Carview!

CARVIEW

MOTORHOMES

Select Language

HTTP/2 302 server: nginx date: Wed, 16 Jul 2025 02:41:17 GMT content-type: text/plain; charset=utf-8 content-length: 0 x-archive-redirect-reason: found capture at 20080724002005 location: https://web.archive.org/web/20080724002005/https://weblogs.java.net/blog/mode/ server-timing: captures_list;dur=0.745285, exclusion.robots;dur=0.025142, exclusion.robots.policy;dur=0.011072, esindex;dur=0.015773, cdx.remote;dur=7.747190, LoadShardBlock;dur=247.973235, PetaboxLoader3.datanode;dur=141.544785, PetaboxLoader3.resolve;dur=41.328097 x-app-server: wwwb-app224 x-ts: 302 x-tr: 281 server-timing: TR;dur=0,Tw;dur=0,Tc;dur=0 set-cookie: SERVER=wwwb-app224; path=/ x-location: All x-rl: 0 x-na: 0 x-page-cache: MISS server-timing: MISS x-nid: DigitalOcean referrer-policy: no-referrer-when-downgrade permissions-policy: interest-cohort=() HTTP/2 200 server: nginx date: Wed, 16 Jul 2025 02:41:18 GMT content-type: text/html x-archive-orig-date: Thu, 24 Jul 2008 15:08:53 GMT x-archive-orig-server: Apache x-archive-orig-vary: Host x-archive-orig-x-cache: MISS from weblogs.java.net x-archive-orig-connection: close x-archive-orig-transfer-encoding: chunked x-archive-orig-x_commoncrawl_parsesegmentid: 3901 x-archive-orig-x_commoncrawl_originalurl: https://weblogs.java.net/blog/mode/ x-archive-orig-x_commoncrawl_urlfp: 5920780303203766689 x-archive-orig-x_commoncrawl_hostfp: -9099437952485161423 x-archive-orig-x_commoncrawl_signature: 88e27c62081046e572dfd06e1fa4e2c8 x-archive-orig-x_commoncrawl_crawlno: 1 x-archive-orig-x_commoncrawl_fetchtimestamp: 1216884005361 x-archive-guessed-content-type: text/html x-archive-guessed-charset: utf-8 memento-datetime: Thu, 24 Jul 2008 00:20:05 GMT link: ; rel="original", ; rel="timemap"; type="application/link-format", ; rel="timegate", ; rel="first memento"; datetime="Sat, 19 Nov 2005 07:46:50 GMT", ; rel="prev memento"; datetime="Tue, 05 Feb 2008 12:01:06 GMT", ; rel="memento"; datetime="Thu, 24 Jul 2008 00:20:05 GMT", ; rel="next memento"; datetime="Sat, 06 Sep 2008 19:37:56 GMT", ; rel="last memento"; datetime="Mon, 11 Nov 2024 09:49:58 GMT" content-security-policy: default-src 'self' 'unsafe-eval' 'unsafe-inline' data: blob: archive.org web.archive.org web-static.archive.org wayback-api.archive.org athena.archive.org analytics.archive.org pragma.archivelab.org wwwb-events.archive.org x-archive-src: 1217096314156_8-c/1217096604222_26.arc.gz server-timing: captures_list;dur=0.493336, exclusion.robots;dur=0.019260, exclusion.robots.policy;dur=0.008391, esindex;dur=0.010164, cdx.remote;dur=13.609458, LoadShardBlock;dur=190.290052, PetaboxLoader3.datanode;dur=147.247454, PetaboxLoader3.resolve;dur=360.134298, load_resource;dur=366.655063 x-app-server: wwwb-app224 x-ts: 200 x-tr: 649 server-timing: TR;dur=0,Tw;dur=0,Tc;dur=0 x-location: All x-rl: 0 x-na: 0 x-page-cache: MISS server-timing: MISS x-nid: DigitalOcean referrer-policy: no-referrer-when-downgrade permissions-policy: interest-cohort=() content-encoding: gzip Rajiv Mordani's Blog

My pages	Projects	Communities	java.net

Get Involved

java-net Project

Request a Project

Project Help Wanted Ads

Publicize your Project

Get Informed

java.net Online Books

java.net Archives

Get Connected

java.net Forums

Wiki and Javapedia

People, Partners, and Jobs

Java User Groups

RSS Feeds

Search

Online Books:

Advanced Search

Rajiv Mordani's Blog

Rajiv Mordani is a senior engineer at Sun Microsystems, working on the web technologies as an architect. Rajiv has been involved in the open source community at Apache with xerces and tomcat in the past doing implementation and also as the JAXP specification lead. He is currently the specification lead for Servlets.

