SlideShare une entreprise Scribd logo

JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

S
Shing Wai Chan

This document outlines the key features of Servlet 3.1 including non-blocking I/O, protocol upgrades, and security enhancements. It discusses how Servlet 3.1 introduces APIs for asynchronous and non-blocking I/O using read and write listeners. It also covers how protocol upgrades allow servlets to upgrade HTTP connections to other protocols like WebSocket. The document reviews new security features like changing the session ID on authentication to prevent fixation attacks.

Technologie
1  sur  51
Télécharger pour lire hors ligne
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1
What’s New in JSR 340, Servlet 3.1? Shing Wai Chan Rajiv Mordani Session ID: CON 4854
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.4 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security enhancements §  Miscellaneous features §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.5 Servlet 3.1 Overview §  FINAL: Part of Java EE 7 §  Upgrade from Servlet 3.0 §  Scalability –  Expose Non-blocking IO API §  Support newer technologies that leverage HTTP protocol for the initial handshake –  Support general upgrade mechanism for protocols like WebSocket §  Security enhancements
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.6 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security enhancements §  Miscellaneous features §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.7 Non-blocking IO public class TestServlet extends HttpServlet protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { ServletInputStream input = request.getInputStream(); byte[] b = new byte[1024]; int len = -1; while ((len = input.read(b)) != -1) { … } } } Traditional IO Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.8 Non Blocking IO §  Add two new interfaces: ReadListener, WriteListener §  Add APIs to ServletInputStream, ServletOutputStream §  For asynchronous and upgrade only Overview
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.9 Non-blocking IO public interface ReadListener extends EventListener { public void onDataAvailable() throws IOException; public void onAllDataRead() throws IOException; public void onError(Throwable t); } javax.servlet.ReadListener
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10 Non-blocking IO public interface WriteListener extends EventListener { public void onWritePossible() throws IOException; public void onError(Throwable t); } javax.servlet.WriteListener
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.11 Non-blocking IO §  javax.servlet.ServletInputStream –  public abstract boolean isFinished() –  public abstract boolean isReady() –  public abstract void setReadListener(ReadListener listener) §  javax.servlet.ServletOutputStream –  public abstract boolean isReady() –  public abstract setWriteListener(WriteListener listener) ServletInputStream, ServletOutputStream
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.12 Non-blocking IO public class TestServlet extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletInputStream input = req.getInputStream(); ReadListener readListener = new ReadListenerImpl(input, output, ac); input.setReadListener(readListener); } } Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.13 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while ((len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { … } public void onError(final Throwable t) { … } } Example (cont’d): Quiz
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.14 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (input.isReady() && (len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { ac.complete(); } public void onError(final Throwable t) { … } } Example (cont’d 2): Answer
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.15 Non-blocking IO public class TestServlet2 extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletOutputStream output = req.getOutputStream(); WriteListener writeListener = new WriteListenerImpl(output, ac); output.setWriteListener(writeListener); } } Example 2
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.16 Non-blocking IO public class WriteListenerImpl implements WriteListener { … public void onWritePossible() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (output.isReady()) { … } … } public void onError(final Throwable t) { … } } Example 2 (cont’d)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.17 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.18 Protocol Upgrade §  HTTP 1.1 (RFC 2616) §  Connection §  Transition to some other, incompatible protocol –  For examples, IRC/6.9, Web Socket HTTP Upgrade
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.19 Protocol Upgrade §  Originally proposed as part of HTML5 §  IETF-defined Protocol: RFC 6455 –  Handshake –  Data Transfer §  W3C defined JavaScript API –  Candidate Recommendation, 2012-09-20 §  Bi-directional, full-duplex / TCP Example: WebSocket
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.20 Client GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Protocol Upgrade Server HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= Sec-WebSocket-Protocol: chat WebSocket Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.21 Protocol Upgrade §  Add API to HttpServletRequest §  Add two new interfaces –  javax.servlet.http.HttpUpgradeHandler –  javax.servlet.http.WebConnection §  Can use non-blocking IO API in upgrade Overview
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.22 Protocol Upgrade §  New interface javax.servlet.http.HttpUpgradeHandler –  void init(WebConnection wc) –  void destroy() §  New interface javax.servlet.http.WebConnection extends AutoClosable –  ServletInputStream getInputStream() throws IOException –  ServletOutputStream getOutputStream() throws IOException HttpUpgradeHandler, WebConnection
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.23 Protocol Upgrade §  Add a method to HttpServletRequest –  <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException HttpServletRequest
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.24 Protocol Upgrade HttpServlet / Filter req.upgrade(…) init destroy HTTP Request upgraded protocol requests / responses HttpUpgradeHandler
