JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

What’s New in JSR 340,
Servlet 3.1?
Shing Wai Chan
Rajiv Mordani
Session ID: CON 4854

The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle s products
remains at the sole discretion of Oracle.

Program Agenda
§  Servlet 3.1 Overview
§  Non-blocking IO
§  Protocol Upgrade
§  Security enhancements
§  Miscellaneous features
§  Resources

Servlet 3.1 Overview
§  FINAL: Part of Java EE 7
§  Upgrade from Servlet 3.0
§  Scalability
–  Expose Non-blocking IO API
§  Support newer technologies that leverage HTTP protocol for the initial
handshake
–  Support general upgrade mechanism for protocols like WebSocket

Program Agenda
§  Miscellaneous features
§  Resources

Non-blocking IO
public class TestServlet extends HttpServlet
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws IOException,
ServletException {
ServletInputStream input =
request.getInputStream();
byte[] b = new byte[1024];
int len = -1;
while ((len = input.read(b)) != -1) {
…
}
}
}
Traditional IO Example

Non Blocking IO
§  Add two new interfaces: ReadListener, WriteListener
§  Add APIs to ServletInputStream, ServletOutputStream
§  For asynchronous and upgrade only
Overview

Non-blocking IO
public interface ReadListener extends EventListener {
public void onDataAvailable() throws IOException;
public void onAllDataRead() throws IOException;
public void onError(Throwable t);
}
javax.servlet.ReadListener

Non-blocking IO
public interface WriteListener extends EventListener {
public void onWritePossible() throws IOException;
public void onError(Throwable t);
}
javax.servlet.WriteListener

Non-blocking IO
§  javax.servlet.ServletInputStream
–  public abstract boolean isFinished()
–  public abstract boolean isReady()
–  public abstract void setReadListener(ReadListener
listener)
§  javax.servlet.ServletOutputStream
–  public abstract boolean isReady()
–  public abstract setWriteListener(WriteListener
listener)
ServletInputStream, ServletOutputStream

Non-blocking IO
public class TestServlet extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse
res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletInputStream input = req.getInputStream();
ReadListener readListener = new ReadListenerImpl(input, output,
ac);
input.setReadListener(readListener);
}
}
Example

Non-blocking IO
public class ReadListenerImpl implements ReadListener {
…
public void onDataAvailable() throws IOException {
…
int len = -1;
byte b[] = new byte[1024];
while ((len = input.read(b)) != -1) {
…
}
}
public void onAllDataRead() throws IOException {
…
}
public void onError(final Throwable t) {
…
}
}
Example (cont’d): Quiz

Non-blocking IO
public class ReadListenerImpl implements ReadListener {
…
public void onDataAvailable() throws IOException {
…
int len = -1;
while (input.isReady() && (len = input.read(b)) != -1) {
…
}
}
public void onAllDataRead() throws IOException {
ac.complete();
}
…
}
}
Example (cont’d 2): Answer

Non-blocking IO
public class TestServlet2 extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse
res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletOutputStream output = req.getOutputStream();
WriteListener writeListener = new WriteListenerImpl(output,
ac);
output.setWriteListener(writeListener);
}
}
Example 2

Non-blocking IO
public class WriteListenerImpl implements WriteListener {
…
public void onWritePossible() throws IOException {
…
int len = -1;
while (output.isReady()) {
…
}
…
}
…
}
}
Example 2 (cont’d)

Program Agenda
§  Security Enhancements
§  Miscellaneous
§  Resources

Protocol Upgrade
§  HTTP 1.1 (RFC 2616)
§  Connection
§  Transition to some other, incompatible protocol
–  For examples, IRC/6.9, Web Socket
HTTP Upgrade

Protocol Upgrade
§  Originally proposed as part of HTML5
§  IETF-defined Protocol: RFC 6455
–  Handshake
–  Data Transfer
§  W3C defined JavaScript API
–  Candidate Recommendation, 2012-09-20
§  Bi-directional, full-duplex / TCP
Example: WebSocket

Client
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key:
dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat,
superchat
Sec-WebSocket-Version: 13
Protocol Upgrade
Server
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept:
s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat
WebSocket Example

Protocol Upgrade
§  Add API to HttpServletRequest
§  Add two new interfaces
–  javax.servlet.http.HttpUpgradeHandler
–  javax.servlet.http.WebConnection
§  Can use non-blocking IO API in upgrade
Overview

Protocol Upgrade
§  New interface javax.servlet.http.HttpUpgradeHandler
–  void init(WebConnection wc)
–  void destroy()
§  New interface javax.servlet.http.WebConnection extends
AutoClosable
–  ServletInputStream getInputStream() throws IOException
–  ServletOutputStream getOutputStream() throws
IOException
HttpUpgradeHandler, WebConnection

Protocol Upgrade
§  Add a method to HttpServletRequest
–  <T extends HttpUpgradeHandler>
T upgrade(Class<T> handlerClass)
throws IOException, ServletException
HttpServletRequest

Protocol Upgrade
HttpServlet /
Filter
req.upgrade(…)
init
destroy
HTTP Request
upgraded
protocol
requests /
responses
HttpUpgradeHandler

Protocol Upgrade
public class UpgradeServlet extends HttpServlet
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException,
ServletException {
…
if (decideToUpgrade) {
EchoHttpUpgradeHandler handler =
request.upgrade(EchoHttpUpgradeHandler.class);
…
}
}
Example

Protocol Upgrade
public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
public void init(WebConnection wc) {
try {
ServletInputStream input = wc.getInputStream();
ServletOutputStream output = wc.getOutputStream();
ReadListener readListener = …;
input.setReadListener(readListener);
…
}
public void destroy() {
…
}
}
Example (cont’d)

