JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)

728 views

Published on

JavaOne Shanghai 2013 presentation CON1387 (in Chinese)
Servlet 3.1 (JSR 340) 有什麼新功能?

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
728
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)

  1. 1. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.1
  2. 2. Servlet 3.1 (JSR 340) 有什麼新 功能? Shing Wai Chan (陳成威) Servlet 3.1 Specification Lead java.net/blog/swchan2 Session ID: CON1387
  3. 3. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.3 以下内容旨在概述产品的总体发展方向。该内容仅供参考,不可纳入任何合同。其 内容不构成提供任何材料、代码或功能的承诺,并且不应该作为制定购买决策的依 据。此处所述有关 Oracle 产品的任何特性或功能的开发、发布以及相应的日程安 排均由 Oracle 自行决定。
  4. 4. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.4 议题 §  Servlet 3.1 概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  5. 5. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.5 Servlet 3.1 概述 §  Java EE 7 的特性 §  Servlet 3.0的升级 §  可扩展性 –  添加 Non-blocking IO API §  支持新技术,利用HTTP协议的初始握手 –  支持一般的协议升级机制,例如 WebSocket §  安全性增强
  6. 6. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.6 议题 §  Servlet 3.1 概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  7. 7. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.7 Non-blocking IO public class TestServlet extends HttpServlet protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { ServletInputStream input = request.getInputStream(); byte[] b = new byte[1024]; int len = -1; while ((len = input.read(b)) != -1) { … } } } 傳統 IO 示範
  8. 8. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.8 Non Blocking IO §  添加兩个新接口: ReadListener, WriteListener §  在 ServletInputStream 和 ServletOutputStream 中添加方法 §  只可在非同步 (asynchronous) 和协议升级時使用 概述
  9. 9. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.9 Non-blocking IO public interface ReadListener extends EventListener { public void onDataAvailable() throws IOException; public void onAllDataRead() throws IOException; public void onError(Throwable t); } javax.servlet.ReadListener
  10. 10. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.10 Non-blocking IO public interface WriteListener extends EventListener { public void onWritePossible() throws IOException; public void onError(Throwable t); } javax.servlet.WriteListener
  11. 11. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.11 Non-blocking IO §  javax.servlet.ServletInputStream –  public abstract boolean isFinished() –  public abstract boolean isReady() –  public abstract void setReadListener(ReadListener listener) §  javax.servlet.ServletOutputStream –  public abstract boolean isReady() –  public abstract setWriteListener(WriteListener listener) ServletInputStream, ServletOutputStream
  12. 12. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.12 Non-blocking IO public class TestServlet extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletInputStream input = req.getInputStream(); ReadListener readListener = new ReadListenerImpl(input, output, ac); input.setReadListener(readListener); } } 示範
  13. 13. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.13 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while ((len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { … } public void onError(final Throwable t) { … } } 示範 (续):测验
  14. 14. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.14 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (input.isReady() && (len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { ac.complete(); } public void onError(final Throwable t) { … } } 示範 (续):测验解答
  15. 15. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.15 Non-blocking IO public class TestServlet2 extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletOutputStream output = req.getOutputStream(); WriteListener writeListener = new WriteListenerImpl(output, ac); output.setWriteListener(writeListener); } } 示範 2
  16. 16. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.16 Non-blocking IO public class WriteListenerImpl implements WriteListener { … public void onWritePossible() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (output.isReady()) { … } … } public void onError(final Throwable t) { … } } 示範 2 (续)
  17. 17. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.17 议题 §  Servlet 3.1 概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  18. 18. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.18 协议升级 §  HTTP 1.1 (RFC 2616) §  Connection §  过渡到一些其他的,不兼容的协议 –  For examples, IRC/6.9, Web Socket HTTP Upgrade
  19. 19. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.19 协议升级 §  协议: IETF §  API: W3C §  双向,全双工 / TCP 示例: WebSocket
  20. 20. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.20 Client GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 协议升级 Server HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= Sec-WebSocket-Protocol: chat WebSocket 示例
  21. 21. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.21 协议升级 §  添加方法在 HttpServletRequest 中 §  添加两个新接口 –  javax.servlet.http.HttpUpgradeHandler –  javax.servlet.http.WebConnection §  在升级中,可以使用 non-blocking IO API 概述
  22. 22. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.22 协议升级 §  新接口 javax.servlet.http.HttpUpgradeHandler –  void init(WebConnection wc) –  void destroy() §  新接口 javax.servlet.http.WebConnection extends AutoClosable –  ServletInputStream getInputStream() throws IOException –  ServletOutputStream getOutputStream() throws IOException HttpUpgradeHandler, WebConnection
  23. 23. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.23 协议升级 §  添加方法在 HttpServletRequest –  <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException HttpServletRequest
  24. 24. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.24 协议升级 HttpServlet / Filter req.upgrade(…) init destroy HTTP Request 升级协议的 请求 / 响应 HttpUpgradeHandler
