Monday Nov 11, 2013

HTTP Session Invalidation in Servlet/GlassFish

HTTP session invalidation is something most of us take for granted and don't think much about. However, for security- and performance-sensitive applications, it is helpful to have at least a basic understanding of how it works in Servlets.

In a brief, code-centric blog post, Servlet specification lead Shing Wai Chan introduces the APIs for session invalidation and explains how you can fine-tune the underlying reaper thread for session invalidation when it is needed in GlassFish 4. Don't hesitate to post a question here if the blog is not clear; this is a relatively esoteric topic...

Tuesday Jun 25, 2013

deny-uncovered-http-methods in Servlet 3.1

Servlet 3.1 is a relatively minor release included in Java EE 7. However, the Java EE foundational API still contains some very important changes. One such set of features is the security enhancements in Servlet 3.1, such as the new deny-uncovered-http-methods option.

Servlet 3.1 co-spec lead Shing Wai Chan outlines the use case for the feature and shows you how to use it in a recent code example driven post. You can also check out the official specification yourself or try things out with the newly released Java EE 7 SDK.

Thursday May 30, 2013

Non-Blocking I/O in Servlet 3.1

Servlet 3.1 is a relatively minor release slated for Java EE 7. However, the Java EE foundational API still contains some very important changes, especially for folks building on the Servlet API. One such feature is the newly added support for non-blocking I/O to empower low-latency, high throughput applications, protocols and web frameworks.

Servlet 3.1 co-spec lead Shing Wai Chan shows you how in a recent code example driven post. Incidentally, Servlet 3.1 recently had its final release. You can now check out the official specification yourself. You can also try the API out with a GlassFish promoted build.

Thursday May 09, 2013

HTTP Upgrades in Servlet 3.1

Servlet 3.1 is a relatively minor release slated for Java EE 7. However, the Java EE foundational API still contains some very important changes, especially for folks building on the Servlet API. The newly added support for HTTP protocol upgrades is a great example. The upgrade facility has been there since HTTP 1.1, but just hasn't been used that widely. It facilitates building richer protocols on top of HTTP. Under the hood, this is exactly the mechanism that HTML 5 WebSockets use (as you know, we now have excellent support for WebSockets in Java EE via JSR 356). You can most certainly use HTTP protocol upgrades in similarly powerful and innovative ways yourself.

Servlet 3.1 co-spec lead Shing Wai Chan shows you how in his recent code example driven post. Incidentally, Servlet 3.1 recently passed its final approval ballot. You could check out the proposed final draft yourself.

Tuesday Jan 15, 2013

Servlet 3.1 in Public Review

Servlet 3.1 is now in public review. Although it is a relatively minor release for the mature Servlet API, this release has a number of important changes, particularly for enabling higher-level frameworks. The Public Review Draft for Servlet 3.1 will end on February 11th so now is the time to download the spec and send in any comments that you might have.

Servlet spec lead Shing Wai Chan is kind enough to summarize the changes and invites you to learn more. The page also contains a download link to the draft spec as well as a link to Shing Wai Chan's JavaOne presentation on Servlet 3.1.

Stay tuned for more JSRs making progress as the steady march towards the Java EE 7 release keeps rolling forward!

Tuesday Mar 01, 2011

More Java EE 7 content: Servlet, EL, JMS and JSF updates

Following up on yesterday's post on JSR 342 (Java EE 7), there are actually four other JSRs that have been filed:
• JSR 340: Java Servlet 3.1 Specification
• JSR 341: Expression Language 3.0
• JSR 343: Java™ Message Service 2.0
• JSR 344: JavaServer™ Faces 2.2

Servlet 3.1 should make asynchronous applications easier to build (extending the work done for 3.0), support and utilize Java EE concurrency APIs, support WebSockets, offer multi-tenant isolation support and more. The co-spec leads are Shing Wai Chan and Rajiv Mordani.

Expression Language (EL) 3.0, which used to be defined as part of the JSP expert group, now has a dedicated JSR due to its relationship with other parts of the platform such as CDI and JSF. The goal there is to consider support for projection and collection, date types (with appropriate comparison operators) and maybe equality, string concatenation, and sizeof operators. Kin-man Chung is the specification lead.

JMS 2.0 should bring to this API some long awaited EoD (Ease of Development) love, clarification of the relationship between the JMS and other Java EE specifications and a new mandatory API for the integration of any JMS provider in Java EE application servers. Nigel Deakin is the spec lead for this one.

JavaServer Faces (JSF) 2.2 will continue to focus on ease of development, better portlet integration but also consider new features (HTML 5 and others), and of course work on fixes. The plan is to finish before the end of this calendar year (2011). Check out Ed Burns' recent post on this.

All JSRs are now up for voting and slated for inclusion in Java EE 7, thus hopefully joining JPA 2.1 and JAX-RS 2.0 in the list of "work in progress" JSRs. Speaking of JAX-RS, Marek, the new co-spec lead, has a quick update.

Sunday Apr 04, 2010

Leveraging Servlet 3.0 - Authentication without Forms using GlassFish v3 and Vaadin

The new Servlet 3.0 specification in JavaEE 6 (JSR website, JavaOne Session, VC podcast) packs many new features, including Annotations, Dynamic Registration, Pluggability and Asynchronous Support.

Servlet 3.0 also includes quite a number of security improvements, as described by Kumar a couple of months ago in a Summary of new Security Features in Servlet 3.0. As Ron explains, one of the themes is that Java EE 6 and Servlet 3.0 Converge on Container Security Functionality, another is extra functionality, as explained by Nithya's 3 recent posts ([1], [2], [3]) covering http-method-omission element in web.xml, and the authenticate and login methods of HttpServletRequest.

