Contenu connexe Similaire à JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340) (20) JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)2. What’s New in JSR 340,
Servlet 3.1?
Shing Wai Chan
Rajiv Mordani
Session ID: CON 4854
3. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract.
It is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle s products
remains at the sole discretion of Oracle.
4. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.4
Program Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security enhancements
§ Miscellaneous features
§ Resources
5. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.5
Servlet 3.1 Overview
§ FINAL: Part of Java EE 7
§ Upgrade from Servlet 3.0
§ Scalability
– Expose Non-blocking IO API
§ Support newer technologies that leverage HTTP protocol for the initial
handshake
– Support general upgrade mechanism for protocols like WebSocket
§ Security enhancements
6. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.6
Program Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security enhancements
§ Miscellaneous features
§ Resources
7. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.7
Non-blocking IO
public class TestServlet extends HttpServlet
protected void doPost(HttpServletRequest request,
HttpServletResponse response) throws IOException,
ServletException {
ServletInputStream input =
request.getInputStream();
byte[] b = new byte[1024];
int len = -1;
while ((len = input.read(b)) != -1) {
…
}
}
}
Traditional IO Example
8. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.8
Non Blocking IO
§ Add two new interfaces: ReadListener, WriteListener
§ Add APIs to ServletInputStream, ServletOutputStream
§ For asynchronous and upgrade only
Overview
9. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.9
Non-blocking IO
public interface ReadListener extends EventListener {
public void onDataAvailable() throws IOException;
public void onAllDataRead() throws IOException;
public void onError(Throwable t);
}
javax.servlet.ReadListener
10. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10
Non-blocking IO
public interface WriteListener extends EventListener {
public void onWritePossible() throws IOException;
public void onError(Throwable t);
}
javax.servlet.WriteListener
11. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.11
Non-blocking IO
§ javax.servlet.ServletInputStream
– public abstract boolean isFinished()
– public abstract boolean isReady()
– public abstract void setReadListener(ReadListener
listener)
§ javax.servlet.ServletOutputStream
– public abstract boolean isReady()
– public abstract setWriteListener(WriteListener
listener)
ServletInputStream, ServletOutputStream
12. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.12
Non-blocking IO
public class TestServlet extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse
res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletInputStream input = req.getInputStream();
ReadListener readListener = new ReadListenerImpl(input, output,
ac);
input.setReadListener(readListener);
}
}
Example
13. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.13
Non-blocking IO
public class ReadListenerImpl implements ReadListener {
…
public void onDataAvailable() throws IOException {
…
int len = -1;
byte b[] = new byte[1024];
while ((len = input.read(b)) != -1) {
…
}
}
public void onAllDataRead() throws IOException {
…
}
public void onError(final Throwable t) {
…
}
}
Example (cont’d): Quiz
14. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.14
Non-blocking IO
public class ReadListenerImpl implements ReadListener {
…
public void onDataAvailable() throws IOException {
…
int len = -1;
byte b[] = new byte[1024];
while (input.isReady() && (len = input.read(b)) != -1) {
…
}
}
public void onAllDataRead() throws IOException {
ac.complete();
}
public void onError(final Throwable t) {
…
}
}
Example (cont’d 2): Answer
15. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.15
Non-blocking IO
public class TestServlet2 extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse
res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletOutputStream output = req.getOutputStream();
WriteListener writeListener = new WriteListenerImpl(output,
ac);
output.setWriteListener(writeListener);
}
}
Example 2
16. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.16
Non-blocking IO
public class WriteListenerImpl implements WriteListener {
…
public void onWritePossible() throws IOException {
…
int len = -1;
byte b[] = new byte[1024];
while (output.isReady()) {
…
}
…
}
public void onError(final Throwable t) {
…
}
}
Example 2 (cont’d)
17. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.17
Program Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources
18. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.18
Protocol Upgrade
§ HTTP 1.1 (RFC 2616)
§ Connection
§ Transition to some other, incompatible protocol
– For examples, IRC/6.9, Web Socket
HTTP Upgrade
19. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.19