  25. 25. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.25 协议升级 public class UpgradeServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { … if (decideToUpgrade) { EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class); … } } 示範
  26. 26. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.26 协议升级 public class EchoProtocolHandler implements HttpUpgradeHandler { public void init(WebConnection wc) { try { ServletInputStream input = wc.getInputStream(); ServletOutputStream output = wc.getOutputStream(); ReadListener readListener = …; input.setReadListener(readListener); … } public void destroy() { … } } 示範 (续)
  27. 27. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.27 协议升级 TyrusServletFilter req.upgrade(…) init destroy HTTP Request WebSocket 的请求 / 响 应 TyrusHttpUpgradeHandler 示範 2: JSR356,Java API for WebSocket 的参考实现
  28. 28. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.28 示範
  29. 29. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.29 Agenda §  Servlet 3.1 概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  30. 30. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.30 安全性增强 §  黑客的电子邮件或网⻚页 –  http://abank.com?SID=ABCDEFGHIJ §  身份验证后改变 Session id –  添加在接口 HttpServletRequest §  public String changeSessionId() –  新接口 javax.servlet.http.HttpSessionIdListener §  void sessionIdChanged(HttpSessionEvent se, String oldSessionId) Session 固定攻擊
  31. 31. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.31 安全性增强 User Group Role /foo (“*”) /bar (“admin”) Alice manager admin Bob staff staff Carol contractor 任何通過身份驗證的用戶 测验
  32. 32. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.32 安全性增强 §  角色 “*” 是指任何定义的角色 任何通過身份驗證的用戶 测验解答 User Group Role /foo (“*”) /bar (“admin”) Alice manager admin ok ok Bob staff staff ok deny Carol contractor deny deny
  33. 33. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.33 安全性增强 §  角色 “**”,任何通過身份驗證的用戶 §  例如, –  @WebServlet(“/foo”) @ServletSecurity(@HttpConstraint(rolesAllowed={“**”})) 任何通過身份驗證的用戶
  34. 34. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.34 安全性增强 §  deny-uncovered-http-methods: web.xml 中的元素 §  示例, –  <web-app …>
 " "…" " " "" " "<deny-uncovered-http-methods/> " "" " "<security-constraint>
 " " "<web-resource-collection>
 " " " "<web-resource-name>protected</web-resource-name>
 " " " "<url-pattern>/*</url-pattern>
 " " " "<http-method>GET</http-method>
 " " "</web-resource-collection>
 " " "<auth-constraint>
 " " " "<role-name>manager</role-name>
 " " "</auth-constraint>
 " "</security-constraint>
 </web-app>" deny-uncovered-http-methods
  35. 35. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.35 安全性增强 §  澄清 run-as 的有效範圍 –  Servlet#init, Servlet#destroy Run as
  36. 36. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.36 议题 §  Servlet 3.1概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  37. 37. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.37 杂项功能 §  ServletResponse#reset –  清除 HTTP headers, status code, 缓冲区中的数据 §  ServletResponse#setCharacterEncoding –  设置发送到客户端响应的字符编码​​(MIME字符集),例如,转换为UTF-8 –  … ServletResponse#reset 和 #setCharacterEncoding Servlet 3.0
  38. 38. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.38 杂项功能 public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); response.getOutputStream().println("Done"); } } ServletResponse#reset 和 setCharacterEncoding (续) Servlet 3.0 测验
  39. 39. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.39 杂项功能 public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // no effect response.getOutputStream().println("Done"); // IllegalStateException } } ServletResponse#reset 和 setCharacterEncoding (续 2) Servlet 3.0 测验解答
  40. 40. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.40 杂项功能 §  ServletResponse#reset 后的字符编码设置 –  只有 #getServletOutputStream 或 #getWriter –  在调用 #getWriter 后,#setCharacterEncoding 没有任何效果 –  Servlet 3.0 §  #reset 清除 HTTP headers, status code, 缓冲区中的数据 –  Servlet 3.1 §  #reset清除 –  HTTP headers, status code, 缓冲区中的数据 –  调用 #getServletOutputStream 或 #getWriter 的状态 ServletResponse#reset 和 #setCharacterEncoding (续 3)
  41. 41. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.41 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // set Big5 encoding response.getOutputStream().println("Done"); // print } } ServletResponse#reset 和 #setCharacterEncoding (续 4) 示例
  42. 42. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.42 杂项功能 §  HttpServletResponse.sendRedirect –  a.jsp –  /b/a.jsp –  http://anotherhost.com/b/a.jsp –  //anotherhost.com/b/a.jsp (网络路径参考) 相对协议的URL
  43. 43. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.43 杂项功能 §  澄清 HttpServletRequest#getPart, #getParts 在没有multi-part 配置时 –  抛出 IllegalStateException §  添加方法 javax.servlet.http.Part#getSubmittedFileName() Multi-part
  44. 44. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.44 杂项功能 §  有关 ServletContainerInitiailizer 的澄清 –  独立于 metadata-complete –  每一个Web应用程序有一实例 ServletContainerInitializer
  45. 45. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.45 杂项功能 §  ServletRequestWrapper#isWrapperFor(Class<?> c) §  ServletResponseWrapper#isWrapperFor(Class<?> c) §  HandlesTypes#value 返回 Class<?>[ ] Generics
  46. 46. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.46 杂项功能 §  添加方法 ServletContext#getVirtualServerName() §  添加方法 ServletRequest#getContentLengthLong() §  添加方法 ServletResponse#setContentLengthLong(long len) 其他
  47. 47. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.47 Agenda §  Servlet 3.1 概述 §  Non-blocking IO §  协议升级 §  安全性增强 §  杂项功能 §  资源
  48. 48. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.48 资源 §  规范和 API 文档 –  http://jcp.org/en/jsr/detail?id=340 –  http://servlet-spec.java.net §  GlassFish 4.0 –  http://glassfish.java.net –  webtier@glassfish.java.net §  博客 –  http://www.java.net/blog/swchan2
  49. 49. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.49 Graphic Section Divider
  50. 50. Copyright © 2013 Oracle and/or its affiliates. All rights reserved.50

×