29 July 2012

What’s new in Servlet 3

Servlets 3 (JSR 315) highlights:

  • Instead of configuring the web application in the web.xml deployment descriptor, you now have more options:
    • modular deployment descriptor
      Jars containing a web-fragment.xml file can be bundled with your webapp. These files are merged with the main web.xml file of your webapp, which makes it easy to plug in web application modules. If you plug in a framework jar, you no longer have to modify the web.xml of your application (e.g. to send all *.do files to a framework servlet).
    • annotations
      @WebServlet("/jeeves")
      public class ZServlet extends HttpServlet {
        // ...
      }
      • Extends HttpServlet, no POJO (yes!)
    • programmatic configuration
    • Asynchronous servlets
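      import javax.servlet.AsyncContext;
      import javax.servlet.annotation.WebServlet;
      import javax.servlet.http.*;

      @WebServlet(urlPatterns = "/jeeves", asyncSupported = true)
      public class ZServlet extends HttpServlet {

        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse res) {
          // keep the AsyncContext per request: one servlet instance serves all
          // requests, so an instance field would be overwritten concurrently
          final AsyncContext ctx = req.startAsync();
          // kick off a thread for async work
          ctx.start(new L8r(ctx));
          // method returns immediately, no response sent
        } // end doGet method

        static class L8r implements Runnable {
          private final AsyncContext ctx;

          L8r(AsyncContext ctx) {
            this.ctx = ctx;
          }

          public void run() {
            // do work
            // ...
            // response ready
            ctx.complete();
            // alternative: ctx.dispatch("responseViewer.jsp");
          } // end run method
        } // end L8r class
      } // end ZServlet class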

      The asynchronous servlet's doGet() method does not wait for the L8r thread to complete. The response is not committed when doGet() returns, however: the request and response objects are cached in the AsyncContext, and the L8r thread can then use them to reply to the waiting client.
    • Security
      • ProgrammaticLogin class
      • Java EE5 authorisation annotations
        • @RolesAllowed
        • @PermitAll
        • @DenyAll
      • @transportprotected: use SSL
      • Session security
        <session-config>
          <cookie-config>
            <!-- do not expose cookie to javascript -->
            <http-only>true</http-only>
            <!-- only transmit cookie over encrypted connection -->
            <secure>true</secure>
          </cookie-config>
          <!-- do not expose session id by using URL rewriting -->
          <tracking-mode>COOKIE</tracking-mode>
        </session-config>
        
    • EL 2.2
      Method calls are now possible from EL, e.g.:
        #{portfolio.add('ORCL',100)}

    • File upload (aka multipart support)