JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Copyright © 2013, Oracle and/or its affiliates. All rights reserved.

Description: JavaOne San Francisco 2013 presentation CON4854, "What's New in JSR 340, Servlet 3.1?" (51 slides)

Transcript of JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Page 1: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)


Page 2: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

What's New in JSR 340, Servlet 3.1?
Shing Wai Chan, Rajiv Mordani

Session ID: CON4854

Page 3: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)


Program Agenda

§ Servlet 3.1 Overview

§ Non-blocking IO

§ Protocol Upgrade

§ Security enhancements

§ Miscellaneous features

§ Resources

Page 5: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Servlet 3.1 Overview

§ FINAL: Part of Java EE 7
§ Upgrade from Servlet 3.0
§ Scalability
–  Expose a Non-blocking IO API
§ Support newer technologies that leverage the HTTP protocol for the initial handshake
–  Support a general upgrade mechanism for protocols like WebSocket
§ Security enhancements

Page 6: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)


Program Agenda

§ Servlet 3.1 Overview

§ Non-blocking IO

§ Protocol Upgrade

§ Security enhancements

§ Miscellaneous features

§ Resources

Page 7: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Traditional IO Example

    public class TestServlet extends HttpServlet {
        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            ServletInputStream input = request.getInputStream();
            byte[] b = new byte[1024];
            int len = -1;
            // Blocking read: the container thread is parked here until the client sends more data
            while ((len = input.read(b)) != -1) {
                …
            }
        }
    }

Page 8: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Overview

§ Add two new interfaces: ReadListener, WriteListener
§ Add APIs to ServletInputStream, ServletOutputStream
§ For asynchronous and upgrade only: setReadListener / setWriteListener throw IllegalStateException on a request that is neither async-started nor upgraded

Page 9: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

javax.servlet.ReadListener

    public interface ReadListener extends EventListener {
        public void onDataAvailable() throws IOException;
        public void onAllDataRead() throws IOException;
        public void onError(Throwable t);
    }

Page 10: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

javax.servlet.WriteListener

    public interface WriteListener extends EventListener {
        public void onWritePossible() throws IOException;
        public void onError(Throwable t);
    }

Page 11: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

ServletInputStream, ServletOutputStream

§ javax.servlet.ServletInputStream
–  public abstract boolean isFinished()
–  public abstract boolean isReady()
–  public abstract void setReadListener(ReadListener listener)
§ javax.servlet.ServletOutputStream
–  public abstract boolean isReady()
–  public abstract void setWriteListener(WriteListener listener)

Page 12: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Example

    public class TestServlet extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            // Non-blocking IO is only available once the request is async (or upgraded)
            AsyncContext ac = req.startAsync();
            ServletInputStream input = req.getInputStream();
            ServletOutputStream output = res.getOutputStream();
            ReadListener readListener = new ReadListenerImpl(input, output, ac);
            input.setReadListener(readListener);
        }
    }

Page 13: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Example (cont'd): Quiz

    public class ReadListenerImpl implements ReadListener {
        …
        public void onDataAvailable() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            while ((len = input.read(b)) != -1) {
                …
            }
        }
        public void onAllDataRead() throws IOException { … }
        public void onError(final Throwable t) { … }
    }

Page 14: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Example (cont'd 2): Answer

    public class ReadListenerImpl implements ReadListener {
        …
        public void onDataAvailable() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            // read() only while isReady() is true; when it turns false, return and wait
            // for the container to call onDataAvailable() again
            while (input.isReady() && (len = input.read(b)) != -1) {
                …
            }
        }
        public void onAllDataRead() throws IOException {
            ac.complete();   // finish the async request once the whole body has been read
        }
        public void onError(final Throwable t) { … }
    }

In non-blocking mode read() must be guarded by isReady(): calling read() when isReady() returns false results in an IllegalStateException. The loop therefore exits as soon as no more data can be read without blocking, and the container invokes onDataAvailable() again when more data arrives. onAllDataRead() must complete the AsyncContext, otherwise the response is never finished.

Page 15: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Example 2

    public class TestServlet2 extends HttpServlet {
        protected void doPost(HttpServletRequest req, HttpServletResponse res)
                throws IOException, ServletException {
            AsyncContext ac = req.startAsync();
            ServletOutputStream output = res.getOutputStream();
            WriteListener writeListener = new WriteListenerImpl(output, ac);
            output.setWriteListener(writeListener);
        }
    }

Page 16: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Non-blocking IO

Example 2 (cont'd)

    public class WriteListenerImpl implements WriteListener {
        …
        public void onWritePossible() throws IOException {
            …
            int len = -1;
            byte b[] = new byte[1024];
            // write only while the container can accept data without blocking
            while (output.isReady()) {
                …
            }
            …
        }
        public void onError(final Throwable t) { … }
    }

Page 17: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Program Agenda

§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources

Page 18: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

HTTP Upgrade

§ HTTP/1.1 (RFC 2616): the Upgrade header
§ Sent together with Connection: Upgrade
§ Transition to some other, incompatible protocol on the same connection
–  For example, IRC/6.9, WebSocket

Page 19: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

Example: WebSocket

§ Originally proposed as part of HTML5
§ IETF-defined protocol: RFC 6455
–  Handshake
–  Data Transfer
§ W3C-defined JavaScript API
–  Candidate Recommendation, 2012-09-20
§ Bi-directional, full-duplex, over TCP

Page 20: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

WebSocket Example

Client:

    GET /chat HTTP/1.1
    Host: server.example.com
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
    Origin: http://example.com
    Sec-WebSocket-Protocol: chat, superchat
    Sec-WebSocket-Version: 13

Server:

    HTTP/1.1 101 Switching Protocols
    Upgrade: websocket
    Connection: Upgrade
    Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
    Sec-WebSocket-Protocol: chat
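The handshake on this slide, worked through as an added example in Python (not code from the presentation or from the Servlet API): the checks a server-side endpoint, for instance one behind an HttpUpgradeHandler, has to make before answering 101 Switching Protocols, and the Sec-WebSocket-Accept computation from RFC 6455 (base64 of the SHA-1 of the client key concatenated with the fixed GUID). The request is the one on the slide; the Origin allowlist and SUPPORTED_SUBPROTOCOLS are assumptions for the example. The Origin check matters because the same-origin policy does not apply to WebSocket connections, so a page on any site can open a socket to this server unless the server refuses foreign origins.

```python
import base64
import binascii
import hashlib

# Fixed GUID from RFC 6455 section 1.3, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
# Subprotocols this example endpoint speaks (assumption for the example).
SUPPORTED_SUBPROTOCOLS = ("chat",)

# Client handshake as shown on the slide (the RFC 6455 example request).
SAMPLE_REQUEST = (
    "GET /chat HTTP/1.1\r\n"
    "Host: server.example.com\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Origin: http://example.com\r\n"
    "Sec-WebSocket-Protocol: chat, superchat\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)


def accept_value(sec_websocket_key):
    """Sec-WebSocket-Accept = base64(SHA-1(key || GUID)): proves the server saw this key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw):
    """Split an HTTP/1.1 request head into (request_line, headers); header names lower-cased."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def tokens(value):
    """Comma-separated header tokens, e.g. 'Connection: keep-alive, Upgrade'."""
    return [t.strip() for t in value.split(",") if t.strip()]


def websocket_handshake(raw_request, allowed_origins):
    """Validate an opening handshake; returns (status, response_headers).
    101 only when every RFC 6455 check and the Origin allowlist pass."""
    _, h = parse_request(raw_request)
    if h.get("upgrade", "").lower() != "websocket":
        return 400, {}
    if "upgrade" not in [t.lower() for t in tokens(h.get("connection", ""))]:
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        # RFC 6455: refuse, telling the client which version we do support
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:   # 16 random bytes, base64-encoded
            return 400, {}
    except (binascii.Error, ValueError):
        return 400, {}
    # Browsers always send Origin; a missing or foreign Origin is refused (the
    # defence against cross-site WebSocket hijacking).
    if h.get("origin") not in allowed_origins:
        return 403, {}
    response = {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_value(key),
    }
    # Select the first client-offered subprotocol we support (names are case-sensitive).
    for offered in tokens(h.get("sec-websocket-protocol", "")):
        if offered in SUPPORTED_SUBPROTOCOLS:
            response["Sec-WebSocket-Protocol"] = offered
            break
    return 101, response
```

For the slide's request with http://example.com allowlisted, the function returns 101 with the same Sec-WebSocket-Accept value the slide shows; the same request from another origin gets 403, and an older Sec-WebSocket-Version gets 426.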

Page 21: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

Overview

§ Add API to HttpServletRequest
§ Add two new interfaces
–  javax.servlet.http.HttpUpgradeHandler
–  javax.servlet.http.WebConnection
§ Can use the non-blocking IO API on an upgraded connection

Page 22: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

HttpUpgradeHandler, WebConnection

§ New interface javax.servlet.http.HttpUpgradeHandler
–  void init(WebConnection wc)
–  void destroy()
§ New interface javax.servlet.http.WebConnection extends AutoCloseable
–  ServletInputStream getInputStream() throws IOException
–  ServletOutputStream getOutputStream() throws IOException

Page 23: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

HttpServletRequest

§ Add a method to HttpServletRequest
–  <T extends HttpUpgradeHandler> T upgrade(Class<T> handlerClass) throws IOException, ServletException

Page 24: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

HttpUpgradeHandler

Diagram: an HTTP request reaches the HttpServlet / Filter, which calls req.upgrade(…); the container then calls init on the HttpUpgradeHandler, all subsequent upgraded protocol requests / responses are handled by the HttpUpgradeHandler, and destroy is called when the connection is finished.

Page 25: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

Example

    public class UpgradeServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            …
            if (decideToUpgrade) {
                // after upgrade() returns, the container finishes filter/servlet processing
                // and hands the connection to the handler
                EchoHttpUpgradeHandler handler = request.upgrade(EchoHttpUpgradeHandler.class);
                …
            }
        }
    }

Page 26: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

Example (cont'd)

    public class EchoHttpUpgradeHandler implements HttpUpgradeHandler {
        public void init(WebConnection wc) {
            try {
                ServletInputStream input = wc.getInputStream();
                ServletOutputStream output = wc.getOutputStream();
                ReadListener readListener = …;
                input.setReadListener(readListener);
                …
            } catch (IOException e) {
                …
            }
        }
        public void destroy() { … }
    }

Page 27: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Protocol Upgrade

Example 2: Reference Implementation of JSR 356, Java API for WebSocket (Tyrus)

Diagram: an HTTP request reaches TyrusServletFilter, which calls req.upgrade(…); the container calls init on TyrusHttpUpgradeHandler, the WebSocket requests / responses are then handled by TyrusHttpUpgradeHandler, and destroy is called when the connection closes.

Page 28: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)


DEMO

Page 29: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Agenda

§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources

Page 30: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Session Fixation Attack

§ Emails or web pages from hackers containing a pre-chosen session id, e.g.
–  http://abank.com?SID=ABCDEFGHIJ
§ Change the session id on authentication
–  Added to interface HttpServletRequest
§  public String changeSessionId()
–  New interface javax.servlet.http.HttpSessionIdListener
§  void sessionIdChanged(HttpSessionEvent se, String oldSessionId)
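The attack and the fix on this slide, modelled as an added example in Python (not code from the presentation; the Servlet API is only imitated). The session store, the user and the credentials are constructed for the example. change_session_id mirrors what HttpServletRequest#changeSessionId does: the session attributes survive, the old id stops resolving, and an HttpSessionIdListener-style event records (oldSessionId, newSessionId).

```python
import secrets

# Constructed credential store for the example.
CREDENTIALS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal model of a container's session registry: session id -> attributes."""

    def __init__(self):
        self._sessions = {}
        self.id_change_events = []   # (old_id, new_id): what an HttpSessionIdListener would see

    def new_session(self):
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def change_session_id(self, sid):
        """Model of HttpServletRequest#changeSessionId(): same session data, fresh id,
        the old id no longer resolves, listeners are notified."""
        attributes = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(24)
        self._sessions[new_sid] = attributes
        self.id_change_events.append((sid, new_sid))
        return new_sid


def login(store, sid, user, password, rotate_id):
    """Authenticate and bind the user to the session; returns the id the browser must use
    from now on. rotate_id=False is the vulnerable pattern, True is the Servlet 3.1 fix."""
    if store.get(sid) is None:
        sid = store.new_session()
    if CREDENTIALS.get(user) != password:
        return None
    if rotate_id:
        sid = store.change_session_id(sid)   # attacker's copy of the old id is now useless
    store.get(sid)["user"] = user
    return sid


def whoami(store, sid):
    session = store.get(sid)
    return session.get("user") if session is not None else None


def fixation_attack(rotate_id):
    """1. attacker obtains a valid session id from the site,
    2. lures the victim into using it (the ?SID=... link on the slide) and the victim logs in,
    3. attacker replays the planted id.
    Returns (what the attacker sees, what the victim sees)."""
    store = SessionStore()
    planted = store.new_session()
    victim_sid = login(store, planted, "alice", CREDENTIALS["alice"], rotate_id)
    return whoami(store, planted), whoami(store, victim_sid)
```

Without rotation the planted id is authenticated as alice for both parties; with rotation the victim keeps a working session under the new id while the attacker's id resolves to nothing.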

Page 31: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Quiz: any authenticated users

Which users may access /foo (role "*") and /bar (role "admin")?

    User   Group       Role    /foo ("*")   /bar ("admin")
    Alice  manager     admin
    Bob    staff       staff
    Carol  contractor  (none)

Page 32: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Answer to the Quiz: any authenticated users

§ Role "*" means any defined role: the caller must be in at least one role the application declares

    User   Group       Role    /foo ("*")   /bar ("admin")
    Alice  manager     admin   ok           ok
    Bob    staff       staff   ok           deny
    Carol  contractor  (none)  deny         deny

Page 33: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Any authenticated users

§ Role "**": any authenticated user, whether or not in a declared role
§ For example,
–  @WebServlet("/foo")
   @ServletSecurity(@HttpConstraint(rolesAllowed={"**"}))

Page 34: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

deny-uncovered-http-methods

§ deny-uncovered-http-methods in web.xml: for a url-pattern that appears in a security constraint, HTTP methods not listed by any constraint are denied instead of left open
§ For example,

    <web-app …>
      …
      <deny-uncovered-http-methods/>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>protected</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>manager</role-name>
        </auth-constraint>
      </security-constraint>
    </web-app>
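A small authorization evaluator, added here as a Python example (not code from the presentation or from any servlet container), implementing the semantics the quiz and the last two slides describe: role "*" (any role the application declares), role "**" (any authenticated caller) and deny-uncovered-http-methods. The quiz users and the extra /baz resource with rolesAllowed={"**"} are constructed for the example; verb_tampering runs the web.xml above with the flag off and on, showing why a constraint that lists only GET is a classic HTTP verb tampering bypass.

```python
ANY_DECLARED_ROLE = "*"     # any role the application declares
ANY_AUTHENTICATED = "**"    # any authenticated caller, even one without a declared role


class Constraint:
    """One <security-constraint>: url-patterns, optional http-method list, auth-constraint."""

    def __init__(self, url_patterns, roles_allowed, http_methods=None):
        self.url_patterns = url_patterns
        self.roles_allowed = roles_allowed   # None: no <auth-constraint> (open); []: deny everyone
        self.http_methods = http_methods     # None: every method is covered

    def matches_path(self, path):
        for p in self.url_patterns:
            if p == "/*" or p == path:
                return True
            if p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
                return True
        return False

    def covers_method(self, method):
        return self.http_methods is None or method in self.http_methods


def role_permits(roles_allowed, caller_roles, declared_roles):
    """caller_roles is None for an unauthenticated caller, a (possibly empty) set otherwise."""
    if roles_allowed is None:
        return True
    if caller_roles is None:
        return False
    if ANY_AUTHENTICATED in roles_allowed:
        return True
    if ANY_DECLARED_ROLE in roles_allowed and caller_roles & declared_roles:
        return True
    return bool(caller_roles & set(roles_allowed))


def authorize(app, method, path, caller_roles):
    """Return "ok" or "deny" for one request against the app's constraints."""
    on_path = [c for c in app["constraints"] if c.matches_path(path)]
    if not on_path:
        return "ok"                      # unconstrained resource
    covering = [c for c in on_path if c.covers_method(method)]
    if not covering:
        # The path is constrained but no constraint names this method: an "uncovered"
        # method. Without deny-uncovered-http-methods it is wide open.
        return "deny" if app["deny_uncovered"] else "ok"
    # Simplified combination rule: allowed if any matching constraint permits the caller.
    ok = any(role_permits(c.roles_allowed, caller_roles, app["declared_roles"]) for c in covering)
    return "ok" if ok else "deny"


# The quiz: users and roles from the slide (constructed mapping), plus /baz with "**".
QUIZ_APP = {
    "declared_roles": {"admin", "staff"},
    "deny_uncovered": False,
    "constraints": [
        Constraint(["/foo"], [ANY_DECLARED_ROLE]),
        Constraint(["/bar"], ["admin"]),
        Constraint(["/baz"], [ANY_AUTHENTICATED]),
    ],
}
USERS = {"alice": {"admin"}, "bob": {"staff"}, "carol": set()}   # carol: authenticated, no role


def quiz_table():
    return {(user, path): authorize(QUIZ_APP, "GET", path, roles)
            for user, roles in USERS.items() for path in ("/foo", "/bar", "/baz")}


def verb_tampering(deny_uncovered):
    """The web.xml above: only GET on /* is restricted to manager.
    Returns the (GET, POST) outcomes for an unauthenticated caller."""
    app = {"declared_roles": {"manager"}, "deny_uncovered": deny_uncovered,
           "constraints": [Constraint(["/*"], ["manager"], http_methods={"GET"})]}
    return authorize(app, "GET", "/report", None), authorize(app, "POST", "/report", None)
```

quiz_table reproduces the answer slide (Carol is denied on /foo because she holds no declared role, but allowed on /baz because she is authenticated); verb_tampering returns ("deny", "ok") without the flag and ("deny", "deny") with it.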

Page 35: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Run as

§ Clarification on run-as
–  The run-as identity also applies to Servlet#init and Servlet#destroy, not only to service calls

Page 36: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Security Enhancements

Declaring Permissions

§ Java EE 7 feature, not part of Servlet 3.1
§ Java security manager
§ Declaring the permissions required by application components
§ META-INF/permissions.xml
§ See EE.6.2 of the Java EE 7 spec for details.

Page 37: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Agenda

§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources

Page 38: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletResponse#reset and #setCharacterEncoding (Servlet 3.0)

§ ServletResponse#reset
–  Clears any data that exists in the buffer as well as the status code and headers
§ ServletResponse#setCharacterEncoding
–  Sets the character encoding (MIME charset) of the response being sent to the client, for example, to UTF-8.
–  …

Page 39: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletResponse#reset and #setCharacterEncoding (cont'd): Quiz in Servlet 3.0

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");
            response.getOutputStream().println("Done");
        }
    }

Page 40: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletResponse#reset and #setCharacterEncoding (cont'd 2): Answer to the Quiz in Servlet 3.0

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");       // no effect: getWriter() was already called
            response.getOutputStream().println("Done");  // IllegalStateException: getWriter() was already called
        }
    }

Page 41: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletResponse#reset and #setCharacterEncoding (cont'd 3)

§ Character encoding after ServletResponse#reset
–  Only one of #getOutputStream or #getWriter may be used on a response
–  #setCharacterEncoding has no effect once #getWriter has been called
–  Servlet 3.0
§  #reset clears HTTP headers, status code, data in buffer
–  Servlet 3.1
§  #reset clears
–  HTTP headers, status code, data in buffer
–  the state of having called #getOutputStream or #getWriter

Page 42: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletResponse#reset and #setCharacterEncoding (cont'd 4): Example in Servlet 3.1

    public class TestServlet extends HttpServlet {
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            response.setContentType("text/html");
            response.setCharacterEncoding("ISO-8859-1");
            PrintWriter writer = response.getWriter();
            …
            response.reset();                             // also forgets that getWriter() was called
            response.setContentType("text/plain");
            response.setCharacterEncoding("Big5");        // sets Big5 encoding
            response.getOutputStream().println("Done");   // prints
        }
    }

Page 43: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

Relative Protocol URL

§ HttpServletResponse#sendRedirect accepts
–  a.jsp (relative path, resolved against the current request)
–  /b/a.jsp (absolute path, resolved against the servlet container root)
–  http://anotherhost.com/b/a.jsp (absolute URL)
–  //anotherhost.com/b/a.jsp (Network Path Reference, RFC 3986; Servlet 3.1 specifies that it is sent as a scheme-relative URL rather than resolved against the container root)
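The four Location forms on this slide, classified the way a browser resolves them, as an added Python example (not code from the presentation or from the Servlet API). The point for a practitioner: a network-path reference such as //anotherhost.com/... leaves the site just like an absolute URL does, so a redirect target taken from a request parameter has to be validated before it reaches sendRedirect, and the check must treat a leading "//" (or "/\", which browsers normalise to "//") as off-site. own_hosts and the sample targets are assumptions for the example.

```python
from urllib.parse import urlsplit


def classify_redirect_target(location):
    """Name the RFC 3986 reference form a Location value has, as a browser sees it."""
    parts = urlsplit(location)
    if parts.scheme:
        return "absolute"            # http://anotherhost.com/b/a.jsp, but also javascript:...
    if parts.netloc:
        return "network-path"        # //anotherhost.com/b/a.jsp: keeps the scheme, changes the host
    if parts.path.startswith("/"):
        return "absolute-path"       # /b/a.jsp
    return "relative-path"           # a.jsp


def safe_local_redirect(location, own_hosts):
    """True only if the redirect stays on one of own_hosts over http(s).
    Use this on any target that came from the request before calling sendRedirect."""
    if not location or location != location.strip():
        return False                 # empty, or leading/trailing whitespace: refuse outright
    # Browsers treat backslashes like forward slashes, so "/\evil.example" is "//evil.example".
    normalised = location.replace("\\", "/")
    kind = classify_redirect_target(normalised)
    if kind in ("relative-path", "absolute-path"):
        return True                  # same origin by construction
    parts = urlsplit(normalised)
    if kind == "absolute" and parts.scheme not in ("http", "https"):
        return False                 # javascript:, data:, file: ... never a valid redirect
    return parts.hostname in own_hosts


def classify_slide_examples():
    """The four targets listed on the slide, in order."""
    targets = ("a.jsp", "/b/a.jsp", "http://anotherhost.com/b/a.jsp", "//anotherhost.com/b/a.jsp")
    return [classify_redirect_target(t) for t in targets]
```

classify_slide_examples returns relative-path, absolute-path, absolute and network-path for the slide's four targets; safe_local_redirect accepts the first two and an absolute URL to one of own_hosts, and refuses the network-path reference, its backslash variant and non-http schemes.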

Page 44: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

Multi-part

§ Clarification for HttpServletRequest#getPart, #getParts without multipart configuration
–  throw IllegalStateException
§ Add method javax.servlet.http.Part#getSubmittedFileName()
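Part#getSubmittedFileName() returns the filename the client put into its Content-Disposition header, so it is attacker-controlled input: it can carry directory traversal sequences, a leading dot, control characters or a Windows path. An added Python example (not code from the presentation or the Servlet API) of reducing it to a safe base name before it touches the file system; the sample names and the fallback are constructed for the example.

```python
import re
import unicodedata

FALLBACK_NAME = "upload.bin"   # used when nothing safe is left (assumption for the example)


def safe_filename(submitted, max_len=100):
    """Reduce a client-supplied Content-Disposition filename to a safe base name.
    Drops directories (both separator styles), control characters and leading dots,
    normalises Unicode compatibility forms and restricts the result to [A-Za-z0-9._-]."""
    if not submitted:
        return FALLBACK_NAME
    # Keep only the last path segment; Windows clients send backslashes, and "../" or
    # "..\\" prefixes disappear with the directory part.
    name = re.split(r"[\\/]", submitted)[-1]
    # NFKC folds look-alike and compatibility characters (e.g. the "fi" ligature) to ASCII.
    name = unicodedata.normalize("NFKC", name)
    # Remove NUL and other control or non-printable characters.
    name = "".join(ch for ch in name if ch.isprintable())
    # Anything outside a conservative set becomes an underscore.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    # No hidden files; "." and ".." collapse to the empty string here.
    name = name.lstrip(".")
    if not name:
        return FALLBACK_NAME
    return name[:max_len]
```

Even with a sanitised name, the safer layout is to store the upload under a server-generated name and keep the sanitised submitted name only as metadata for display and download, with an extension allowlist applied where the server serves files back.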

Page 45: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

ServletContainerInitializer

§ Clarification for ServletContainerInitializer
–  invoked independent of metadata-complete
–  one instance per web application

Page 46: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

Generics

§ ServletRequestWrapper#isWrapperFor(Class<?> c)
§ ServletResponseWrapper#isWrapperFor(Class<?> c)
§ HandlesTypes#value returns Class<?>[ ]

Page 47: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Miscellaneous

Others

§ Add method ServletContext#getVirtualServerName()
§ Add method ServletRequest#getContentLengthLong()
§ Add method ServletResponse#setContentLengthLong(long len)

Page 48: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Agenda

§ Servlet 3.1 Overview
§ Non-blocking IO
§ Protocol Upgrade
§ Security Enhancements
§ Miscellaneous
§ Resources

Page 49: JavaOne San Francisco 2013 - Servlet 3.1 (JSR 340)

Resources

§ Spec and Javadoc
–  http://jcp.org/en/jsr/detail?id=340
–  http://servlet-spec.java.net
§ GlassFish 4.0
–  http://glassfish.java.net
–  [email protected]
§ Blog
–  http://www.java.net/blog/swchan2