A great example of the new functionality is Bobby's Authentication Without the Form where he modifies the RIA app in Creating Secure Vaadin Applications using JavaEE 6 to use the new login machinery and thus remove the need for extraneous JSP files.

Bobby's very complete post includes full source code and a nice Screencast; note it requires a recent build of GlassFish 3.0.1 due to a bug in 3fcs.

You may also want to refer to the JavaEE 6 javadocs (e.g. HttpServletRequest) and to the JavaEE 6 Tutorial: Part I (e.g. see Web Application Security) and Part II (requires free registration).

I had not noticed Vaadin previously but it seems to be gaining some popularity; its programming model is strongly server-centric and generates client-code via GWT. You can see an Online Sampler and it recently deployed a Component Directory; its KB has a number of articles on how to use it with GlassFish Server. They also announced deals recently with BlackBelt Factory and with our old Liferay friends.

While chasing the sources for this spotlight I bumped into a number of other Java-based RIA frameworks including: Echo and ZK as well as frameworks like Flex/BlazeDS, GWT, and the JSF-based frameworks we know.

Wednesday Mar 24, 2010

Initial GlassFish v3 Performance

GlassFish v2 has excellent performance and GF v3 has a lot of new code, so it would not be surprising if there was some initial performance degradation, to be "fixed" in a later release. Turns out that this is not the case: Scott (Mr. Performance) reports that the performance of v3 is actually higher, and scales better, than v2. One of the benefits of cleaner code!

Check out Scott's Initial Report on GlassFish v3 Performance

Monday Jun 08, 2009

NetBeans 6.7 RC2 Now Available - And Writing Servlet 3.0 and EJB 3.1 Applications

The second release candidate for NetBeans 6.7 is now available - check RC2 Download Page and James' Writeup. The next RC should be the final.

Note that NB 6.7 still includes the old "GFv3 Prelude" release and you need to manually install GFv3 Preview (the J1 release). For example, check Arun's writeup, which has a detailed explanation on how to use NB 6.7 to write Servlet 3.0 and EJB 3.1 Applications.

Friday May 08, 2009

Servlet 3.0 PFD Now Available - And Information on web-fragment.xml

The Proposed Final Draft for Servlet 3.0 is now available from the official JSR 315 page. This is the version that will be implemented (\*) in GlassFish v3 EA (aka the JavaOne release).

And, on the same topic, Shing Wai has a note explaining how web-fragment.xml works. This new feature is intended to provide pluggability of library jars.

(\*) modulo bugs and (according to Rajiv) file upload.

Thursday May 07, 2009

New Security Annotations in Servlet 3.0

The new (not yet published) Servlet 3.0 PFD also includes an expanded set of Security Annotations, to expand the existing annotations like @DeclareRoles and @RunAs with @DenyAll, @PermitAll, @RolesAllowed and @TransportProtected.

Check Shing Wai's writeup for details.

I'll post when the actual Servlet 3.0 PFD document is available.

Tuesday Apr 28, 2009

Here Comes ... Servlet 3.0 PFD

The Servlet 3.0 Expert Group has delivered its Proposed Final Draft to the JCP and it should be available later this week. In the meantime Rajiv has provided a brief update on the Latest Set of Changes.

And, if you are attending JavaOne, check out TS-3790 presented by Jan, Greg and Rajiv; also see the Full Catalog... and don't forget the Unconference and Party.

Tuesday Jan 13, 2009

Public Review Drafts of JSF 2.0, Servlet 3.0 and JCA 1.6 Approved by the JCP

A quick update: the JCP SE/EE EC has approved all the Java EE 6 specs in the first batch of votes mentioned in our Jan 6th Report:

Vote results for JSF 2.0 (Ed Burns & Roger Kitain, JSR 314, @TA )
Vote results for Servlet 3.0 (Rajiv Mordani, JSR 315, @TA )
Vote results for JCA 1.6 (Binod PG & Sivakumar Thyagarajan, JSR 322, @TA )

EJB 3.1 (results) and JPA 2.0 (results) were approved previously; Bean Validation and WebBeans will go to vote on Feb 3rd.

Monday Jan 05, 2009

Java EE 6 - JCP Update...

During the break, I noticed that the Bean Validation spec had gone into Public Review Draft. That spec is the last of the batch being considered for JavaEE 6. Below is a full list based on a pass through JCP (will adjust if I missed any); all of them are either in PRD or past it; the only exception is Java EE 6 itself (JSR 316) which, by definition, lags them all.

• WebBeans (Gavin King, JSR 299, @TA )
• Bean Validation (Emmanuel Bernard, JSR 303, @TA )
• JSF 2.0 (Ed Burns & Roger Kitain, JSR 314, @TA )
• Servlet 3.0 (Rajiv Mordani, JSR 315, @TA )
• JPA 2.0 (Linda DeMichiel, JSR 317, @TA )
• EJB 3.1 (Ken Saks, JSR 318, @TA )
• JCA 1.6 (Binod PG & Sivakumar Thyagarajan, JSR 322, @TA )

Some of these specs have already been voted on: EJB 3.1 (results) and JPA 2.0 (results); for some others the vote starts on Jan 6th: JCA 1.6, Servlet 3.0, JSF 2.0, and a last batch starts on Feb 3rd: Bean Validation, WebBeans.