Protocol Upgrade
§ Originally proposed as part of HTML5
§ IETF-defined Protocol: RFC 6455
– Handshake
– Data Transfer
§ W3C defined JavaScript API
– Candidate Recommendation, 2012-09-20
§ Bi-directional, full-duplex / TCP
Example: WebSocket
20. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.20
Client
GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key:
dGhlIHNhbXBsZSBub25jZQ==
Origin: http://example.com
Sec-WebSocket-Protocol: chat,
superchat
Sec-WebSocket-Version: 13
Protocol Upgrade
Server
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept:
s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Sec-WebSocket-Protocol: chat
WebSocket Example
21. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.21
Protocol Upgrade
§ Add API to HttpServletRequest
§ Add two new interfaces
– javax.servlet.http.HttpUpgradeHandler
– javax.servlet.http.WebConnection
§ Can use non-blocking IO API in upgrade
Overview
22. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.22
Protocol Upgrade
§ New interface javax.servlet.http.HttpUpgradeHandler
– void init(WebConnection wc)
– void destroy()
§ New interface javax.servlet.http.WebConnection extends
AutoClosable
– ServletInputStream getInputStream() throws IOException
– ServletOutputStream getOutputStream() throws
IOException
HttpUpgradeHandler, WebConnection
23. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.23
Protocol Upgrade
§ Add a method to HttpServletRequest
– <T extends HttpUpgradeHandler>
T upgrade(Class<T> handlerClass)
throws IOException, ServletException
HttpServletRequest
24. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.24
Protocol Upgrade
HttpServlet /
Filter
req.upgrade(…)
init
destroy
HTTP Request
upgraded
protocol
requests /
responses
HttpUpgradeHandler
25. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.25
Protocol Upgrade
public class UpgradeServlet extends HttpServlet
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException,
ServletException {
…
if (decideToUpgrade) {
EchoHttpUpgradeHandler handler =
request.upgrade(EchoHttpUpgradeHandler.class);
…
}
}
Example
26. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.26
Protocol Upgrade
public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
public void init(WebConnection wc) {
try {
ServletInputStream input = wc.getInputStream();
ServletOutputStream output = wc.getOutputStream();
ReadListener readListener = …;
input.setReadListener(readListener);
…
}
public void destroy() {
…
}
}
Example (cont’d)
27. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.27
Protocol Upgrade
TyrusServletFilter
req.upgrade(…)
init
destroy
HTTP Request
WebSocket
requests /
responses
TyrusHttpUpgradeHandler
Example 2: Reference Implementation of JSR 356, Java API for WebSocket
29. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.29
Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources
30. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.30
Security Enhancements
§ Emails or web pages from hackers containing
– http://abank.com?SID=ABCDEFGHIJ
§ Change Session id on authentication
– Add to interface HttpServletRequest
§ public String changeSessionId()
– New interface javax.servlet.http.HttpSessionIdListener
§ void sessionIdChanged(HttpSessionEvent se, String
oldSessionId)
Session Fixation Attack
31. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.31
Security Enhancements
User Group Role /foo (“*”) /bar (“admin”)
Alice manager admin
Bob staff staff
Carol contractor
Any authenticated users
Quiz
32. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.32
Security Enhancements
§ Role “*” means any defined roles
Any authenticated users
Answer to the Quiz
User Group Role /foo (“*”) /bar (“admin”)
Alice manager admin ok ok
Bob staff staff ok deny
Carol contractor deny deny
33. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.33
Security Enhancements
§ Roles “**”, any authenticated users
§ For example,
– @WebServlet(“/foo”)
@ServletSecurity(@HttpConstraint(rolesAllowed={“**”}))
Any authenticated users
34. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.34
Security Enhancements
§ deny-uncovered-http-methods in web.xml
§ For example,
– <web-app …>
" "…" " " ""
" "<deny-uncovered-http-methods/> " ""
" "<security-constraint>
" " "<web-resource-collection>
" " " "<web-resource-name>protected</web-resource-name>
" " " "<url-pattern>/*</url-pattern>
" " " "<http-method>GET</http-method>
" " "</web-resource-collection>
" " "<auth-constraint>
" " " "<role-name>manager</role-name>
" " "</auth-constraint>
" "</security-constraint>
</web-app>"
deny-uncovered-http-methods
35. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.35
Security Enhancements
§ Clarification on run-as
– Servlet#init, Servlet#destroy
Run as
36. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.36
Security Enhancements
§ Java EE 7, not in Servlet 3.1
§ Java security manager
§ Declaring permissions required by application components
§ META-INF/permission.xml
§ See EE.6.2 of Java EE 7 spec for details.
