20.1 Changes in the Servlet API 2.3

Java Servlet Programming, 2nd Edition > 20. What's New in the Servlet 2.3 API > 20.1 Changes in the Servlet API 2.3

20.1 Changes in the Servlet API 2.3

Servlet API 2.3 actually leaves the core of servlets relatively untouched, which indicates that servlets have reached a high level of maturity. Most of the action has involved adding new features outside the core. Among the changes:

• Servlets now require JDK 1.2 or later.

• A filter mechanism has (finally) been created.

• Application lifecycle events have been added.

• New internationalization support has been added.

• The technique to express inter-JAR dependencies has been formalized.

• Rules for class loading have been clarified.

• New error and security attributes have been added.

• The HttpUtils class has been deprecated.

• Various new helpful methods have been added.

• Several DTD behaviors have been expanded and clarified.

Other clarifications have been made, but they mostly concern server vendors, not general servlet programmers (except for the fact that programmers will see improved portability), so I'll omit those details.

Before I begin my examination, let me point out that Version 2.3 has been released as a draft specification only. Most of the features discussed here won't yet work with all servers. If you want to test those features, I recommend downloading the official reference implementation server, Apache Tomcat 4.0. It's open source, and you can download the server for free. Tomcat 4.0 is currently in beta release; its support for API 2.3 is getting better, but is still incomplete. Read the NEW_SPECS.txt file that comes with Tomcat 4.0 to learn its level of support for all new specification features.

20.1.1 Servlets in J2SE and J2EE

One of the first things you should note about Servlet API 2.3 is that servlets now depend on the Java 2 Platform, Standard Edition 1.2 (also known as J2SE 1.2 or JDK 1.2). This small, but important, change means you can now use J2SE 1.2 features in your servlets and be guaranteed that the servlets will work across all servlet containers. Previously, you could use J2SE 1.2 features, but servers were not required to support them.

The Servlet API 2.3 is slated to become a core part of Java 2 Platform, Enterprise Edition 1.3 ( J2EE 1.3). The previous version, Servlet API 2.2, was part of J2EE 1.2. The only noticeable difference is the addition of a few relatively obscure J2EE-related deployment descriptor tags in the web.xml DTD: <resource-env-ref> to support "administered objects," such as those required by the Java Messaging System ( JMS), <res-ref-sharing-scope> to allow either shared or exclusive access to a resource reference, and <run-as> to specify the security identity of a caller to an EJB. Most servlet authors need not concern themselves with those J2EE tags; you can get a full description from the J2EE 1.3 specification.

20.1.2 Filters

The most significant part of API 2.3 is the addition of filters. Filters are objects that can transform a request or modify a response. Note that they are not servlets; they do not actually create a response. They are preprocessors of the request before it reaches a servlet, and/or postprocessors of the response leaving a servlet. In a sense, filters are a mature version of the old "servlet chaining" concept. A filter can:

• Intercept a servlet's invocation before the servlet is called.

• Examine a request before a servlet is called.

• Modify the request headers and request data by providing a customized version of the request object that wraps the real request.

• Modify the response headers and response data by providing a customized version of the response object that wraps the real response.

• Intercept a servlet's invocation after the servlet is called.

You can configure a filter to act on a servlet or group of servlets; that servlet or group can be filtered by zero or more filters. Some practical filter ideas include authentication filters, logging and auditing filters, image conversion filters, data compression filters, encryption filters, tokenizing filters, filters that trigger resource access events, XSLT filters that transform XML content, or MIME-type chain filters (just like servlet chaining).

A filter implements javax.servlet.Filter and defines its three methods:

void setFilterConfig(FilterConfig config)

This method sets the filter's configuration object.

FilterConfig getFilterConfig()

This method returns the filter's configuration object.

void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)

This method performs the actual filtering work

The server calls setFilterConfig( ) once to prepare the filter for service, then calls doFilter( ) any number of times for various requests. The FilterConfig interface has methods to retrieve the filter's name, its init parameters, and the active servlet context. The server can also pass null to setFilterConfig( ) to indicate that the filter is being taken out of service.