Protocol Upgrade
TyrusServletFilter
req.upgrade(…)
init
destroy
HTTP Request
WebSocket
requests /
responses
TyrusHttpUpgradeHandler
Example 2: Reference Implementation of JSR 356, Java API for WebSocket

DEMO

Agenda
§  Resources

Security Enhancements
§  Emails or web pages from hackers containing
–  http://abank.com?SID=ABCDEFGHIJ
§  Change Session id on authentication
–  Add to interface HttpServletRequest
§  public String changeSessionId()
–  New interface javax.servlet.http.HttpSessionIdListener
§  void sessionIdChanged(HttpSessionEvent se, String
oldSessionId)
Session Fixation Attack

User Group Role /foo (“*”) /bar (“admin”)
Alice manager admin
Bob staff staff
Carol contractor
Any authenticated users
Quiz

§  Role “*” means any defined roles
Answer to the Quiz
User Group Role /foo (“*”) /bar (“admin”)
Alice manager admin ok ok
Bob staff staff ok deny
Carol contractor deny deny

§  Roles “**”, any authenticated users
§  For example,
–  @WebServlet(“/foo”)
@ServletSecurity(@HttpConstraint(rolesAllowed={“**”}))

§  deny-uncovered-http-methods in web.xml
§  For example,
–  <web-app …> 
" "…" " " ""
" "<deny-uncovered-http-methods/> " ""
" "<security-constraint> 
" " "<web-resource-collection> 
" " " "<web-resource-name>protected</web-resource-name> 
" " " "<url-pattern>/*</url-pattern> 
" " " "<http-method>GET</http-method> 
" " "</web-resource-collection> 
" " "<auth-constraint> 
" " " "<role-name>manager</role-name> 
" " "</auth-constraint> 
" "</security-constraint> 
</web-app>"
deny-uncovered-http-methods

§  Clarification on run-as
–  Servlet#init, Servlet#destroy
Run as

§  Java EE 7, not in Servlet 3.1
§  Java security manager
§  Declaring permissions required by application components
§  META-INF/permission.xml
§  See EE.6.2 of Java EE 7 spec for details.
Declaring Permissions

Agenda
§  Resources

Miscellaneous
§  ServletResponse#reset
–  Clears any data that exists in the buffer as well as the status code and
headers
§  ServletResponse#setCharacterEncoding
–  Sets the character encoding (MIME charset) of the response being sent to
the client, for example, to UTF-8.
–  …
ServletResponse#reset and #setCharacterEncoding
Servlet 3.0

Miscellaneous
HttpServletResponse response) throws IOException, ServletException {
response.setContentType("text/html");
response.setCharacterEncoding("ISO-8859-1");
PrintWriter writer = response.getWriter();
…
response.reset();
response.setContentType("text/plain");
response.setCharacterEncoding("Big5");
response.getOutputStream().println("Done");
}
}
ServletResponse#reset and setCharacterEncoding (cont’d)
Quiz in Servlet 3.0

Miscellaneous
…
response.reset();
response.setCharacterEncoding("Big5"); // no effect
response.getOutputStream().println("Done"); //
IllegalStateException
}
}
ServletResponse#reset and setCharacterEncoding (cont’d 2)
Answer to Quiz in Servlet 3.0

Miscellaneous
§  Character encoding setting after ServletResponse#reset
–  Only #getServletOutputStream or #getWriter
–  #setCharacterEncoding has no effect after calling #getWriter
–  Servlet 3.0
§  #reset clears HTTP headers, status code, data in buffer
–  Servlet 3.1
§  #reset clears
–  HTTP headers, status code, data in buffer
–  state of calling #getServletOutputStream or #getWriter
ServletResponse#reset and #setCharacterEncoding (cont’d 3)

Miscellaneous
…
response.reset();
response.setCharacterEncoding("Big5"); // set Big5 encoding
response.getOutputStream().println("Done"); // print
}
}
ServletResponse#reset and #setCharacterEncoding (cont’d 4)
Example

Miscellaneous
§  HttpServletResponse.sendRedirect
–  a.jsp
–  /b/a.jsp
–  http://anotherhost.com/b/a.jsp
–  //anotherhost.com/b/a.jsp (Network Path Reference)
Relative Protocol URL

Miscellaneous
§  Clarification for HttpServletRequest#getPart, #getParts
without multi-part configuration
–  throw IllegalStateException
§  Add method
javax.servlet.http.Part#getSubmittedFileName()
Multi-part

Miscellaneous
§  Clarification for ServletContainerInitiailizer
–  independent of metadata-complete
–  instance per web application
ServletContainerInitializer

Miscellaneous
§  ServletRequestWrapper#isWrapperFor(Class<?> c)
§  ServletResponseWrapper#isWrapperFor(Class<?> c)
§  HandlesTypes#value return Class<?>[ ]
Generic

Miscellaneous
§  Add method ServletContext#getVirtualServerName()
§  Add method ServletRequest#getContentLengthLong()
§  Add method ServletResponse#setContentLengthLong(long
len)
Others

Agenda
§  Security
§  Resources

Resources
§  Spec and Javadoc
–  http://jcp.org/en/jsr/detail?id=340
–  http://servlet-spec.java.net
§  GlassFish 4.0
–  http://glassfish.java.net
–  webtier@glassfish.java.net
§  blog
–  http://www.java.net/blog/swchan2

Graphic Section Divider

JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Recommended

More Related Content

What's hot

What's hot(20)

Similar to JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Similar to JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)(20)

Recently uploaded

Recently uploaded(20)

JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)