Declaring Permissions
37. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.37
Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources
38. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.38
Miscellaneous
§ ServletResponse#reset
– Clears any data that exists in the buffer as well as the status code and
headers
§ ServletResponse#setCharacterEncoding
– Sets the character encoding (MIME charset) of the response being sent to
the client, for example, to UTF-8.
– …
ServletResponse#reset and #setCharacterEncoding
Servlet 3.0
39. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.39
Miscellaneous
public class TestServlet extends HttpServlet
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
response.setContentType("text/html");
response.setCharacterEncoding("ISO-8859-1");
PrintWriter writer = response.getWriter();
…
response.reset();
response.setContentType("text/plain");
response.setCharacterEncoding("Big5");
response.getOutputStream().println("Done");
}
}
ServletResponse#reset and setCharacterEncoding (cont’d)
Quiz in Servlet 3.0
40. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.40
Miscellaneous
public class TestServlet extends HttpServlet
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
response.setContentType("text/html");
response.setCharacterEncoding("ISO-8859-1");
PrintWriter writer = response.getWriter();
…
response.reset();
response.setContentType("text/plain");
response.setCharacterEncoding("Big5"); // no effect
response.getOutputStream().println("Done"); //
IllegalStateException
}
}
ServletResponse#reset and setCharacterEncoding (cont’d 2)
Answer to Quiz in Servlet 3.0
41. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.41
Miscellaneous
§ Character encoding setting after ServletResponse#reset
– Only #getServletOutputStream or #getWriter
– #setCharacterEncoding has no effect after calling #getWriter
– Servlet 3.0
§ #reset clears HTTP headers, status code, data in buffer
– Servlet 3.1
§ #reset clears
– HTTP headers, status code, data in buffer
– state of calling #getServletOutputStream or #getWriter
ServletResponse#reset and #setCharacterEncoding (cont’d 3)
42. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.42
Miscellaneous
public class TestServlet extends HttpServlet
protected void doGet(HttpServletRequest request,
HttpServletResponse response) throws IOException, ServletException {
response.setContentType("text/html");
response.setCharacterEncoding("ISO-8859-1");
PrintWriter writer = response.getWriter();
…
response.reset();
response.setContentType("text/plain");
response.setCharacterEncoding("Big5"); // set Big5 encoding
response.getOutputStream().println("Done"); // print
}
}
ServletResponse#reset and #setCharacterEncoding (cont’d 4)
Example
43. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.43
Miscellaneous
§ HttpServletResponse.sendRedirect
– a.jsp
– /b/a.jsp
– http://anotherhost.com/b/a.jsp
– //anotherhost.com/b/a.jsp (Network Path Reference)
Relative Protocol URL
44. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.44
Miscellaneous
§ Clarification for HttpServletRequest#getPart, #getParts
without multi-part configuration
– throw IllegalStateException
§ Add method
javax.servlet.http.Part#getSubmittedFileName()
Multi-part
45. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.45
Miscellaneous
§ Clarification for ServletContainerInitiailizer
– independent of metadata-complete
– instance per web application
ServletContainerInitializer
46. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.46
Miscellaneous
§ ServletRequestWrapper#isWrapperFor(Class<?> c)
§ ServletResponseWrapper#isWrapperFor(Class<?> c)
§ HandlesTypes#value return Class<?>[ ]
Generic
47. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.47
Miscellaneous
§ Add method ServletContext#getVirtualServerName()
§ Add method ServletRequest#getContentLengthLong()
§ Add method ServletResponse#setContentLengthLong(long
len)
Others
48. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.48
Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security
§ Miscellaneous
§ Resources
49. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.49
Resources
§ Spec and Javadoc
– http://jcp.org/en/jsr/detail?id=340
– http://servlet-spec.java.net
§ GlassFish 4.0
– http://glassfish.java.net
– webtier@glassfish.java.net
§ blog
– http://www.java.net/blog/swchan2
50. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.50
Graphic Section Divider