It's anticipated that in the Final Release of 2.3 the getFilterConfig( ) method will be removed and the setFilterConfig(FilterConfig config) method will be replaced by init(FilterConfig) and destroy( ).

Each filter receives the current request and response in its doFilter( ) method, as well as a FilterChain containing the filters that still must be processed. In the doFilter( ) method, a filter may do what it wants with the request and response. (For example, it could gather data by calling their methods, or wrap the objects to give them new behavior, as discussed next.) The filter then calls chain.doFilter( ) to transfer control to the next filter. When that call returns, a filter can, at the end of its own doFilter( ) method, perform additional work on the response; for instance, it can log information about the response. If the filter wants to halt the request processing and gain full control of the response, it can intentionally not call the next filter.

A filter may wrap the request and/or response objects to provide custom behavior, changing certain method call implementation to influence later request handling actions. The Servlet API 2.3 provides new HttpServletRequestWrapper and HttpServletResponseWrapper classes to help with this. They provide default implementations of all request and response methods, and delegate the calls to the original request or response by default. Changing one method's behavior just requires extending the wrapper and reimplementing one method. Wrappers give filters great control over the request-handling and response-generating process. The code for a simple logging filter that records the duration of all requests is shown here:

public class LogFilter implements Filter {   FilterConfig config;   public void setFilterConfig(FilterConfig config) {     this.config = config;   }   public FilterConfig getFilterConfig(  ) {     return config;   }   public void doFilter(ServletRequest req,                        ServletResponse res,                        FilterChain chain) {     ServletContext context = getFilterConfig().getServletContext(  );     long bef = System.currentTimeMillis(  );     chain.doFilter(req, res); // no chain parameter needed here     long aft = System.currentTimeMillis(  );     context.log("Request to " + req.getRequestURI(  ) + ": " +                                                      (aft-bef));   } }

When the server calls setFilterConfig( ), the filter saves a reference to the filter configuration in its config variable, which is later used in the doFilter( ) method to retrieve the ServletContext. The logic in doFilter( ) is simple: time how long request handling takes and log the time once processing has been completed. To use this filter, you must declare it in the web.xml deployment descriptor using the <filter> tag, as shown here:

<filter>   <filter-name>     log   </filter-name>   <filter-class>     LogFilter   </filter-class> </filter>

This tells the server a filter named log is implemented in the LogFilter class. You can apply a registered filter to certain URL patterns or servlet names using the <filter-mapping> tag:

<filter-mapping>   <filter-name>log</filter-name>   <url-pattern>/*</url-pattern> </filter-mapping>

This configures the filter to operate on all requests to the server (static or dynamic), just what we want for our logging filter. If you connect to a simple page, the log output might look like this:

Request to /index.jsp: 10

20.1.3 Lifecycle Events

Servlet API 2.3's second most significant change is the addition of application lifecycle events, which let "listener" objects be notified when servlet contexts and sessions are initialized and destroyed, as well as when attributes are added or removed from a context or session.

Servlet lifecycle events work like Swing events. Any listener interested in observing the ServletContext lifecycle can implement the ServletContextListener interface. The interface has two methods:

void contextInitialized(ServletContextEvent e)

Called when a web application is first ready to process requests (i.e., on web server startup and when a context is added or reloaded). Requests will not be handled until this method returns.

void contextDestroyed(ServletContextEvent e)

Called when a web application is about to be shut down (i.e., on web server shutdown or when a context is removed or reloaded). Request handling will be stopped before this method is called.

The ServletContextEvent class passed to both methods consists only of a getServletContext( ) method that returns the context being initialized or destroyed.

A listener interested in observing the ServletContext attribute lifecycle can implement the ServletContextAttributesListener interface, which has three methods:

void attributeAdded(ServletContextAttributeEvent e)

Called when an attribute is added to a servlet context.

void attributeRemoved(ServletContextAttributeEvent e)

Called when an attribute is removed from a servlet context.

void attributeReplaced(ServletContextAttributeEvent e)

Called when an attribute is replaced by another attribute in a servlet context.

