
swchan2's Blog

deny-uncovered-http-methods in Servlet 3.1

Posted by swchan2 on April 19, 2013 at 10:54 AM PDT

The Servlet 3.1 Specification (JSR 340) is almost ready for release. Several new security features have been added in this version of the Servlet specification.

In this blog, I will explain one of the security features, namely deny-uncovered-http-methods.

Non-blocking IO in Servlet 3.1 By Example

Posted by swchan2 on April 16, 2013 at 3:51 PM PDT

Update: One should not use response in AsyncListener#onComplete. Only print debug in this example.

Servlet 3.1 (JSR 340) is almost ready for release. One of the new features is support for non-blocking IO. ReadListener and WriteListener are introduced to allow non-blocking processing in Servlet.

Servlet 3.1 in Proposed Final Draft

Posted by swchan2 on March 18, 2013 at 8:54 AM PDT

Servlet 3.1 was in Public Review in January 2013, and it is in Proposed Final Draft now. Most of the new features are related to security.
In the following, I will highlight features since Servlet 3.1 Public Review:

  • add new API javax.servlet.http.Part#getSubmittedFileName

Servlet 3.1 in Public Review

Posted by swchan2 on January 11, 2013 at 5:58 PM PST

Servlet 3.1 is in Public Review now.
New features in Servlet 3.1 and changes since the EDR are listed below:

  • support Non Blocking IO

startAsync in Servlet 3.0

Posted by swchan2 on September 8, 2011 at 5:15 PM PDT

Prior to Servlet 3.0, a servlet might need to wait for a long operation to complete, which can cause thread starvation in the web container. In Servlet 3.0, asynchronous processing is introduced to handle this situation.

Cross-site request forgery prevention filter in GlassFish 3.1.1

Posted by swchan2 on May 31, 2011 at 3:06 PM PDT

Cross-site request forgery (CSRF) is an attack that exploits the trust a site places in a user's browser.
As an example, a user may be tricked into invoking a URL that performs a bank transaction,
either by clicking on the URL or by accessing the URL through <img>.

Turning off default error page in GlassFish 3.x

Posted by swchan2 on April 18, 2011 at 5:23 PM PDT

In GlassFish, when no error page is specified for a given web application, a default error page will be displayed. In some use cases, it is desirable to turn off the default error page.
In this blog, we will summarize different ways to achieve this.

In a Virtual Server

keepstate, keepSessions, keep-state, save-sessions-enabled in GlassFish 3.1

Posted by swchan2 on March 9, 2011 at 6:34 AM PST

GlassFish supports preserving HTTP session data across the redeployment of a web application.

Prior to GlassFish 3.1, one can achieve this through the command line as follows:
  asadmin redeploy --properties keepSessions=true --name ${APP_NAME} ${A_WAR}

High Availability Single Sign On in GlassFish 3.1

Posted by swchan2 on March 1, 2011 at 4:36 PM PST

Single Sign On allows web applications to share the same authentication state.

GlassFish v2 supports virtual server level Single Sign On (SSO). Web applications with the same authentication realm in a given virtual server can share the authentication state in GlassFish v2.