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.25 Protocol Upgrade public class UpgradeServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { … if (decideToUpgrade) { EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class); … } } Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.26 Protocol Upgrade public class EchoHttpUpgradeHandler implements HttpUpgradeHandler { public void init(WebConnection wc) { try { ServletInputStream input = wc.getInputStream(); ServletOutputStream output = wc.getOutputStream(); ReadListener readListener = …; input.setReadListener(readListener); … } public void destroy() { … } } Example (cont’d)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.27 Protocol Upgrade TyrusServletFilter req.upgrade(…) init destroy HTTP Request WebSocket requests / responses TyrusHttpUpgradeHandler Example 2: Reference Implementation of JSR 356, Java API for WebSocket
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.28 DEMO
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.29 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.30 Security Enhancements §  Emails or web pages from hackers containing –  http://abank.com?SID=ABCDEFGHIJ §  Change Session id on authentication –  Add to interface HttpServletRequest §  public String changeSessionId() –  New interface javax.servlet.http.HttpSessionIdListener §  void sessionIdChanged(HttpSessionEvent se, String oldSessionId) Session Fixation Attack
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.31 Security Enhancements User Group Role /foo (“*”) /bar (“admin”) Alice manager admin Bob staff staff Carol contractor Any authenticated users Quiz
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.32 Security Enhancements §  Role “*” means any defined roles Any authenticated users Answer to the Quiz User Group Role /foo (“*”) /bar (“admin”) Alice manager admin ok ok Bob staff staff ok deny Carol contractor deny deny
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.33 Security Enhancements §  Roles “**”, any authenticated users §  For example, –  @WebServlet(“/foo”) @ServletSecurity(@HttpConstraint(rolesAllowed={“**”})) Any authenticated users
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.34 Security Enhancements §  deny-uncovered-http-methods in web.xml §  For example, –  <web-app …>
 " "…" " " "" " "<deny-uncovered-http-methods/> " "" " "<security-constraint>
 " " "<web-resource-collection>
 " " " "<web-resource-name>protected</web-resource-name>
 " " " "<url-pattern>/*</url-pattern>
 " " " "<http-method>GET</http-method>
 " " "</web-resource-collection>
 " " "<auth-constraint>
 " " " "<role-name>manager</role-name>
 " " "</auth-constraint>
 " "</security-constraint>
 </web-app>" deny-uncovered-http-methods
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.35 Security Enhancements §  Clarification on run-as –  Servlet#init, Servlet#destroy Run as
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.36 Security Enhancements §  Java EE 7, not in Servlet 3.1 §  Java security manager §  Declaring permissions required by application components §  META-INF/permission.xml §  See EE.6.2 of Java EE 7 spec for details. Declaring Permissions
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.37 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.38 Miscellaneous §  ServletResponse#reset –  Clears any data that exists in the buffer as well as the status code and headers §  ServletResponse#setCharacterEncoding –  Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8. –  … ServletResponse#reset and #setCharacterEncoding Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.39 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); response.getOutputStream().println("Done"); } } ServletResponse#reset and setCharacterEncoding (cont’d) Quiz in Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.40 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // no effect response.getOutputStream().println("Done"); // IllegalStateException } } ServletResponse#reset and setCharacterEncoding (cont’d 2) Answer to Quiz in Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.41 Miscellaneous §  Character encoding setting after ServletResponse#reset –  Only #getServletOutputStream or #getWriter –  #setCharacterEncoding has no effect after calling #getWriter –  Servlet 3.0 §  #reset clears HTTP headers, status code, data in buffer –  Servlet 3.1 §  #reset clears –  HTTP headers, status code, data in buffer –  state of calling #getServletOutputStream or #getWriter ServletResponse#reset and #setCharacterEncoding (cont’d 3)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.42 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // set Big5 encoding response.getOutputStream().println("Done"); // print } } ServletResponse#reset and #setCharacterEncoding (cont’d 4) Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.43 Miscellaneous §  HttpServletResponse.sendRedirect –  a.jsp –  /b/a.jsp –  http://anotherhost.com/b/a.jsp –  //anotherhost.com/b/a.jsp (Network Path Reference) Relative Protocol URL
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.44 Miscellaneous §  Clarification for HttpServletRequest#getPart, #getParts without multi-part configuration –  throw IllegalStateException §  Add method javax.servlet.http.Part#getSubmittedFileName() Multi-part
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.45 Miscellaneous §  Clarification for ServletContainerInitiailizer –  independent of metadata-complete –  instance per web application ServletContainerInitializer
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.46 Miscellaneous §  ServletRequestWrapper#isWrapperFor(Class<?> c) §  ServletResponseWrapper#isWrapperFor(Class<?> c) §  HandlesTypes#value return Class<?>[ ] Generic
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.47 Miscellaneous §  Add method ServletContext#getVirtualServerName() §  Add method ServletRequest#getContentLengthLong() §  Add method ServletResponse#setContentLengthLong(long len) Others
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.48 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security §  Miscellaneous §  Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.49 Resources §  Spec and Javadoc –  http://jcp.org/en/jsr/detail?id=340 –  http://servlet-spec.java.net §  GlassFish 4.0 –  http://glassfish.java.net –  webtier@glassfish.java.net §  blog –  http://www.java.net/blog/swchan2
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.50 Graphic Section Divider
Copyright © 2013, Oracle and/or its affiliates. All rights reserved.51