Aggregrated feed for GlasFish webtier related blogs

Posted by mode on May 21, 2008 at 11:15 PM | Permalink | Comments (0)

We now have an aggregated feed for all webtier related blogs - https://feeds.feedburner.com/GlassFish-webtier.

Forum and mailing list dedicated for webtier in GlassFish

Posted by mode on May 14, 2008 at 09:23 PM | Permalink | Comments (3)

We now have a mailing list - webtier@glassfish.dev.java.net and forum dedicated to discuss user issues for the webtier of GlassFish. The intent is to use the mailing list and forum for discussing the webtier technologies including Servlets, JSP, JSF, JSTL, Grizzly and scripting support in GlassFish and build a community that focuses on webtier of the Java EE platform. Cross-posting from one to the other is still not working but it should be pretty soon. Please consider joining the mailing list or use the forum.

JSR 315 Needs YOU: Response to Greg's blog

Posted by mode on May 14, 2008 at 04:38 PM | Permalink | Comments (9)

In my previous post I described some of the pluggability mechanism being added to the servlet 3.0 specification. One of the issues that I didn't touch upon in detail was how the annotations and web-fragments are processed and how can one override / turn off the auto scanning of annotations and web-fragments.

Greg Wilkins from Webtide blogged about the pluggability mechanism and raised an issue with the auto-scanning. Hopefully this blog will make the argument for the simple scanning of annotations and web-fragments and argue against the case of having a more flexible scheme in this release of the servlet specification.

I will start with the annotation case first and then talk about the web-fragments. When you use annotations to declare servlets and Filters then you must have a url-mapping / FilterMapping attribute on the corresponding servlet / Filter. In this way there is no convention by which a servlet is exposed without having an explicit mapping. Also , as with the rest of the Java EE platform, specifically technologies like EJB and Web Services, the deployment descriptor is used to override information that is specified via annotations. So if you have a servlet that is declared via annotations during development and now you need to change one attribute of the servlet when you go from development to production, you don't need to modify the code. Instead you override the configuration using the web.xml file. In the example below I show how this can be used -

@Servlet(url-mapping="/foo")
public class MyServlet {
    @GET
    public void handleGet(HttpServletRequest req, HttpServletResponse res) {
         ...
     }
}

At deployment time say you want to override the url-mapping for the servlet defined above. The way you would do that would be by defining the new mapping for the servlet in the web.xml as shown below -

<web-app>
  <servlet-mapping>
    <servlet-name>
      MyServlet
    </servlet-name>
    <url-pattern>
      /MyApp
    </url-pattern>
  </servlet-mapping>
</web-app>

If you didn't want any of the annotations to be processed at all by the container and wanted to specify all the configuration via the deployment descriptor, then, like with the rest of the Java EE 5 platform, we have the metadata-complete element in the descriptor. If the element is present and set to "true" then the container will not process any annotations and just use the configuration specified in the descriptor. This provides a way disable the auto-scanning for those that have concerns about performance, and security. This is consistent with what we have today in Java EE 5 platform and has worked well with EJBs and JAX-WS (Web Services APIs). We have not received any negative feedback about security and performance being an issue. Web Services are endpoints that are exposed on the web so the argument someone makes about there not being a security hole in EJB does not stand true for Web Services.

