Copyright © 2013, Oracle and/or its affiliates. All rights reserved.
What's New in JSR 340, Servlet 3.1?
Shing Wai Chan
Rajiv Mordani
Session ID: CON 4854
JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)
JavaOne San Francisco 2013 presentation CON4854: What's New in JSR 340, Servlet 3.1?
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
§  Servlet 3.1 Overview
§  Non-blocking IO
§  Protocol Upgrade
§  Security enhancements
§  Miscellaneous features
§  Resources

Servlet 3.1 Overview
§  FINAL: Part of Java EE 7
§  Upgrade from Servlet 3.0
§  Scalability
   –  Expose a non-blocking IO API
§  Support newer technologies that leverage the HTTP protocol for the initial handshake
   –  Support a general upgrade mechanism for protocols like WebSocket
§  Security enhancements
Non-blocking IO: Traditional IO Example

    public class TestServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            ServletInputStream input = request.getInputStream();
            byte[] b = new byte[1024];
            int len = -1;
            // read() blocks the container thread until the client sends more data,
            // so a slow client pins a thread for the whole upload
            while ((len = input.read(b)) != -1) {
                …
            }
        }
    }

Non-blocking IO: Overview
§  Add two new interfaces: ReadListener, WriteListener
§  Add APIs to ServletInputStream, ServletOutputStream
§  For asynchronous and upgrade only
   –  setReadListener / setWriteListener throw IllegalStateException unless the request has been put in async mode (ServletRequest#startAsync) or the connection has been upgraded, and each may be called at most once per request
Non-blocking IO: javax.servlet.ReadListener

    public interface ReadListener extends EventListener {
        public void onDataAvailable() throws IOException;   // data can be read without blocking
        public void onAllDataRead() throws IOException;     // the whole request body has been read
        public void onError(Throwable t);                   // the container failed while reading
    }

Non-blocking IO: javax.servlet.WriteListener

    public interface WriteListener extends EventListener {
        public void onWritePossible() throws IOException;   // a write will now succeed without blocking
        public void onError(Throwable t);                   // the container failed while writing
    }

Non-blocking IO: ServletInputStream, ServletOutputStream
§  javax.servlet.ServletInputStream
   –  public abstract boolean isFinished()
   –  public abstract boolean isReady()
   –  public abstract void setReadListener(ReadListener listener)
§  javax.servlet.ServletOutputStream
   –  public abstract boolean isReady()
   –  public abstract void setWriteListener(WriteListener listener)
Non-blocking IO: Example

    public class TestServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            AsyncContext ac = req.startAsync();
            …
            ServletInputStream input = req.getInputStream();
            ServletOutputStream output = res.getOutputStream();   // not shown on the slide; the listener below needs it
            ReadListener readListener = new ReadListenerImpl(input, output, ac);
            input.setReadListener(readListener);
        }
    }

Non-blocking IO: Example (cont'd): Quiz. What is wrong with this listener?

    public class ReadListenerImpl implements ReadListener {
        …
        public void onDataAvailable() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            while ((len = input.read(b)) != -1) {
                …
            }
        }
        public void onAllDataRead() throws IOException {
            …
        }
        public void onError(final Throwable t) {
            …
        }
    }

Non-blocking IO: Example (cont'd 2): Answer

    public class ReadListenerImpl implements ReadListener {
        …
        public void onDataAvailable() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            // isReady() must be checked before every read: in non-blocking mode read() is only
            // allowed while isReady() is true. Without the guard the loop blocks the container
            // thread again (or the container rejects the read with IllegalStateException) once
            // the buffered data is consumed, which is exactly what async IO is meant to avoid.
            while (input.isReady() && (len = input.read(b)) != -1) {
                …
            }
        }
        public void onAllDataRead() throws IOException {
            ac.complete();   // the request is only finished when the async context is completed
        }
        public void onError(final Throwable t) {
            …
        }
    }
Non-blocking IO: Example 2

    public class TestServlet2 extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            AsyncContext ac = req.startAsync();
            …
            ServletOutputStream output = res.getOutputStream();   // the output stream belongs to the response
            WriteListener writeListener = new WriteListenerImpl(output, ac);
            output.setWriteListener(writeListener);
        }
    }

Non-blocking IO: Example 2 (cont'd)

    public class WriteListenerImpl implements WriteListener {
        …
        public void onWritePossible() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            // write only while the container says the next write will not block;
            // when isReady() turns false the container calls onWritePossible again later
            while (output.isReady()) {
                …
            }
            …
        }
        public void onError(final Throwable t) {
            …
        }
    }
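The two listener fragments above leave out how reads and writes are tied together. The following is an added example, not code from the slides or from GlassFish: one servlet that echoes the request body back to the client with both a ReadListener and a WriteListener, respecting the isReady() rule from the quiz on both sides. The URL pattern, the 10 MiB body cap and the 30 second async timeout are assumptions chosen for the example.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.AsyncContext;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides). asyncSupported=true is required for startAsync().
@WebServlet(urlPatterns = "/echo", asyncSupported = true)
public class NonBlockingEchoServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        AsyncContext ac = req.startAsync();
        ac.setTimeout(30_000L);                 // assumption: a slow client may not hold the connection longer
        res.setContentType("application/octet-stream");
        ServletInputStream in = req.getInputStream();
        ServletOutputStream out = res.getOutputStream();
        EchoPump pump = new EchoPump(in, out, ac);
        out.setWriteListener(pump);             // may invoke onWritePossible right away
        in.setReadListener(pump);               // may invoke onDataAvailable right away
    }

    /** One object serves as both listeners so they share the queue and the AsyncContext. */
    static final class EchoPump implements ReadListener, WriteListener {
        private static final long MAX_BODY = 10L * 1024 * 1024;   // assumption: refuse bodies over 10 MiB
        private final ServletInputStream in;
        private final ServletOutputStream out;
        private final AsyncContext ac;
        private final ConcurrentLinkedQueue<byte[]> pending = new ConcurrentLinkedQueue<>();
        private final AtomicBoolean allRead = new AtomicBoolean(false);
        private final AtomicBoolean completed = new AtomicBoolean(false);
        private long total;

        EchoPump(ServletInputStream in, ServletOutputStream out, AsyncContext ac) {
            this.in = in;
            this.out = out;
            this.ac = ac;
        }

        @Override
        public void onDataAvailable() throws IOException {
            byte[] buf = new byte[1024];
            int len;
            // isReady() before every read: reading when the stream is not ready is illegal
            // in non-blocking mode (the bug in the quiz above).
            while (in.isReady() && (len = in.read(buf)) != -1) {
                total += len;
                if (total > MAX_BODY) {         // never buffer an unbounded body in memory
                    onError(new IOException("request body larger than " + MAX_BODY + " bytes"));
                    return;
                }
                byte[] chunk = new byte[len];
                System.arraycopy(buf, 0, chunk, 0, len);
                pending.add(chunk);
            }
            flush();
        }

        @Override
        public void onAllDataRead() throws IOException {
            allRead.set(true);
            flush();
        }

        @Override
        public void onWritePossible() throws IOException {
            flush();
        }

        @Override
        public void onError(Throwable t) {
            ac.getRequest().getServletContext().log("echo failed", t);
            finish();   // always release the connection, otherwise it leaks until the async timeout fires
        }

        /** Writes queued chunks only while the container says a write will not block. */
        private synchronized void flush() throws IOException {
            while (out.isReady()) {
                byte[] chunk = pending.poll();
                if (chunk == null) {
                    if (allRead.get()) {
                        finish();   // nothing left to read or write
                    }
                    return;
                }
                out.write(chunk);   // may flip isReady() to false; the loop re-checks before the next write
            }
            // isReady() is false here: the container calls onWritePossible() when it can take more
        }

        private void finish() {
            if (completed.compareAndSet(false, true)) {   // complete() must be called exactly once
                ac.complete();
            }
        }
    }
}
```

The queue is what decouples the two callbacks: onDataAvailable never writes directly, because the output may not be ready at that moment, and onWritePossible never reads, because the input may have nothing buffered. The body cap and the async timeout are the two resource limits a reviewer should look for in any non-blocking handler, since a client that trickles bytes no longer costs a thread but still costs memory and a connection.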
Protocol Upgrade: HTTP Upgrade
§  HTTP 1.1 (RFC 2616)
§  Upgrade and Connection headers
§  Transition to some other, incompatible protocol on the same TCP connection
   –  For example, IRC/6.9, WebSocket

Protocol Upgrade: Example, WebSocket
§  Originally proposed as part of HTML5
§  IETF-defined protocol: RFC 6455
   –  Handshake
   –  Data transfer
§  W3C-defined JavaScript API
   –  Candidate Recommendation, 2012-09-20
§  Bi-directional, full-duplex, over a single TCP connection

Protocol Upgrade: WebSocket Example (the handshake from RFC 6455)

Client:
    GET /chat HTTP/1.1
    Host: server.example.com
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
    Origin: http://example.com
    Sec-WebSocket-Protocol: chat, superchat
    Sec-WebSocket-Version: 13

Server:
    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
    Sec-WebSocket-Protocol: chat

Sec-WebSocket-Accept is the base64-encoded SHA-1 of the client's Sec-WebSocket-Key concatenated with the fixed GUID from RFC 6455; it lets the client detect a server that answered 101 without actually understanding WebSocket.
Protocol Upgrade: Overview
§  Add API to HttpServletRequest
§  Add two new interfaces
   –  javax.servlet.http.HttpUpgradeHandler
   –  javax.servlet.http.WebConnection
§  Can use the non-blocking IO API on the upgraded connection

Protocol Upgrade: HttpUpgradeHandler, WebConnection
§  New interface javax.servlet.http.HttpUpgradeHandler
   –  void init(WebConnection wc)
   –  void destroy()
§  New interface javax.servlet.http.WebConnection extends AutoCloseable
   –  ServletInputStream getInputStream() throws IOException
   –  ServletOutputStream getOutputStream() throws IOException

Protocol Upgrade: HttpServletRequest
§  Add a method to HttpServletRequest
   –  <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException
   –  the container instantiates handlerClass (public no-arg constructor) and calls init(WebConnection) once the service method returns

Protocol Upgrade: lifecycle (diagram)
HTTP request -> HttpServlet / Filter calls req.upgrade(…) -> container calls HttpUpgradeHandler#init(WebConnection) -> upgraded-protocol requests / responses flow over the WebConnection -> HttpUpgradeHandler#destroy() when the connection is closed

After the upgrade the container no longer parses the bytes on the connection as HTTP, so filters and security constraints see only the initial request: any authentication or authorization of the upgraded session has to be done in the servlet or filter before calling upgrade(…).
Protocol Upgrade: Example

    public class UpgradeServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            …
            if (decideToUpgrade) {   // e.g. the request carries the expected Upgrade header
                EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class);
                …
            }
        }
    }

Protocol Upgrade: Example (cont'd)

    public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
        public void init(WebConnection wc) {
            try {
                ServletInputStream input = wc.getInputStream();
                ServletOutputStream output = wc.getOutputStream();
                ReadListener readListener = …;
                input.setReadListener(readListener);
                …
            } catch (IOException e) {
                …   // getInputStream/getOutputStream throw IOException; close the WebConnection here
            }
        }
        public void destroy() {
            …
        }
    }

Protocol Upgrade: Example 2, Reference Implementation of JSR 356, Java API for WebSocket (diagram)
HTTP request -> TyrusServletFilter calls req.upgrade(…) -> TyrusHttpUpgradeHandler#init -> WebSocket requests / responses -> TyrusHttpUpgradeHandler#destroy
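The EchoHttpUpgradeHandler slide elides the header check and the listener. As an added example (not the slides' code and not Tyrus), here is the complete pair: a servlet that upgrades only when the client explicitly asked for a hypothetical application protocol named "echo" and is already authenticated, and a handler that echoes bytes back using a non-blocking read on the WebConnection. The protocol token, the URL pattern and the authentication check via getUserPrincipal() are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletOutputStream;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpUpgradeHandler;
import javax.servlet.http.WebConnection;

// Added example (not from the slides).
@WebServlet("/upgrade")
public class EchoUpgradeServlet extends HttpServlet {
    private static final String PROTOCOL = "echo";   // assumption: an application-defined Upgrade token

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        String upgrade = request.getHeader("Upgrade");
        String connection = request.getHeader("Connection");
        // Only upgrade on an explicit request for our protocol; anything else stays plain HTTP.
        if (upgrade == null || !PROTOCOL.equalsIgnoreCase(upgrade.trim())
                || connection == null || !connection.toLowerCase().contains("upgrade")) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "expected Upgrade: " + PROTOCOL);
            return;
        }
        // Authorization has to happen here: after the switch, filters and security
        // constraints never see the bytes flowing over this connection again.
        if (request.getUserPrincipal() == null) {   // assumption: the app authenticates via its constraints
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The 101 response and its headers are what the client sees before the switch.
        response.setStatus(HttpServletResponse.SC_SWITCHING_PROTOCOLS);
        response.setHeader("Upgrade", PROTOCOL);
        response.setHeader("Connection", "Upgrade");
        request.upgrade(EchoUpgradeHandler.class);   // container instantiates it and calls init() after doGet returns
    }

    /** Must be public with a public no-arg constructor so the container can instantiate it. */
    public static class EchoUpgradeHandler implements HttpUpgradeHandler {
        private WebConnection wc;

        @Override
        public void init(WebConnection wc) {
            this.wc = wc;
            try {
                final ServletInputStream in = wc.getInputStream();
                final ServletOutputStream out = wc.getOutputStream();
                in.setReadListener(new ReadListener() {
                    private final byte[] buf = new byte[1024];

                    @Override
                    public void onDataAvailable() throws IOException {
                        int len;
                        while (in.isReady() && (len = in.read(buf)) != -1) {   // same isReady() rule as for requests
                            out.write(buf, 0, len);   // blocking write: no WriteListener is registered on out
                        }
                        out.flush();
                    }

                    @Override
                    public void onAllDataRead() throws IOException {
                        close();   // the peer closed its side; tear the connection down
                    }

                    @Override
                    public void onError(Throwable t) {
                        close();
                    }
                });
            } catch (IOException e) {
                close();
            }
        }

        @Override
        public void destroy() {
            // invoked by the container once the connection is closed; nothing to release here
        }

        private void close() {
            try {
                wc.close();   // WebConnection is AutoCloseable
            } catch (Exception ignored) {
                // best effort on teardown
            }
        }
    }
}
```

Two points the slide's elided version hides: the Upgrade header value is client-controlled, so the servlet decides whether to upgrade by comparing it against the one token it supports rather than upgrading whenever the header is present; and the authentication decision is taken before upgrade(…) because nothing in the servlet pipeline runs for the upgraded traffic.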
DEMO
Security Enhancements: Session Fixation Attack
§  Emails or web pages from attackers containing a link that carries a session id the attacker chose, for example
   –  http://abank.com?SID=ABCDEFGHIJ
   –  if the victim logs in on that session without the id being changed, the attacker already holds the id of an authenticated session
§  Change the session id on authentication
   –  Add to interface HttpServletRequest
      §  public String changeSessionId()   (the session and its attributes are kept, only the id changes)
   –  New interface javax.servlet.http.HttpSessionIdListener
      §  void sessionIdChanged(HttpSessionEvent se, String oldSessionId)
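The slide lists the API; the following added example (not from the slides) shows it in the place it matters, a login servlet that authenticates with the Servlet 3.0 HttpServletRequest#login and then rotates the id, plus an HttpSessionIdListener that records the rotation. The URL patterns, parameter names, the "/home" target and logging via the ServletContext are assumptions; the listener is nested in the same class only to keep the example in one block.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Added example (not from the slides).
@WebServlet("/login")
public class LoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        String user = req.getParameter("username");   // assumption: form field names
        String pass = req.getParameter("password");
        try {
            req.login(user, pass);   // programmatic login against the container's configured realm
        } catch (ServletException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The session the client presented may carry an id chosen by an attacker (the SID in
        // the slide's link). Rotating it here means a pre-set id never becomes an authenticated one.
        HttpSession session = req.getSession();
        req.changeSessionId();   // Servlet 3.1: same HttpSession object, new id, new cookie sent to the client
        session.setAttribute("user", req.getUserPrincipal().getName());
        res.sendRedirect(req.getContextPath() + "/home");   // assumption: post-login landing page
    }

    /** Servlet 3.1 callback: keeps audit logs and any cache keyed by session id in step with the rotation. */
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent se, String oldSessionId) {
            HttpSession session = se.getSession();
            session.getServletContext().log("session id rotated: " + oldSessionId + " -> " + session.getId());
        }
    }
}
```

Before 3.1 the only portable way to get a fresh id was to invalidate the session and create a new one, copying attributes by hand; changeSessionId() does the rotation without losing the session, which is why it can be called at the exact point where the session gains an authenticated identity.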
Security Enhancements: Any authenticated users (Quiz)
Who can reach /foo (constrained to role "*") and /bar (constrained to role "admin")?

    User    Group        Role     /foo ("*")   /bar ("admin")
    Alice   manager      admin    ?            ?
    Bob     staff        staff    ?            ?
    Carol   contractor   (none)   ?            ?

Security Enhancements: Answer to the Quiz
§  Role "*" means any of the roles defined for the application, not any authenticated user: Carol is authenticated, but her group maps to no defined role, so "*" denies her

    User    Group        Role     /foo ("*")   /bar ("admin")
    Alice   manager      admin    ok           ok
    Bob     staff        staff    ok           deny
    Carol   contractor   (none)   deny         deny

Security Enhancements: Any authenticated users
§  New in Servlet 3.1: role "**" means any authenticated user, whatever roles the user has (so "**" would also admit Carol)
§  For example,
   –  @WebServlet("/foo") @ServletSecurity(@HttpConstraint(rolesAllowed={"**"}))
§  If the application itself defines a role named "**", the name keeps its ordinary meaning for that application
Security Enhancements: deny-uncovered-http-methods
§  deny-uncovered-http-methods in web.xml
§  For example,

    <web-app …>
       …
       <deny-uncovered-http-methods/>
       <security-constraint>
          <web-resource-collection>
             <web-resource-name>protected</web-resource-name>
             <url-pattern>/*</url-pattern>
             <http-method>GET</http-method>
          </web-resource-collection>
          <auth-constraint>
             <role-name>manager</role-name>
          </auth-constraint>
       </security-constraint>
    </web-app>

§  The constraint above names only GET, so every other method on /* (POST, PUT, DELETE, HEAD, OPTIONS, TRACE, …) is "uncovered"
   –  Servlet 3.0 behaviour: uncovered methods are not protected at all, so a POST to /anything bypasses the manager requirement (the classic verb-tampering hole)
   –  With <deny-uncovered-http-methods/> the container denies every uncovered method on the constrained patterns (403) instead of allowing it
§  The element is all-or-nothing for the web application; the alternative is to write constraints with <http-method-omission> or no <http-method> at all so that no method is left uncovered
Security Enhancements: Run as
§  Clarification on run-as
   –  the run-as identity also applies during Servlet#init and Servlet#destroy, not only to service calls

Security Enhancements: Declaring Permissions
§  Java EE 7, not in Servlet 3.1
§  Java security manager
§  Declaring the permissions required by application components
§  META-INF/permissions.xml
§  See EE.6.2 of the Java EE 7 spec for details.
Miscellaneous: ServletResponse#reset and #setCharacterEncoding (Servlet 3.0)
§  ServletResponse#reset
   –  Clears any data that exists in the buffer as well as the status code and headers
§  ServletResponse#setCharacterEncoding
   –  Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8.
   –  …

Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont'd): Quiz in Servlet 3.0. What do the last two lines do?

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");
            response.getOutputStream().println("Done");
        }
    }

Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont'd 2): Answer to the Quiz in Servlet 3.0

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");       // no effect: getWriter() already fixed the encoding
            response.getOutputStream().println("Done");  // IllegalStateException: getWriter() was already called
        }
    }

Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont'd 3)
§  Character encoding setting after ServletResponse#reset
   –  A response may hand out only one of #getOutputStream or #getWriter; calling the other afterwards throws IllegalStateException
   –  #setCharacterEncoding has no effect after calling #getWriter
   –  Servlet 3.0
      §  #reset clears HTTP headers, status code and data in the buffer, but not the record of which of #getOutputStream / #getWriter was called
   –  Servlet 3.1
      §  #reset clears
         –  HTTP headers, status code, data in the buffer
         –  the state of having called #getOutputStream or #getWriter, so the encoding can be set again and the other stream type obtained

Miscellaneous: ServletResponse#reset and #setCharacterEncoding (cont'd 4): Example in Servlet 3.1

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();                             // also forgets that getWriter() was called
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");        // sets the Big5 encoding
            response.getOutputStream().println("Done");   // prints "Done"
        }
    }
Miscellaneous: HttpServletResponse#sendRedirect and relative protocol URLs
§  Forms a redirect location may take
   –  a.jsp                              (relative to the current request URI)
   –  /b/a.jsp                           (leading "/": relative to the servlet container root, not the context root)
   –  http://anotherhost.com/b/a.jsp     (absolute URL)
   –  //anotherhost.com/b/a.jsp          (network path reference, RFC 3986 section 4.2)
§  Servlet 3.1 clarifies that a location starting with "//" is a network path reference: the container must not prepend the current host, so the client is sent to anotherhost.com with the current scheme
§  Consequence for applications: if any part of the location comes from the request, a value beginning with "//" escapes a check that only looks for a leading "/" and becomes an open redirect to another host
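The network-path form is the one that bites applications that redirect to a user-supplied "next" page. As an added example (not from the slides), a small helper that accepts only paths inside the current web application and otherwise falls back to a fixed page; the class name, the fallback argument and the parameter name in the usage note are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides).
public final class SafeRedirect {
    private SafeRedirect() {}

    /**
     * True only for a plain path inside this application: it must start with exactly one "/"
     * (so "//host/path" and "/\host/path" are rejected) and parse as a URI that carries
     * neither a scheme nor an authority.
     */
    public static boolean isLocalPath(String target) {
        if (target == null || target.isEmpty() || target.charAt(0) != '/') {
            return false;   // empty, relative, or absolute-URL targets are all refused
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;   // "//" is a network path reference; some browsers treat "/\" the same way
        }
        try {
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;   // anything that is not a well-formed URI is refused rather than guessed at
        }
    }

    /** Redirects to target when it is local, otherwise to the application's fallback page. */
    public static void redirect(HttpServletRequest req, HttpServletResponse res,
                                String target, String fallback) throws IOException {
        String dest = isLocalPath(target) ? target : fallback;
        // A leading "/" is resolved against the container root by sendRedirect, so prefix the
        // context path explicitly to stay inside this application.
        res.sendRedirect(req.getContextPath() + dest);
    }
}
```

Typical use is SafeRedirect.redirect(req, res, req.getParameter("next"), "/home"): "/account" passes, while "//evil.example/account", "/\evil.example", "http://evil.example/" and "evil.example" all fall back. The check is deliberately an allow-list on shape (one leading slash, no scheme, no authority) rather than a deny-list of known bad prefixes, which is what makes the network-path case a bypass in the first place.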
Miscellaneous: Multi-part
§  Clarification for HttpServletRequest#getPart and #getParts without multi-part configuration (no @MultipartConfig on the servlet and no <multipart-config> in web.xml)
   –  throw IllegalStateException
§  Add method javax.servlet.http.Part#getSubmittedFileName()
   –  returns the file name the client supplied in the part's Content-Disposition header, which previously had to be parsed out of Part#getHeader("Content-Disposition") by hand
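Part#getSubmittedFileName() returns whatever the client put in the Content-Disposition header, which may contain directory separators or be empty. The following is an added example (not from the slides) of an upload servlet that uses the new method but stores the file under a server-generated name and keeps only a sanitized form of the client's name as metadata. The URL pattern, the size limits, the upload directory and the part name "file" are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Added example (not from the slides). Without @MultipartConfig (or <multipart-config> in
// web.xml) getPart() throws IllegalStateException in Servlet 3.1; the limits are assumptions.
@WebServlet("/upload")
@MultipartConfig(maxFileSize = 5L * 1024 * 1024, maxRequestSize = 6L * 1024 * 1024,
                 fileSizeThreshold = 64 * 1024)
public class UploadServlet extends HttpServlet {
    private static final Path UPLOAD_DIR = Paths.get("/var/app/uploads");   // assumption: outside the document root

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        Part part = req.getPart("file");   // assumption: the form field is named "file"
        if (part == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing 'file' part");
            return;
        }
        String submitted = part.getSubmittedFileName();   // verbatim from the client's Content-Disposition
        String safeName = sanitizeFileName(submitted);
        if (safeName == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unacceptable file name");
            return;
        }
        // Store under a name the server chooses; the client's name is metadata, never a path.
        Files.createDirectories(UPLOAD_DIR);
        Path dest = UPLOAD_DIR.resolve(UUID.randomUUID().toString());
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, dest, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            part.delete();   // release the container's temporary file
        }
        res.setContentType("text/plain");
        res.getWriter().println("stored " + safeName + " as " + dest.getFileName());
    }

    /**
     * Reduces a client-supplied name to a base name over a conservative character set.
     * Both "/" and "\" count as separators because browsers on different platforms send either.
     * Returns null when nothing usable remains (empty, ".", "..", only separators).
     */
    static String sanitizeFileName(String submitted) {
        if (submitted == null) {
            return null;
        }
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String base = submitted.substring(cut + 1);
        String cleaned = base.replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.matches("\\.+")) {
            return null;
        }
        return cleaned.length() > 100 ? cleaned.substring(0, 100) : cleaned;
    }
}
```

With this shape a submitted name of "..\..\web.xml" becomes "web.xml" in the log line and never touches the file system as a path; the sanitizer only exists so the original name can be shown back or stored in a database, not so it can be trusted.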
Miscellaneous: ServletContainerInitializer
§  Clarification for ServletContainerInitializer
   –  invoked independent of metadata-complete
   –  one instance per web application

Miscellaneous: Generics
§  ServletRequestWrapper#isWrapperFor(Class<?> c)
§  ServletResponseWrapper#isWrapperFor(Class<?> c)
§  HandlesTypes#value returns Class<?>[]

Miscellaneous: Others
§  Add method ServletContext#getVirtualServerName()
§  Add method ServletRequest#getContentLengthLong()
§  Add method ServletResponse#setContentLengthLong(long len)
   –  the int-based #getContentLength returns -1 for bodies larger than Integer.MAX_VALUE, so code that sizes buffers from it must use the long variant
Resources
§  Spec and Javadoc
   –  http://jcp.org/en/jsr/detail?id=340
   –  http://servlet-spec.java.net
§  GlassFish 4.0
   –  http://glassfish.java.net
   –  webtier@glassfish.java.net
§  blog
   –  http://www.java.net/blog/swchan2