Recommandé

Servlet 3.1
Servlet 3.1Servlet 3.1
Servlet 3.1
Arun Gupta
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Rapid Network Application Development with Apache MINA
Rapid Network Application Development with Apache MINARapid Network Application Development with Apache MINA
Rapid Network Application Development with Apache MINA
trustinlee
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqela
jobandesther
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Arun Gupta
 
Tomcat New Evolution
Tomcat New EvolutionTomcat New Evolution
Tomcat New Evolution
Allan Huang
 
The Web on OSGi: Here's How
The Web on OSGi: Here's HowThe Web on OSGi: Here's How
The Web on OSGi: Here's How
mrdon
 
Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!
Reza Rahman
 

Recommandé

Servlet 3.1
Servlet 3.1Servlet 3.1
Servlet 3.1
Arun Gupta
 
Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5Java EE 7: Boosting Productivity and Embracing HTML5
Java EE 7: Boosting Productivity and Embracing HTML5
Arun Gupta
 
Rapid Network Application Development with Apache MINA
Rapid Network Application Development with Apache MINARapid Network Application Development with Apache MINA
Rapid Network Application Development with Apache MINA
trustinlee
 
Networking and Data Access with Eqela
Networking and Data Access with EqelaNetworking and Data Access with Eqela
Networking and Data Access with Eqela
jobandesther
 
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Java EE 7: Whats New in the Java EE Platform @ Devoxx 2013
Arun Gupta
 
Tomcat New Evolution
Tomcat New EvolutionTomcat New Evolution
Tomcat New Evolution
Allan Huang
 
The Web on OSGi: Here's How
The Web on OSGi: Here's HowThe Web on OSGi: Here's How
The Web on OSGi: Here's How
mrdon
 
Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!Reactive Java EE - Let Me Count the Ways!
Reactive Java EE - Let Me Count the Ways!
Reza Rahman
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Java EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSFJava EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSF
Jiayun Zhou
 
Reactive server with netty
Reactive server with nettyReactive server with netty
Reactive server with netty
Dmitriy Dumanskiy
 
Project Reactor Now and Tomorrow
Project Reactor Now and TomorrowProject Reactor Now and Tomorrow
Project Reactor Now and Tomorrow
VMware Tanzu
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
Yevgeniy Brikman
 
Servlets
ServletsServlets
Servlets
Manav Prasad
 
Java servlets
Java servletsJava servlets
Java servlets
yuvarani p
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
Yevgeniy Brikman
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
biicode
 
How to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applicationsHow to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applications
Ondrej Mihályi
 
Seven perilous pitfalls to avoid with Java | DevNation Tech Talk
Seven perilous pitfalls to avoid with Java | DevNation Tech TalkSeven perilous pitfalls to avoid with Java | DevNation Tech Talk
Seven perilous pitfalls to avoid with Java | DevNation Tech Talk
Red Hat Developers
 
GlassFish BOF
GlassFish BOFGlassFish BOF
GlassFish BOF
glassfish
 
Appium Automation with Kotlin
Appium Automation with KotlinAppium Automation with Kotlin
Appium Automation with Kotlin
RapidValue
 
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
0xdaryl
 
Leveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results AsynchrhonouslyLeveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results Asynchrhonously
David Gómez García
 
Jersey framework
Jersey frameworkJersey framework
Jersey framework
knight1128
 
Apache Tomcat 7 by Filip Hanik
Apache Tomcat 7 by Filip HanikApache Tomcat 7 by Filip Hanik
Apache Tomcat 7 by Filip Hanik
Edgar Espina
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
Cisco DevNet
 
Modern Java Workshop
Modern Java WorkshopModern Java Workshop
Modern Java Workshop
Simon Ritter
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
Alberto García Illera
 
JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
Shing Wai Chan
 
Java ee7 1hour
Java ee7 1hourJava ee7 1hour
Java ee7 1hour
Frank Rodriguez
 

Contenu connexe

Tendances

Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Java EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSFJava EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSF
Jiayun Zhou
 
Project Reactor Now and Tomorrow
Project Reactor Now and TomorrowProject Reactor Now and Tomorrow
Project Reactor Now and Tomorrow
VMware Tanzu
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
Yevgeniy Brikman
 
How to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applicationsHow to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applications
Ondrej Mihályi
 
Leveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results AsynchrhonouslyLeveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results Asynchrhonously
David Gómez García
 
Jersey framework
Jersey frameworkJersey framework
Jersey framework
knight1128
 

Tendances (20)

Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Java EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSFJava EE 6 CDI Integrates with Spring & JSF
Java EE 6 CDI Integrates with Spring & JSF
 
Reactive server with netty
Reactive server with nettyReactive server with netty
Reactive server with netty
 
Project Reactor Now and Tomorrow
Project Reactor Now and TomorrowProject Reactor Now and Tomorrow
Project Reactor Now and Tomorrow
 
The Play Framework at LinkedIn
The Play Framework at LinkedInThe Play Framework at LinkedIn
The Play Framework at LinkedIn
 
Servlets
ServletsServlets
Servlets
 
Java servlets
Java servletsJava servlets
Java servlets
 
Node.js vs Play Framework
Node.js vs Play FrameworkNode.js vs Play Framework
Node.js vs Play Framework
 
Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014Dependencies Managers in C/C++. Using stdcpp 2014
Dependencies Managers in C/C++. Using stdcpp 2014
 
How to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applicationsHow to bake reactive behavior into your Java EE applications
How to bake reactive behavior into your Java EE applications
 
Seven perilous pitfalls to avoid with Java | DevNation Tech Talk
Seven perilous pitfalls to avoid with Java | DevNation Tech TalkSeven perilous pitfalls to avoid with Java | DevNation Tech Talk
Seven perilous pitfalls to avoid with Java | DevNation Tech Talk
 
GlassFish BOF
GlassFish BOFGlassFish BOF
GlassFish BOF
 
Appium Automation with Kotlin
Appium Automation with KotlinAppium Automation with Kotlin
Appium Automation with Kotlin
 
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
JavaOne 2015 CON7547 "Beyond the Coffee Cup: Leveraging Java Runtime Technolo...
 
Leveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results AsynchrhonouslyLeveraging Completable Futures to handle your query results Asynchrhonously
Leveraging Completable Futures to handle your query results Asynchrhonously
 
Jersey framework
Jersey frameworkJersey framework
Jersey framework
 
Apache Tomcat 7 by Filip Hanik
Apache Tomcat 7 by Filip HanikApache Tomcat 7 by Filip Hanik
Apache Tomcat 7 by Filip Hanik
 
Aci programmability
Aci programmabilityAci programmability
Aci programmability
 
Modern Java Workshop
Modern Java WorkshopModern Java Workshop
Modern Java Workshop
 
Hacking oracle using metasploit
Hacking oracle using metasploitHacking oracle using metasploit
Hacking oracle using metasploit
 

Similaire à JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Similaire à JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340) (20)

JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
JavaOne Shanghai 2013 - Servlet 3.1 (JSR 340)
 
Java ee7 1hour
Java ee7 1hourJava ee7 1hour
Java ee7 1hour
 
OTN Tour 2013: What's new in java EE 7
OTN Tour 2013: What's new in java EE 7OTN Tour 2013: What's new in java EE 7
OTN Tour 2013: What's new in java EE 7
 
Java EE7
Java EE7Java EE7
Java EE7
 
Servlet 4.0 Adopt-a-JSR 10 Minute Infodeck
Servlet 4.0 Adopt-a-JSR 10 Minute InfodeckServlet 4.0 Adopt-a-JSR 10 Minute Infodeck
Servlet 4.0 Adopt-a-JSR 10 Minute Infodeck
 
Java EE 7 Platform: Boosting Productivity and Embracing HTML5 - Arun Gupta (R...
Java EE 7 Platform: Boosting Productivity and Embracing HTML5 - Arun Gupta (R...Java EE 7 Platform: Boosting Productivity and Embracing HTML5 - Arun Gupta (R...
Java EE 7 Platform: Boosting Productivity and Embracing HTML5 - Arun Gupta (R...
 
JSR 236 Concurrency Utils for EE presentation for JavaOne 2013 (CON7948)
JSR 236 Concurrency Utils for EE presentation for JavaOne 2013 (CON7948)JSR 236 Concurrency Utils for EE presentation for JavaOne 2013 (CON7948)
JSR 236 Concurrency Utils for EE presentation for JavaOne 2013 (CON7948)
 
As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0As novidades do Java EE 7: do HTML5 ao JMS 2.0
As novidades do Java EE 7: do HTML5 ao JMS 2.0
 
Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()Presente e Futuro: Java EE.next()
Presente e Futuro: Java EE.next()
 
Batch Applications for the Java Platform
Batch Applications for the Java PlatformBatch Applications for the Java Platform
Batch Applications for the Java Platform
 
Getting Started with WebSocket and Server-Sent Events in Java
Getting Started with WebSocket and Server-Sent Events in JavaGetting Started with WebSocket and Server-Sent Events in Java
Getting Started with WebSocket and Server-Sent Events in Java
 
112815 java ee8_davidd
112815 java ee8_davidd112815 java ee8_davidd
112815 java ee8_davidd
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishJava API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFish
 
JAX RS 2.0 - OTN Bangalore 2013
JAX RS 2.0 - OTN Bangalore 2013JAX RS 2.0 - OTN Bangalore 2013
JAX RS 2.0 - OTN Bangalore 2013
 