The second issue is about auto-scanning of web-fragments. The early draft of the specification says that the container needs to process web-fragments and make available the servlets, filters an listeners defined via the fragments. As discussed in my earlier post, this helps with use of frameworks. Currently the early draft of the specification says that the same flag - metadata-complete controls both the scanning of annotations and fragments. I still think that is sufficient for the developers. However during JavaOne we had an expert group face-to-face meeting and discussed the possibility of having another flag to control the scanning of web fragments and use the metadata-complete just to control scanning of annotations. Again similar to metadata-complete this flag would control whether to scan for web-fragments or not. If you choose not to scan the web-fragments then you would need to specify the entire metadata that you need in in the web.xml of the application, a-la metadata-complete :). For those that have major security concerns this would probably be the route to go because even if you do have the include mechanism there would be no way to specify just one servlet from the jar file. The container would still scan for all the servlets, filters and listeners from the framework available. The concept of "trusting" certain frameworks doesn't seem to solve the problem. Let's take Spring for example - if you choose Spring as the framework but didn't want one of the servlets defined in Spring to be available. The include mechanism would not work for you. You would have to fall back on defining everything in the web.xml of the application anyways. The benefit that the include proposal from Greg Wilkins is very little specially if the main concern is that servlets and filters are being exposed without the user intending to do so. I think that it is the problem of the framework developer and not the user of the framework to make sure that they don't expose certain types of components. By using a flag to control scanning you can effectively get what the include mechanism provides except you don't get partial scanning of only a certain set of jars. The include mechanism would probably only make the descriptor more verbose in having to list the jars you want scanned.

Another mechanism that came up during the face-to-face which hasn't been still talked about in the expert group is the concept of disabling servlets and filters in the application's web.xml. For example we could have in the application's web.xml the following -

  <servlet>
    <servlet-name>FrameworkServlet</servlet-name>
    <enabled>false</enabled>
  </servlet>

This way some of the servlets that aren't needed in production can be disabled via the main web.xml of the application and the security issue can be mitigated while keeping things simple.

Servlet 3.0 pluggability

Posted by mode on May 13, 2008 at 11:08 PM | Permalink | Comments (8)

In my earlier post I gave an overview of the things that are being worked upon in Servlet 3.0. This post focuses on one of the areas that the expert group has been working on - pluggability.

Pluggability

There are a lot of frameworks / libraries that are built on top of the servlet container. Most frameworks today require you to configure a servlet, filter or listener in the application's web.xml in addition to including it as a dependency in the WEB-INF/lib directory. Today in a servlet container the application has one monolithic web.xml that defines all the deployment artifacts for the application, including the dependencies of the application on the framework components. In it's current state, a developer must go through the documentation of each framework that it depends on and declare the appropriate servlets, filters, Listeners, etc. The goal is to make it possible to use frameworks without having to worry about any additional configuration.

To overcome this issue in servlet 3.0 we are adding a new feature that allows having more than one web.xml, or as it is being referred in the specification as web fragments. A framework can define it's own web.xml that declares the necessary components for the framework that is then included for use in the web applicaton. At deployment the container is responsible for discovering the web.xml fragments and processing them. A new element is being added to the schema for web applications - web-fragment that can define servlets, filters listeners. Below is a simple example of such a fragment.

<web-fragment>
  <servlet>
    <servlet-name>welcome</servlet-name>
    <servlet-class>
      WelcomeServlet
    </servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>welcome</servlet-name>
    <url-pattern>/Welcome</url-pattern>
  </servlet-mapping>
...
</web-fragment>

The above fragment would be included in the META-INF directory of the framework jar file.

In addition to changes to modularize the web.xml there are also annotations being defined to declare servlets (@Servlet), filters (@ServletFilter) and the annotations have all the attributes defined to make web.xml optional. These attributes contain information like url-mapping, init-params and other information that would typically be defined in the deployment descriptor. This way Servlets, filters etc can be defined entirely using annotations and would be picked up from the WEB-INF/classes or WEB-INF/lib directory.

Along with the changes mentioned above there are few new APIs to also allow programmatic addition of Servlets and Filters at start up time of an application. API changes for adding configuration are added to the ServletContext class and are listed here below:

ServletContext: 
    addServlet 
    addServletMapping 
    addFilter 
    addFilterMapping

Below is an example that shows how the APIs defined in ServletContext can be used.

@ServletContextListener
public class MyListener {
    public void contextInitialized (ServletContextEvent sce) {
        ServletContext sc = sce.getServletContext();
        sc.addServlet("myServlet", 
                      "Sample servlet", 
                      "foo.bar.MyServlet", 
                       null, -1);
        sc.addServletMapping("myServlet", 
                             new String[] {"/urlpattern/*"});
    }
}

@ServletContextListener
public class MyListener {
    public void contextInitialized (ServletContextEvent sce) {
        ServletContext sc = sce.getServletContext();
        sc.addFilter("myFilter", 
                     "Sample Filter", 
                     "foo.bar.MyFilter", 
                      null);
        sc.addFilterMapping("myFilter", 
                             new String[] {"/urlpattern/*"},                         
                            “myServlet”,
                             DispatcherType.REQUEST, false);
    }
}

As you can see with the changes above now the onus is on the framework authors to make sure that they declare and make available the components and be self sufficient. As for the developers / users of the frameworks they now just need to include these libraries in their application and start using it.

