The Source for Java Technology Collaboration
User: Password:
Register | Login help    



Syndicate this blog (XML)

Rajiv Mordani's Blog

April 2008 Archives


Servlet 3.0 (JSR 315) update

Posted by mode on April 30, 2008 at 04:50 PM | Permalink | Comments (12)

Update: The early draft of the specification is now available at the JCP site. Click here to get to the draft. It's been a while since I put a post on the blog so I thought I would take this opportunity to give an update on the servlet 3.0 specification. The expert group has been working through to enhance the APIs in the servlet specification. This blog is to give an update to the developers about the features that are proposed for the upcoming early draft of the specification. The main areas covered so far by the expert group are
  • Pluggability and extensibility
  • Ease of development
  • Async support
  • Security enhancements
  • Some enhancements to the existing APIs.

Pluggability and extensibility

In keeping with one of the main theme for Java EE 6, the goal of this requirement is provide more extension points in the servlet container to allow developers to easily use frameworks / libraries by "just dropping" a jar file in the application classpath and not require any additional configuration in the application. Today, in a servlet container the application has one monolithic web.xml that defines all the deployment artifacts for the application, including the dependencies of the application on the framework components. In it's current state, a developer must go through the documentation of each framework that it depends on and declare the appropriate servlets, filters, Listeners, etc. To overcome this issue in servlet 3.0 we are adding a new feature that allows having more than one web.xml, or as it is being referred in the specification as web fragments. A framework can define it's own web.xml that declares the necessary components for the framework that is then included for use in the web applicaton. It is the job of the container to assemble all the fragments at deployment / runtime of the application.

Along with the changes mentioned above there are few new APIs to also allow programmatic addition of Servlets and Filters at start up time of an application. API changes for configuration addition:
ServletContext: addServlet, addServletMapping, addFilter, addFilterMapping

Ease of Development

In servlet 3.0 one of the areas of focus is ease of development. The servlet 3.0 API is making use of annotations to enable a declarative style of programming for components of a web application. For example - to define a servlet you would use the following piece of code - 
package samples;
import javax.servlet.http.annotation.*;

@Servlet(urlMappings={"/foo"})
public class SimpleSample {

}
The use of annotations makes web.xml optional and a developer does not really need to use it unless they want to change some configuration without changing code - for example at deployment time. Also, as with all the other parts of the Java EE platform, the descriptor always overrides the metadata provided via use of annotations.

Async support

The initial proposal for Async servlet support came from Greg Wilkins from Webtide and has been discussed and refined in the expert group. Support for async servlets allows you to suspend and resume request processing and enable and disable the response depending on the need of the application. A good use case of this servlet is in writing comet style applications. API changes for async support:
ServletRequest: suspend, resume, complete, isSuspended, isResumed, isTimeout, isInitial
ServletResponse: disable, enable, isDisabled
ServletRequestListener: requestSuspended, requestResumed, requestCompleted

Security enhancements

While this is not in the early draft of the specification as it needs some more discussion in the expert group, I thought I would give a sneak preview of what might be in the next draft of the specification. Ron Monzillo from Sun who is a security expert and has done work on many of the security related JSRs proposed the addition of methods to HttpServletRequest and HttpSession to support programmatic login and logout. API changes for login / logout support:
HttpServletRequest: login, logout
HttpSession:logout

Enhancements to existing APIs

A few areas of the current API have been enhanced that will help in developer productivity. Listed below are some of them -
  • Ability to get a ServletContext and a Response object from the Request object. To get a Context (to maybe get context information or to get a RequestDispatcher for example) today you need to create a HttpSession object just to get a reference to a Context object. With the addition of the new APIs you can now get the Context and the associated Response from the ServletRequest. API changes for getting a Context and Response:
    ServletRequest: getServletContext, getServletResponse
  • Mark a cookie as an HttpOnly cookie. By setting a cookie to be an HttpOnly cookie you prevent client side scripting code from getting access to the cookie. Most modern browsers support this feature and it helps mitigate some kinds of cross-site scripting attacks. API changes to support HttpOnlyCookie:
    Cookie: setHttpOnly, isHttpOnly

Note: For details about all the API changes look at the javadocs (once the spec is available from the jcp website). The exact method signatures aren't duplicated here. Instead just the names are here to give an idea of the kind of changes.


This work is licensed under a Creative Commons License.
Creative Commons License

Powered by
Movable Type 3.01D
 Feed java.net RSS Feeds
Feedback  | FAQ  | Press | Terms of Use
Privacy  |  Trademarks | Site Map
 
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Participation.
 
Copyright © 1995-2008 Sun Microsystems, Inc.
Oreilly LogoCollabnet Logo
Powered by Sun Microsystems, Inc.,
O'Reilly and CollabNet