The ServletContextAttributeEvent class extends ServletContextEvent, and adds getName( ) and getValue( ) methods so the listener can learn about the attribute being changed. That is useful because web applications that need to synchronize application state (context attributes) with something like a database can now do it in one place.

The session listener model is similar to the context listener model. In the session model, there's an HttpSessionListener interface with two methods:

void sessionCreated(HttpSessionEvent e)

Called when a session is created.

void sessionDestroyed(HttpSessionEvent e)

Called when a session is destroyed (invalidated).

The methods accept an HttpSessionEvent instance with a getSession( ) accessor to return the session being created or destroyed. You can use all these methods when implementing an administrator interface that keeps track of all active users in a web application.

The session model also has an HttpSessionAttributesListener interface with three methods. Those methods tell the listener when attributes change, and could be used, for example, by an application that synchronizes profile data held in sessions into a database:

void attributeAdded(HttpSessionBindingEvent e)

Called when an attribute is added to a session.

void attributeRemoved(HttpSessionBindingEvent e)

Called when an attribute is removed from a session.

void attributeReplaced(HttpSessionBindingEvent e)

Called when an attribute replaces another attribute in a session.

As you might expect, the HttpSessionBindingEvent class extends HttpSessionEvent and adds getName( ) and getValue( ) methods. The only somewhat abnormal thing is that the event class is named HttpSessionBindingEvent, not HttpSessionAttributeEvent. That's for legacy reasons; the API already had an HttpSessionBindingEvent class, so it was reused. This confusing aspect of the API may be ironed out before final release.

A possible practical use of lifecycle events is a shared database connection managed by a context listener. You declare the listener in the web.xml file as follows:

  <listener>   <listener-class>     com.acme.MyConnectionManager   </listener-class>  </listener>

The server creates an instance of the listener class to receive events and uses introspection to determine what listener interface (or interfaces) the class implements. Bear in mind that because the listener is configured in the deployment descriptor, you can add new listeners without any code change. You could write the listener itself as something like this:

public class MyConnectionManager implements ServletContextListener {   public void contextInitialized(ServletContextEvent e) {     Connection con =     // create connection       e.getServletContext(  ).setAttribute("con", con);   }   public void contextDestroyed(ServletContextEvent e) {     Connection con =        (Connection) e.getServletContext(  ).getAttribute("con");     try { con.close(  ); }     catch (SQLException ignored) { } // close connection   } }

This listener ensures that a database connection is available in every new servlet context, and that all connections are closed when the context shuts down.

The HttpSessionActivationListener interface, another new listener interface in API 2.3, is designed to handle sessions that migrate from one server to another. A listener implementing HttpSessionActivationListener is notified when any session is about to passivate (move) and when the session is about to activate (become live) on the second host. These methods give an application the chance to persist nonserializable data across JVMs, or to glue or unglue serialized objects back into some kind of object model before or after migration. The interface has two methods:

void sessionWillPassivate(HttpSessionEvent e)

The session is about to passivate. The session will already be out of service when this call is made.

void sessionDidActivate(HttpSessionEvent e)

The session has been activated. The session will not yet be in service when this call is made.

You register this listener just like the others. However, unlike the others, the passivate and activate calls here will most likely occur on two different servers!

20.1.4 Selecting Character Encodings

The Servlet API 2.3 provides much-needed support for handling foreign language form submittals. A new method, request.setCharacterEncoding(String encoding), allows you to tell the server a request's character encoding. A character encoding (also known as a charset) is a way to map bytes to characters. The server can use the specified charset to correctly parse the parameters and POST data.

By default, a server parses parameters using the common Latin-1 (ISO 8859-1) charset. Unfortunately, that only works for Western European languages. When a browser uses another charset, it is supposed to send the encoding information in the Content-Type header of the request, but virtually no browsers adhere to this. The setCharacterEncoding( ) method lets a servlet tell the server what charset is in use (it is typically the charset of the page that contains the form); the server takes care of the rest. For example, a servlet receiving Japanese parameters from a Shift_JIS encoded form could read the parameters like this:

// Set the charset as Shift_JIS   req.setCharacterEncoding("Shift_JIS");   // Read a parameter using that charset   String name = req.getParameter("name");

Remember to set the encoding before calling getParameter( ) or getReader( ). The setCharacterEncoding( ) call may throw a java.io.UnsupportedEncodingException if the encoding is not supported. This functionality is also available for users of API 2.2 and earlier, as part of the com.oreilly.servlet.ParameterParser class.