JAX-RS 2.0: RESTful Web Services
JAX-RS 2.0: RESTful Web ServicesJAX-RS 2.0: RESTful Web Services
JAX-RS 2.0: RESTful Web Services
 
"Quantum" Performance Effects
"Quantum" Performance Effects"Quantum" Performance Effects
"Quantum" Performance Effects
 
Getting Started with WebSocket and Server-Sent Events using Java by Arun Gupta
Getting Started with WebSocket and Server-Sent Events using Java by Arun GuptaGetting Started with WebSocket and Server-Sent Events using Java by Arun Gupta
Getting Started with WebSocket and Server-Sent Events using Java by Arun Gupta
 
Getting started with Websocket and Server-sent Events using Java - Arun Gupta
Getting started with Websocket and Server-sent Events using Java - Arun Gupta Getting started with Websocket and Server-sent Events using Java - Arun Gupta
Getting started with Websocket and Server-sent Events using Java - Arun Gupta
 
Best Practices for JSF, Gameduell 2013
Best Practices for JSF, Gameduell 2013Best Practices for JSF, Gameduell 2013
Best Practices for JSF, Gameduell 2013
 
Completable future
Completable futureCompletable future
Completable future
 

Dernier

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

  • 1. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.1
  • 2. What’s New in JSR 340, Servlet 3.1? Shing Wai Chan Rajiv Mordani Session ID: CON 4854
  • 3. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.3 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.
  • 4. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.4 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security enhancements §  Miscellaneous features §  Resources
  • 5. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.5 Servlet 3.1 Overview §  FINAL: Part of Java EE 7 §  Upgrade from Servlet 3.0 §  Scalability –  Expose Non-blocking IO API §  Support newer technologies that leverage HTTP protocol for the initial handshake –  Support general upgrade mechanism for protocols like WebSocket §  Security enhancements
  • 6. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.6 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security enhancements §  Miscellaneous features §  Resources
  • 7. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.7 Non-blocking IO public class TestServlet extends HttpServlet protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { ServletInputStream input = request.getInputStream(); byte[] b = new byte[1024]; int len = -1; while ((len = input.read(b)) != -1) { … } } } Traditional IO Example
  • 8. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.8 Non Blocking IO §  Add two new interfaces: ReadListener, WriteListener §  Add APIs to ServletInputStream, ServletOutputStream §  For asynchronous and upgrade only Overview
  • 9. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.9 Non-blocking IO public interface ReadListener extends EventListener { public void onDataAvailable() throws IOException; public void onAllDataRead() throws IOException; public void onError(Throwable t); } javax.servlet.ReadListener
  • 10. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.10 Non-blocking IO public interface WriteListener extends EventListener { public void onWritePossible() throws IOException; public void onError(Throwable t); } javax.servlet.WriteListener
  • 11. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.11 Non-blocking IO §  javax.servlet.ServletInputStream –  public abstract boolean isFinished() –  public abstract boolean isReady() –  public abstract void setReadListener(ReadListener listener) §  javax.servlet.ServletOutputStream –  public abstract boolean isReady() –  public abstract setWriteListener(WriteListener listener) ServletInputStream, ServletOutputStream
  • 12. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.12 Non-blocking IO public class TestServlet extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletInputStream input = req.getInputStream(); ReadListener readListener = new ReadListenerImpl(input, output, ac); input.setReadListener(readListener); } } Example
  • 13. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.13 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while ((len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { … } public void onError(final Throwable t) { … } } Example (cont’d): Quiz
  • 14. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.14 Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (input.isReady() && (len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { ac.complete(); } public void onError(final Throwable t) { … } } Example (cont’d 2): Answer
