Servlet 3.1 in Public Review

Posted by swchan2 on January 11, 2013 at 5:58 PM PST

Servlet 3.1 is in Public Review now.
New features in Servlet 3.1 and changes since the EDR are listed below:

  • support Non Blocking IO
    ReadListener and WriteListener are added to handle non-blocking IO, and the corresponding setters are added to ServletInputStream and ServletOutputStream respectively. Furthermore, ServletInputStream#isFinished, #isReady and ServletOutputStream#isReady are added.
    Changes since EDR:
    • Rename ServletOutputStream#canWrite to ServletOutputStream#isReady.
    • Remove the requirement to read/write data as much as possible before Read/WriteListener is invoked.
    • Non Blocking I/O will only work in Async or Upgrade scenarios. This will simplify the understanding and usage of the API.
  • support upgrading HTTP protocol
    This allows the integration of a web socket provider with a servlet container provider.
    Changes since EDR:
    • Rename ProtocolHandler to HttpUpgradeHandler.
    • Add the following method to HttpUpgradeHandler
      public void destroy();

      This allows the handler to clean up resources during destroy.

    • the upgrade API will take a class rather than an instance. This allows the container to do CDI if necessary.
      In HttpServletRequest, in EDR, we have
      public void upgrade(ProtocolHandler handler) throws IOException;

      In Public Review, we have

      public <T extends HttpUpgradeHandler> T  upgrade(Class<T> handlerClass) throws IOException;
  • run-as clarification
    run-as will also apply to Servlet#init and #destroy now.
  • Add new API to change session id
    Session fixation is a security vulnerability in web applications. One way to address it is to change the session id during authentication. Container providers have achieved this by using proprietary APIs. A new method is added to HttpServletRequest as follows:
    public String changeSessionId();

    And a new HttpSessionIdListener is added for the corresponding event. This allows JASPIC (JSR 196) auth modules to be written in a portable way.

  • Clarification on reset character encoding (more details in presentation)

There are also other bug fixes and clarifications. If you want to learn more about Servlet 3.1, you can download the spec and javadoc from jcp.org.
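
How an application could use the new changeSessionId method and HttpSessionIdListener at login to counter session fixation, as an added example that is not part of the original post or the specification. The `/login` and `/home` paths, the `username`/`password` parameter names and the `authenticatedUser` attribute are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical login endpoint; URL patterns and attribute names are assumptions.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Container-managed authentication (available since Servlet 3.0).
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // A session id issued before login may be known to someone else.
        // changeSessionId() throws IllegalStateException when the request has
        // no session, so rotate only an existing one and otherwise create one.
        HttpSession session = req.getSession(false);
        if (session == null) {
            session = req.getSession(true);
        } else {
            req.changeSessionId(); // same session object and attributes, new id
        }
        session.setAttribute("authenticatedUser", req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/home");
    }

    // Nested only to keep the example in one file.
    @WebListener
    public static class SessionIdAuditListener implements HttpSessionIdListener {
        @Override
        public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
            // Log that a rotation happened, not the ids: they are credentials.
            event.getSession().getServletContext().log("session id rotated");
        }
    }
}
```

Because attributes set before login survive the rotation, anything written to the session by an unauthenticated request should still be treated as untrusted afterwards.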