20.1.5 JAR Dependencies

A WAR file (Web Application Archive file, added in Servlet API 2.2) often requires various other JAR libraries to exist on the server and operate correctly. For example, a web application using the ParameterParser class needs cos.jar in the classpath. A web application using WebMacro needs webmacro.jar.

Before API 2.3, either those dependencies had to be documented (as if anyone actually reads documentation!) or each web application had to include all its required JAR files in its own WEB-INF/lib directory (unnecessarily bloating each web application). Servlet API 2.3 lets you express JAR dependencies within the WAR using the WAR's META-INF/MANIFEST.MF entry. That is the standard way for JAR files to declare dependencies, but with API 2.3, WAR files must officially support the same mechanism. If a dependency can't be satisfied, a server can politely reject the web application at deployment time instead of causing an obscure error message at runtime. The mechanism allows a high degree of granularity. For example, you can express a dependency on a particular version of an optional package, and the server has to find the right one with a search algorithm.

20.1.6 Class Loaders

Here's a small change with a big impact: in API 2.3, a servlet container (a.k.a. the server) will ensure that classes in a web application not be allowed to see the server's implementation classes. In other words, the class loaders should be kept separate.

That doesn't sound like much, but it eliminates the possibility of a collision between Web application classes and server classes. That had become a serious problem because of XML parser conflicts. Each server needs an XML parser to parse web.xml files, and many web applications these days also use an XML parser to handle reading, manipulation, and writing of XML data. If the parsers supported different DOM or SAX versions, that could cause an irreparable conflict. The separation of class scope solves this issue nicely.

20.1.7 New Error Attributes

The previous API version, Servlet API 2.2, introduced several request attributes that could be used by servlets and JSPs acting as targets of an <error-page> rule. Recall from earlier in the book that <error-page> rules let you configure a web application so that certain error status codes or exception types cause specific pages to be displayed:

<web-app>     <!-- ..... -->     <error-page>         <error-code>             404         </error-code>         <location>             /404.html         </location>     </error-page>     <error-page>         <exception-type>             javax.servlet.ServletException         </exception-type>         <location>             /servlet/ErrorDisplay         </location>     </error-page>     <!-- ..... --> </web-app>

A servlet in the <location> for an <error-page> rule could receive the following three attributes:

javax.servlet.error.status_code

An Integer telling the error status code, if any.

javax.servlet.error.exception_type

A Class instance indicating the type of exception that caused the error, if any.

javax.servlet.error.message

A String telling the exception message, passed to the exception constructor.

Using those attributes, a servlet could generate an error page customized to the error, as shown here:

import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class ErrorDisplay extends HttpServlet {   public void doGet(HttpServletRequest req,       HttpServletResponse res)       throws ServletException, IOException {     res.setContentType("text/html");     PrintWriter out = res.getWriter(  );     String code = null, message = null, type = null;     Object codeObj, messageObj, typeObj;     // Retrieve the three possible error attributes.     // Some may be null     codeObj = req.getAttribute("javax.servlet.error.status_code");     messageObj = req.getAttribute("javax.servlet.error.message");     typeObj = req.         getAttribute("javax.servlet.error.exception_type");     // Convert the attributes to string values     // We do things this way because some old servers return String     // types while new servers return Integer, String, and Class     // types. This works for all.     if (codeObj != null) code = codeObj.toString(  );     if (messageObj != null) message = messageObj.toString(  );     if (typeObj != null) type = typeObj.toString(  );     // The error reason is either the status code or exception type     String reason = (code != null ? code : type);     out.println("<HTML>");     out.println("<HEAD><TITLE>" + reason + ": " + message +         "</TITLE></HEAD>");     out.println("<BODY>");     out.println("<H1>" + reason + "</H1>");     out.println("<H2>" + message + "</H2>");     out.println("<HR>");     out.println("<I>Error accessing " + req.getRequestURI(  ) +         "</I>");     out.println("</BODY></HTML>");   } }

But what if the error page could contain the exception stack trace or the URI of the servlet that truly caused the problem (since it's not always the originally requested URI)? With API 2.2, that wasn't possible. With API 2.3, that information is available with two new attributes:

javax.servlet.error.exception

A Throwable object that is the actual exception thrown.

javax.servlet.error.request_uri

A String telling the URI of the resource causing problems.