  • 15. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.15 Non-blocking IO public class TestServlet2 extends HttpServlet { protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException { AsyncContext ac = req.startAsync(); … ServletOutputStream output = req.getOutputStream(); WriteListener writeListener = new WriteListenerImpl(output, ac); output.setWriteListener(writeListener); } } Example 2
  • 16. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.16 Non-blocking IO public class WriteListenerImpl implements WriteListener { … public void onWritePossible() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (output.isReady()) { … } … } public void onError(final Throwable t) { … } } Example 2 (cont’d)
  • 17. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.17 Program Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
  • 18. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.18 Protocol Upgrade §  HTTP 1.1 (RFC 2616) §  Connection §  Transition to some other, incompatible protocol –  For examples, IRC/6.9, Web Socket HTTP Upgrade
  • 19. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.19 Protocol Upgrade §  Originally proposed as part of HTML5 §  IETF-defined Protocol: RFC 6455 –  Handshake –  Data Transfer §  W3C defined JavaScript API –  Candidate Recommendation, 2012-09-20 §  Bi-directional, full-duplex / TCP Example: WebSocket
  • 20. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.20 Client GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 Protocol Upgrade Server HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= Sec-WebSocket-Protocol: chat WebSocket Example
  • 21. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.21 Protocol Upgrade §  Add API to HttpServletRequest §  Add two new interfaces –  javax.servlet.http.HttpUpgradeHandler –  javax.servlet.http.WebConnection §  Can use non-blocking IO API in upgrade Overview
  • 22. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.22 Protocol Upgrade §  New interface javax.servlet.http.HttpUpgradeHandler –  void init(WebConnection wc) –  void destroy() §  New interface javax.servlet.http.WebConnection extends AutoClosable –  ServletInputStream getInputStream() throws IOException –  ServletOutputStream getOutputStream() throws IOException HttpUpgradeHandler, WebConnection
  • 23. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.23 Protocol Upgrade §  Add a method to HttpServletRequest –  <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException HttpServletRequest
  • 24. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.24 Protocol Upgrade HttpServlet / Filter req.upgrade(…) init destroy HTTP Request upgraded protocol requests / responses HttpUpgradeHandler
  • 25. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.25 Protocol Upgrade public class UpgradeServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { … if (decideToUpgrade) { EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class); … } } Example
  • 26. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.26 Protocol Upgrade public class EchoHttpUpgradeHandler implements HttpUpgradeHandler { public void init(WebConnection wc) { try { ServletInputStream input = wc.getInputStream(); ServletOutputStream output = wc.getOutputStream(); ReadListener readListener = …; input.setReadListener(readListener); … } public void destroy() { … } } Example (cont’d)
  • 27. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.27 Protocol Upgrade TyrusServletFilter req.upgrade(…) init destroy HTTP Request WebSocket requests / responses TyrusHttpUpgradeHandler Example 2: Reference Implementation of JSR 356, Java API for WebSocket
  • 28. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.28 DEMO
  • 29. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.29 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
  • 30. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.30 Security Enhancements §  Emails or web pages from hackers containing –  http://abank.com?SID=ABCDEFGHIJ §  Change Session id on authentication –  Add to interface HttpServletRequest §  public String changeSessionId() –  New interface javax.servlet.http.HttpSessionIdListener §  void sessionIdChanged(HttpSessionEvent se, String oldSessionId) Session Fixation Attack
  • 31. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.31 Security Enhancements User Group Role /foo (“*”) /bar (“admin”) Alice manager admin Bob staff staff Carol contractor Any authenticated users Quiz
  • 32. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.32 Security Enhancements §  Role “*” means any defined roles Any authenticated users Answer to the Quiz User Group Role /foo (“*”) /bar (“admin”) Alice manager admin ok ok Bob staff staff ok deny Carol contractor deny deny
  • 33. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.33 Security Enhancements §  Roles “**”, any authenticated users §  For example, –  @WebServlet(“/foo”) @ServletSecurity(@HttpConstraint(rolesAllowed={“**”})) Any authenticated users
