponse response)
                 throws IOException, ServletException {
             response.setContentType("text/html");
             response.setCharacterEncoding("ISO-8859-1");
             PrintWriter writer = response.getWriter();
             …
             response.reset();                             // Servlet 3.1: also forgets that getWriter() was called
             response.setContentType("text/plain");
             response.setCharacterEncoding("Big5");        // sets Big5 encoding
             response.getOutputStream().println("Done");   // prints
         }
     }

  41. Miscellaneous: Relative Protocol URL
     • HttpServletResponse.sendRedirect
       • a.jsp
       • /b/a.jsp
       • http://anotherhost.com/b/a.jsp
       • //anotherhost.com/b/a.jsp (Network Path Reference)
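
The network-path form is the one that trips up redirect validation: a target that merely starts with "/" can still send the browser to another host. Added example, not from the slides, of a check an application can apply to a user-supplied target before passing it to sendRedirect; the class name and the "next" parameter are assumptions of this example.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class RedirectTarget {
    private RedirectTarget() { }

    /** True only for targets that stay on this application's own host. */
    public static boolean isLocal(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // "//anotherhost.com/b/a.jsp" (and "///anotherhost.com", which browsers
        // collapse to the same thing) is absolute in all but the scheme, so a
        // "starts with /" test alone would wave it through.
        if (target.startsWith("//")) {
            return false;
        }
        try {
            URI uri = new URI(target);
            // "a.jsp" and "/b/a.jsp" have neither; "http://..." has a scheme,
            // "//host/..." an authority, "javascript:..." a scheme.
            return uri.getScheme() == null && uri.getAuthority() == null;
        } catch (URISyntaxException e) {
            return false;   // backslashes, spaces, etc.: refuse rather than guess
        }
    }

    /** Redirect to the requested page if it is local, otherwise to the context root. */
    public static void redirectSafely(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        String next = req.getParameter("next");   // user-controlled (assumed parameter)
        String dest = isLocal(next) ? next : req.getContextPath() + "/";
        res.sendRedirect(dest);
    }
}
```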

  42. Miscellaneous: Multi-part
     • Clarification for HttpServletRequest#getPart, #getParts without multi-part configuration
       • throw IllegalStateException
     • Add method javax.servlet.http.Part#getSubmittedFileName()

  43. Miscellaneous: ServletContainerInitializer • Clarification for ServletContainerInitializer • independent of metadata-complete • instance per web application

  44. Miscellaneous Generic • ServletRequestWrapper#isWrapperFor(Class<?> c) • ServletResponseWrapper#isWrapperFor(Class<?> c) • HandlesTypes#value return Class<?>[ ]

  45. Miscellaneous Others • Add method ServletContext#getVirtualServerName() • Add method ServletRequest#getContentLengthLong() • Add method ServletResponse#setContentLengthLong(long len)

  46. Agenda • Servlet 3.1 Overview • Non-blocking IO • Protocol Upgrade • Security • Miscellaneous • Resources

  47. Resources
     • Spec and Javadoc
       • http://jcp.org/en/jsr/detail?id=340
       • http://servlet-spec.java.net
     • GlassFish 4.0
       • http://glassfish.java.net
       • webtier@glassfish.java.net
     • Blog
       • http://www.java.net/blog/swchan2

