JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)
-
Upload
shing-wai-chan -
Category
Technology
-
view
1.140 -
download
1
description
Transcript of JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1
What’s New in JSR 340, Servlet 3.1? Shing Wai Chan Rajiv Mordani
Session ID: CON 4854
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 3
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 4
Program Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security enhancements
§ Miscellaneous features
§ Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 5
Servlet 3.1 Overview
§ FINAL: Part of Java EE 7 § Upgrade from Servlet 3.0 § Scalability
– Expose Non-blocking IO API § Support newer technologies that leverage HTTP protocol for the initial
handshake – Support general upgrade mechanism for protocols like WebSocket
§ Security enhancements
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 6
Program Agenda
§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security enhancements
§ Miscellaneous features
§ Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 7
Non-blocking IO
public class TestServlet extends HttpServlet protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { ServletInputStream input = request.getInputStream(); byte[] b = new byte[1024]; int len = -1; while ((len = input.read(b)) != -1) { … }
}
}
Traditional IO Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 8
Non Blocking IO
§ Add two new interfaces: ReadListener, WriteListener § Add APIs to ServletInputStream, ServletOutputStream § For asynchronous and upgrade only
Overview
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 9
Non-blocking IO
public interface ReadListener extends EventListener { public void onDataAvailable() throws IOException; public void onAllDataRead() throws IOException; public void onError(Throwable t);
}
javax.servlet.ReadListener
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 10
Non-blocking IO
public interface WriteListener extends EventListener { public void onWritePossible() throws IOException; public void onError(Throwable t);
}
javax.servlet.WriteListener
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 11
Non-blocking IO
§ javax.servlet.ServletInputStream – public abstract boolean isFinished() – public abstract boolean isReady()
– public abstract void setReadListener(ReadListener listener)
§ javax.servlet.ServletOutputStream – public abstract boolean isReady()
– public abstract setWriteListener(WriteListener listener)
ServletInputStream, ServletOutputStream
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 12
Non-blocking IO
public class TestServlet extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletInputStream input = req.getInputStream();
ReadListener readListener = new ReadListenerImpl(input, output, ac);
input.setReadListener(readListener);
}
}
Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 13
Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while ((len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { … } public void onError(final Throwable t) { … } }
Example (cont’d): Quiz
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 14
Non-blocking IO public class ReadListenerImpl implements ReadListener { … public void onDataAvailable() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (input.isReady() && (len = input.read(b)) != -1) { … } } public void onAllDataRead() throws IOException { ac.complete(); } public void onError(final Throwable t) { … } }
Example (cont’d 2): Answer
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 15
Non-blocking IO
public class TestServlet2 extends HttpServlet {
protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {
AsyncContext ac = req.startAsync();
…
ServletOutputStream output = req.getOutputStream();
WriteListener writeListener = new WriteListenerImpl(output, ac);
output.setWriteListener(writeListener);
}
}
Example 2
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 16
Non-blocking IO public class WriteListenerImpl implements WriteListener { … public void onWritePossible() throws IOException { … int len = -1; byte b[] = new byte[1024]; while (output.isReady()) { … } … } public void onError(final Throwable t) { … } }
Example 2 (cont’d)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 17
Program Agenda
§ Servlet 3.1 Overview § Non-blocking IO § Protocol Upgrade § Security Enhancements § Miscellaneous § Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 18
Protocol Upgrade
§ HTTP 1.1 (RFC 2616) § Connection § Transition to some other, incompatible protocol
– For examples, IRC/6.9, Web Socket
HTTP Upgrade
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 19
Protocol Upgrade
§ Originally proposed as part of HTML5 § IETF-defined Protocol: RFC 6455
– Handshake – Data Transfer
§ W3C defined JavaScript API – Candidate Recommendation, 2012-09-20
§ Bi-directional, full-duplex / TCP
Example: WebSocket
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 20
Client GET /chat HTTP/1.1 Host: server.example.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: http://example.com Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13
Protocol Upgrade
Server HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo= Sec-WebSocket-Protocol: chat
WebSocket Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 21
Protocol Upgrade
§ Add API to HttpServletRequest § Add two new interfaces
– javax.servlet.http.HttpUpgradeHandler – javax.servlet.http.WebConnection
§ Can use non-blocking IO API in upgrade
Overview
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 22
Protocol Upgrade
§ New interface javax.servlet.http.HttpUpgradeHandler – void init(WebConnection wc) – void destroy()
§ New interface javax.servlet.http.WebConnection extends AutoClosable
– ServletInputStream getInputStream() throws IOException – ServletOutputStream getOutputStream() throws IOException
HttpUpgradeHandler, WebConnection
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 23
Protocol Upgrade
§ Add a method to HttpServletRequest – <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException
HttpServletRequest
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 24
Protocol Upgrade
HttpServlet / Filter
req.upgrade(…)
init
destroy
HTTP Request
upgraded protocol requests / responses
HttpUpgradeHandler
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 25
Protocol Upgrade
public class UpgradeServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { … if (decideToUpgrade) { EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class); … }
}
Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 26
Protocol Upgrade
