Servlet 3.1 in Proposed Final Draft

Posted by swchan2 on March 18, 2013 at 8:54 AM PDT

Servlet 3.1 was in Public Review in January 2013 and is now in Proposed Final Draft. Most of the new features are related to security.
In the following, I will highlight features added since the Servlet 3.1 Public Review:

  • add new API javax.servlet.http.Part#getSubmittedFileName
  • add new API javax.servlet.ServletContext#getVirtualServerName
    This API allows a JASPIC module to be registered in a Servlet container in a portable way.
  • default deny semantic
    Prior to Servlet 3.1, if a security constraint for a set of URL patterns does not cover a given HTTP method, that method is left unprotected for those URL patterns. This may not be the desired behavior. A new element, deny-uncovered-http-methods, is added to web.xml so that the behavior of those uncovered HTTP methods for the given URL patterns can be configured easily.
  • authenticated role, **
    If the role name ** is not explicitly defined in web.xml, it is used to denote the role name of all authenticated users. The role name ** can be used in defining a security-constraint in web.xml and as the argument of HttpServletRequest#isUserInRole.
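The uncovered-method gap and the new element can be checked mechanically. The following is an added example, not code from the original post or from the Servlet specification: a small audit that reports, per url-pattern, the HTTP methods no security-constraint covers. Both web.xml samples (the /account/* resource, the `**` role constraint) are constructed, and the check assumes a fixed list of standard methods and compares url-pattern strings literally rather than doing container-style best-match resolution.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}
# Assumption: only these standard methods are audited (extension methods ignored).
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Constructed sample: only GET and POST are named, so every other method
# reaches /account/* without any constraint applied.
WEAK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>**</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Same descriptor with the Servlet 3.1 default-deny element added.
HARDENED = WEAK.replace("<security-constraint>",
                        "<deny-uncovered-http-methods/>\n  <security-constraint>", 1)

def uncovered_methods(web_xml):
    """Map each url-pattern to the sorted list of methods no constraint covers."""
    root = ET.fromstring(web_xml)
    if root.find("j:deny-uncovered-http-methods", NS) is not None:
        return {}  # the container denies every uncovered method
    covered = {}
    for coll in root.iterfind("j:security-constraint/j:web-resource-collection", NS):
        named = {m.text.strip() for m in coll.iterfind("j:http-method", NS)}
        omitted = {m.text.strip() for m in coll.iterfind("j:http-method-omission", NS)}
        # No method elements: everything is covered; omissions: all but those listed.
        cov = named if named else METHODS - omitted
        for pat in coll.iterfind("j:url-pattern", NS):
            covered.setdefault(pat.text.strip(), set()).update(cov)
    return {p: sorted(METHODS - c) for p, c in covered.items() if METHODS - c}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, uncovered_methods(doc))
```
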

More details on security can be found in Chapter 13 of the Servlet 3.1 Proposed Final Draft. There are other clarifications, too. The spec and javadoc for Servlet 3.1 can be downloaded from