Those attributes let the error page include the stack trace of the exception and the URI of the problem resource. The servlet below has been rewritten to use the new attributes. Note that it fails gracefully if they don't exist, for backward compatibility:

import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class ErrorDisplay extends HttpServlet {   public void doGet(HttpServletRequest req, HttpServletResponse res)                                throws ServletException, IOException {     res.setContentType("text/html");     PrintWriter out = res.getWriter(  );     String code = null, message = null, type = null, uri = null;     Object codeObj, messageObj, typeObj;     Throwable throwable;     // Retrieve the three possible error attributes, some may be null     codeObj = req.getAttribute("javax.servlet.error.status_code");     messageObj = req.getAttribute("javax.servlet.error.message");     typeObj = req.getAttribute("javax.servlet.error.exception_type");     throwable = (Throwable)       req.getAttribute("javax.servlet.error.exception");     uri = (String)       req.getAttribute("javax.servlet.error.request_uri");     if (uri == null) {       uri = req.getRequestURI(  ); // in case there's no URI given     }     // Convert the attributes to string values     if (codeObj != null) code = codeObj.toString(  );     if (messageObj != null) message = messageObj.toString(  );     if (typeObj != null) type = typeObj.toString(  );     // The error reason is either the status code or exception type     String reason = (code != null ? code : type);     out.println("<HTML>");     out.println("<HEAD><TITLE>" + reason + ": " + message +                 "</TITLE></HEAD>");     out.println("<BODY>");     out.println("<H1>" + reason + "</H1>");     out.println("<H2>" + message + "</H2>");     out.println("<PRE>");     if (throwable != null) {       throwable.printStackTrace(out);     }     out.println("</PRE>");     out.println("<HR>");     out.println("<I>Error accessing " + uri + "</I>");     out.println("</BODY></HTML>");   } } 

20.1.8 New Security Attributes

Servlet API 2.3 also adds two new request attributes that can help a servlet make an informed decision about how to handle secure HTTPS connections. For requests made using HTTPS, the server will provide these new request attributes:

javax.servlet.request.cipher_suite

A String representing the cipher suite used by HTTPS, if any.

javax.servlet.request.key_size

An Integer representing the bit size of the algorithm, if any.

A servlet can use those attributes to programmatically decide if the connection is secure enough to proceed. An application may reject connections with small bitsizes or untrusted algorithms. For example, a servlet could use the following method to ensure that its connection uses at least a 128-bit key size:

public boolean isAbove128(HttpServletRequest req) {   Integer size = (Integer)     req.getAttribute("javax.servlet.request.key_size");   if (size == null || size.intValue(  ) < 128) {     return false;   }   else {     return true;   } }

The attribute names in the Proposed Final Draft use dashes instead of underscores; however, they're being changed, as shown here before the Final Release, to be more consistent with existing attribute names.

20.1.9 Little Tweaks

A number of small changes also made it into the API 2.3 release. First, the getAuthType( ) method that returns the type of authentication used to identify a client has been defined to return one of the four new static final String constants in the HttpServletRequest class: BASIC_AUTH, DIGEST_AUTH, CLIENT_CERT_AUTH, and FORM_AUTH. This allows simplified code like:

if (req.getAuthType(  ) == req.BASIC_AUTH) {   // handle basic authentication }

Of course, the four constants still have traditional String values, so the following code from API 2.2 works too, but is not as fast or as elegant. Notice the reverse equals( ) check to avoid a NullPointerException if getAuthType( ) returns null:

if ("BASIC".equals(req.getAuthType(  ))) {   // handle basic authentication }

Another change in API 2.3 is that HttpUtils has been deprecated. HttpUtils has always stood out as an odd collection of static methods calls that were useful sometimes, but might have been better placed elsewhere. As you may recall, the class contained methods to reconstruct an original URL from a request object and to parse parameter data into a hashtable. API 2.3 moves this functionality into the request object where it more properly belongs, and deprecates HttpUtils. The new methods on the request object are:

StringBuffer req.getRequestURL( )

Returns a StringBuffer containing the original request URL, rebuilt from the request information.

java.util.Map req.getParameterMap( )

Returns an immutable Map of the request's parameters. The parameter names act as keys and the parameter values act as map values. It has not been decided how parameters with multiple values will be handled; most likely, all values will be returned as a String[]. These methods use the new req.setCharacterEncoding( ) method to handle character conversions.

API 2.3 also adds two new methods to ServletContext that let you obtain the name of the context and a list of all the resources it holds:

String context.getServletContextName( )

Returns the name of the context as declared in the web.xml file.

java.util.Set context.getResourcePaths( )

Returns all the resource paths available in the context, as an immutable set of String objects. Each String has a leading slash ( / ) and should be considered relative to the context root.

There is also a new method on the response object to increase programmer control of the response buffer. API 2.2 introduced a res.reset( ) method to reset the response and clear the response body, headers, and status code. API 2.3 adds a res.resetBuffer( ) that clears just the response body:

void resetBuffer( )

Clears the response buffer without clearing headers or the status code. If the response has already been committed, it throws an IllegalStateException.

And finally, after a lengthy debate by a group of experts, Servlet API 2.3 has clarified once and for all exactly what happens on a res.sendRedirect("/index.html") call for a servlet executing within a non-root context. The issue is that Servlet API 2.2 requires an incomplete path like "/index.html" to be translated by the servlet container into a complete path, but it does not say how context paths are to be handled. If the servlet making the call is in a context at the path "/contextpath", should the redirect URI translate relative to the container root (http://server:port/index.html) or the context root (http://server:port/contextpath/index.html)? For maximum portability, it's imperative to define the behavior; after lengthy debate, the experts chose to translate relative to the container root. For those who want context relative, you can prepend the output from getContextPath( ) to your URI.

20.1.10 DTD Clarifications

The Servlet API 2.3 ties up a few loose ends regarding the web.xml deployment descriptor behavior. It's now mandated that you trim text values in the web.xml file before use. (In standard non-validated XML, all white space is generally preserved.) This rule ensures that the following two entries can be treated identically:

<servlet-name>hello<servlet-name>

and

<servlet-name>   hello </servlet-name>

The Servlet API 2.3 also allows an <auth-constraint> rule, so the special value "*" can be used as a <role-name> wildcard to allow all roles. This allows you to write a rule like the following that lets all users enter as soon as they've been properly identified as belonging to any role in the web application:

<auth-constraint>   <role-name>*</role-name> <!-- allow all recognized roles --> </auth-constraint>

Finally, it's been clarified that you can use a role name declared by a <security-role> rule as a parameter to the isUserInRole( ) method. For example, look at the following snippet of a web.xml entry:

<servlet>     <servlet-name>         secret     </servlet-name>     <servlet-class>         SalaryViewer     </servlet-class>     <security-role-ref>         <role-name>             mgr <!-- name used by servlet -->         </role-name>         <role-link>             manager <!-- name used in deployment descriptor -->         </role-link>     </security-role-ref> </servlet> <!-- ... --> <security-role>     <role-name>         manager     </role-name> </security-role>

With this, the servlet secret can call either isUserInRole("mgr") or isUserInRole("manager"); both will give the same behavior. Basically, security-role-ref acts to create an alias, but isn't necessary. That is what you'd naturally expect, but the API 2.2 specification could be interpreted as implying that you could only use roles explicitly declared in a <security-role-ref> alias rule. (If that doesn't make sense to you, don't worry about it; just be aware that things are now guaranteed to work as they should.)