Servlet 3.0 (JSR 315) update

Posted by mode on April 30, 2008 at 04:50 PM | Permalink | Comments (12)

Update: The early draft of the specification is now available at the JCP site. Click here to get to the draft. It's been a while since I put a post on the blog so I thought I would take this opportunity to give an update on the servlet 3.0 specification. The expert group has been working through to enhance the APIs in the servlet specification. This blog is to give an update to the developers about the features that are proposed for the upcoming early draft of the specification. The main areas covered so far by the expert group are

Pluggability and extensibility
Ease of development
Async support
Security enhancements
Some enhancements to the existing APIs.

Pluggability and extensibility

In keeping with one of the main theme for Java EE 6, the goal of this requirement is provide more extension points in the servlet container to allow developers to easily use frameworks / libraries by "just dropping" a jar file in the application classpath and not require any additional configuration in the application. Today, in a servlet container the application has one monolithic web.xml that defines all the deployment artifacts for the application, including the dependencies of the application on the framework components. In it's current state, a developer must go through the documentation of each framework that it depends on and declare the appropriate servlets, filters, Listeners, etc. To overcome this issue in servlet 3.0 we are adding a new feature that allows having more than one web.xml, or as it is being referred in the specification as web fragments. A framework can define it's own web.xml that declares the necessary components for the framework that is then included for use in the web applicaton. It is the job of the container to assemble all the fragments at deployment / runtime of the application.

Along with the changes mentioned above there are few new APIs to also allow programmatic addition of Servlets and Filters at start up time of an application. API changes for configuration addition:
ServletContext: addServlet, addServletMapping, addFilter, addFilterMapping

Ease of Development

In servlet 3.0 one of the areas of focus is ease of development. The servlet 3.0 API is making use of annotations to enable a declarative style of programming for components of a web application. For example - to define a servlet you would use the following piece of code -

package samples;
import javax.servlet.http.annotation.*;
@Servlet(urlMappings={"/foo"})
public class SimpleSample {
}

The use of annotations makes web.xml optional and a developer does not really need to use it unless they want to change some configuration without changing code - for example at deployment time. Also, as with all the other parts of the Java EE platform, the descriptor always overrides the metadata provided via use of annotations.

Async support

The initial proposal for Async servlet support came from Greg Wilkins from Webtide and has been discussed and refined in the expert group. Support for async servlets allows you to suspend and resume request processing and enable and disable the response depending on the need of the application. A good use case of this servlet is in writing comet style applications. API changes for async support:
ServletRequest: suspend, resume, complete, isSuspended, isResumed, isTimeout, isInitial ServletResponse: disable, enable, isDisabled ServletRequestListener: requestSuspended, requestResumed, requestCompleted

Security enhancements

While this is not in the early draft of the specification as it needs some more discussion in the expert group, I thought I would give a sneak preview of what might be in the next draft of the specification. Ron Monzillo from Sun who is a security expert and has done work on many of the security related JSRs proposed the addition of methods to HttpServletRequest and HttpSession to support programmatic login and logout. API changes for login / logout support:
HttpServletRequest: login, logout HttpSession:logout

Enhancements to existing APIs

A few areas of the current API have been enhanced that will help in developer productivity. Listed below are some of them -

Ability to get a ServletContext and a Response object from the Request object. To get a Context (to maybe get context information or to get a RequestDispatcher for example) today you need to create a HttpSession object just to get a reference to a Context object. With the addition of the new APIs you can now get the Context and the associated Response from the ServletRequest. API changes for getting a Context and Response:
ServletRequest: getServletContext, getServletResponse
Mark a cookie as an HttpOnly cookie. By setting a cookie to be an HttpOnly cookie you prevent client side scripting code from getting access to the cookie. Most modern browsers support this feature and it helps mitigate some kinds of cross-site scripting attacks. API changes to support HttpOnlyCookie:
Cookie: setHttpOnly, isHttpOnly

Note: For details about all the API changes look at the javadocs (once the spec is available from the jcp website). The exact method signatures aren't duplicated here. Instead just the names are here to give an idea of the kind of changes.