public class EchoHttpUpgradeHandler implements HttpUpgradeHandler { public void init(WebConnection wc) { try { ServletInputStream input = wc.getInputStream(); ServletOutputStream output = wc.getOutputStream(); ReadListener readListener = …; input.setReadListener(readListener); … } public void destroy() { … }
}
Example (cont’d)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 27
Protocol Upgrade
TyrusServletFilter req.upgrade(…)
init
destroy
HTTP Request
WebSocket requests / responses
TyrusHttpUpgradeHandler
Example 2: Reference Implementation of JSR 356, Java API for WebSocket
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 28
DEMO
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 29
Agenda
§ Servlet 3.1 Overview § Non-blocking IO § Protocol Upgrade § Security Enhancements § Miscellaneous § Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 30
Security Enhancements
§ Emails or web pages from hackers containing – http://abank.com?SID=ABCDEFGHIJ
§ Change Session id on authentication – Add to interface HttpServletRequest
§ public String changeSessionId() – New interface javax.servlet.http.HttpSessionIdListener
§ void sessionIdChanged(HttpSessionEvent se, String oldSessionId)
Session Fixation Attack
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 31
Security Enhancements
User Group Role /foo (“*”) /bar (“admin”) Alice manager admin Bob staff staff Carol contractor
Any authenticated users Quiz
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 32
Security Enhancements
§ Role “*” means any defined roles
Any authenticated users Answer to the Quiz
User Group Role /foo (“*”) /bar (“admin”)
Alice manager admin ok ok Bob staff staff ok deny Carol contractor deny deny
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 33
Security Enhancements
§ Roles “**”, any authenticated users § For example,
– @WebServlet(“/foo”) @ServletSecurity(@HttpConstraint(rolesAllowed={“**”}))
Any authenticated users
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 34
Security Enhancements
§ deny-uncovered-http-methods in web.xml § For example,
– <web-app …> " "…" " " ""
" "<deny-uncovered-http-methods/> " ""
" "<security-constraint> " " "<web-resource-collection> " " " "<web-resource-name>protected</web-resource-name> " " " "<url-pattern>/*</url-pattern> " " " "<http-method>GET</http-method> " " "</web-resource-collection> " " "<auth-constraint> " " " "<role-name>manager</role-name> " " "</auth-constraint> " "</security-constraint> </web-app>"
deny-uncovered-http-methods
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 35
Security Enhancements
§ Clarification on run-as – Servlet#init, Servlet#destroy
Run as
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 36
Security Enhancements
§ Java EE 7, not in Servlet 3.1 § Java security manager § Declaring permissions required by application components § META-INF/permission.xml § See EE.6.2 of Java EE 7 spec for details.
Declaring Permissions
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 37
Agenda
§ Servlet 3.1 Overview § Non-blocking IO § Protocol Upgrade § Security Enhancements § Miscellaneous § Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 38
Miscellaneous
§ ServletResponse#reset – Clears any data that exists in the buffer as well as the status code and
headers
§ ServletResponse#setCharacterEncoding – Sets the character encoding (MIME charset) of the response being sent to
the client, for example, to UTF-8. – …
ServletResponse#reset and #setCharacterEncoding Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 39
Miscellaneous
public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); response.getOutputStream().println("Done"); }
}
ServletResponse#reset and setCharacterEncoding (cont’d) Quiz in Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 40
Miscellaneous
public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // no effect response.getOutputStream().println("Done"); // IllegalStateException }
}
ServletResponse#reset and setCharacterEncoding (cont’d 2) Answer to Quiz in Servlet 3.0
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 41
Miscellaneous
§ Character encoding setting after ServletResponse#reset – Only #getServletOutputStream or #getWriter – #setCharacterEncoding has no effect after calling #getWriter – Servlet 3.0
§ #reset clears HTTP headers, status code, data in buffer – Servlet 3.1
§ #reset clears – HTTP headers, status code, data in buffer – state of calling #getServletOutputStream or #getWriter
ServletResponse#reset and #setCharacterEncoding (cont’d 3)
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 42
Miscellaneous
public class TestServlet extends HttpServlet protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { response.setContentType("text/html"); response.setCharacterEncoding("ISO-8859-1"); PrintWriter writer = response.getWriter(); … response.reset(); response.setContentType("text/plain"); response.setCharacterEncoding("Big5"); // set Big5 encoding response.getOutputStream().println("Done"); // print }
}
ServletResponse#reset and #setCharacterEncoding (cont’d 4) Example
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 43
Miscellaneous
§ HttpServletResponse.sendRedirect – a.jsp – /b/a.jsp – http://anotherhost.com/b/a.jsp – //anotherhost.com/b/a.jsp (Network Path Reference)
Relative Protocol URL
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 44
Miscellaneous
§ Clarification for HttpServletRequest#getPart, #getParts without multi-part configuration
– throw IllegalStateException
§ Add method javax.servlet.http.Part#getSubmittedFileName()
Multi-part
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 45
Miscellaneous
§ Clarification for ServletContainerInitiailizer – independent of metadata-complete – instance per web application
ServletContainerInitializer
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 46
Miscellaneous
§ ServletRequestWrapper#isWrapperFor(Class<?> c) § ServletResponseWrapper#isWrapperFor(Class<?> c) § HandlesTypes#value return Class<?>[ ]
Generic
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 47
Miscellaneous
§ Add method ServletContext#getVirtualServerName()
§ Add method ServletRequest#getContentLengthLong() § Add method ServletResponse#setContentLengthLong(long len)
Others
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 48
Agenda
§ Servlet 3.1 Overview § Non-blocking IO § Protocol Upgrade § Security § Miscellaneous § Resources
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 49
Resources
§ Spec and Javadoc – http://jcp.org/en/jsr/detail?id=340 – http://servlet-spec.java.net
§ GlassFish 4.0 – http://glassfish.java.net – [email protected]
§ blog – http://www.java.net/blog/swchan2
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 50
Graphic Section Divider
Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 51