  • 34. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.34 Security Enhancements §  deny-uncovered-http-methods in web.xml §  For example, –  <web-app …>
 " "…" " " "" " "<deny-uncovered-http-methods/> " "" " "<security-constraint>
 " " "<web-resource-collection>
 " " " "<web-resource-name>protected</web-resource-name>
 " " " "<url-pattern>/*</url-pattern>
 " " " "<http-method>GET</http-method>
 " " "</web-resource-collection>
 " " "<auth-constraint>
 " " " "<role-name>manager</role-name>
 " " "</auth-constraint>
 " "</security-constraint>
 </web-app>" deny-uncovered-http-methods
  • 35. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.35 Security Enhancements §  Clarification on run-as –  Servlet#init, Servlet#destroy Run as
  • 36. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.36 Security Enhancements §  Java EE 7, not in Servlet 3.1 §  Java security manager §  Declaring permissions required by application components §  META-INF/permission.xml §  See EE.6.2 of Java EE 7 spec for details. Declaring Permissions
  • 37. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.37 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security Enhancements §  Miscellaneous §  Resources
  • 38. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.38 Miscellaneous §  ServletResponse#reset –  Clears any data that exists in the buffer as well as the status code and headers §  ServletResponse#setCharacterEncoding –  Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8. –  … ServletResponse#reset and #setCharacterEncoding Servlet 3.0
  • 39. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.39 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); response.getOutputStream().println("Done"); } } ServletResponse#reset and setCharacterEncoding (cont’d) Quiz in Servlet 3.0
  • 40. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.40 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // no effect response.getOutputStream().println("Done"); // IllegalStateException } } ServletResponse#reset and setCharacterEncoding (cont’d 2) Answer to Quiz in Servlet 3.0
  • 41. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.41 Miscellaneous §  Character encoding setting after ServletResponse#reset –  Only #getServletOutputStream or #getWriter –  #setCharacterEncoding has no effect after calling #getWriter –  Servlet 3.0 §  #reset clears HTTP headers, status code, data in buffer –  Servlet 3.1 §  #reset clears –  HTTP headers, status code, data in buffer –  state of calling #getServletOutputStream or #getWriter ServletResponse#reset and #setCharacterEncoding (cont’d 3)
  • 42. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.42 Miscellaneous public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // set Big5 encoding response.getOutputStream().println("Done"); // print } } ServletResponse#reset and #setCharacterEncoding (cont’d 4) Example
  • 43. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.43 Miscellaneous §  HttpServletResponse.sendRedirect –  a.jsp –  /b/a.jsp –  http://anotherhost.com/b/a.jsp –  //anotherhost.com/b/a.jsp (Network Path Reference) Relative Protocol URL
  • 44. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.44 Miscellaneous §  Clarification for HttpServletRequest#getPart, #getParts without multi-part configuration –  throw IllegalStateException §  Add method javax.servlet.http.Part#getSubmittedFileName() Multi-part
  • 45. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.45 Miscellaneous §  Clarification for ServletContainerInitiailizer –  independent of metadata-complete –  instance per web application ServletContainerInitializer
  • 46. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.46 Miscellaneous §  ServletRequestWrapper#isWrapperFor(Class<?> c) §  ServletResponseWrapper#isWrapperFor(Class<?> c) §  HandlesTypes#value return Class<?>[ ] Generic
  • 47. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.47 Miscellaneous §  Add method ServletContext#getVirtualServerName() §  Add method ServletRequest#getContentLengthLong() §  Add method ServletResponse#setContentLengthLong(long len) Others
  • 48. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.48 Agenda §  Servlet 3.1 Overview §  Non-blocking IO §  Protocol Upgrade §  Security §  Miscellaneous §  Resources
  • 49. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.49 Resources §  Spec and Javadoc –  http://jcp.org/en/jsr/detail?id=340 –  http://servlet-spec.java.net §  GlassFish 4.0 –  http://glassfish.java.net –  webtier@glassfish.java.net §  blog –  http://www.java.net/blog/swchan2
  • 50. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.50 Graphic Section Divider
  • 51. Copyright © 2013, Oracle and/or its affiliates. All rights reserved.51