What’s new in Servlet 3.0?

With the introduction of Java EE6 the new Java Servlet 3.0 API (JSR 315) have made several enhancements to the previous Servlet API: ease of development and deployment, extensibility, asynchronous support, and security enhancements.

For ease of development, the new API have several annotations to declare servlets ,filters, listeners and security constraints. @WebServlet defines servlets,@WebFilter defines servlet filters, @WebListener defines a listener, @WebInitParam defines an init param, @ServletSecurity defines security constraints, and finally @MultipartConfig can be used for handling file uploads. Here is a sample servlet declared with the @WebServlet annotation:

@WebServlet(name=” TestServlet”, urlPattern=”/testApp/*”)
public class TestServlet extends HttpServlet {
public void doGet(HttpServletRequest req,HttpServletResponse resp)
{
...
}

New Servlet API also lets developers register their servlets dynamically during ServletContext initilization:

ServletRegistration.Dynamic dynamic =
servletContext.addServlet(“DynamicServlet”, “com.test.TestServlet”)
dynamic.addMapping(“/testServlet”);
dynamic.setAsyncSupported(true);

Asynchronous support introduced in Servlet 3.0 is another nice enhancement which is useful for possibly long running requests. To enable asynchronous support, @WebServlet(asyncSupported=true) should be declared. When the asyncSupported attribute is set to true, the response object is not committed on method exit. First

AsyncContext ctx = ServletRequest.startAsync(req, res);

should be called.

This AsyncContext object caches the request/response pair. When done with the request, one of the AsyncContext.dispatch(), AsyncContext.dispatch(path), or AsyncContext.dispatch(servletContext, path) methods can be called to dispatch the request to the container to be rendered. For example

ctx.dispatch("/result.jsp");

forwards the request to the container so that the result.jsp is rendered as response.

Here is a complete example illustrating the use of asynchronous support in Servlet 3.0:

   @WebServlet("/testServlet" asyncSupported=true)
   public class TestServlet extends HttpServlet {
        public void doGet(HttpServletRequest req, HttpServletResponse res) {
            ...
            AsyncContext aCtx = request.startAsync(req, res);
            ScheduledThreadPoolExecutor executor = new ThreadPoolExecutor(10);
            executor.execute(new AsyncServiceCall(aCtx));
        }
   }

   public class AsyncServiceCall implements Runnable {
        private AsyncContext ctx;
        public AsyncWebService(AsyncContext ctx) {
            this.ctx = ctx;
        }
        public void run() {
            // Invoke possibly long running service and dispatch the response
            ctx.dispatch("/render.jsp");
   }

For the security part, Servlet 3.0 API now supports programmatic authentication, login and logout with HttpServletRequest.authenticate, HttpServletRequest.login and HttpServletRequest.logout methods. It is now possible to declare security constraints with the @ServletSecurity annotation:

@WebServlet(name="testServlet", urlPatterns={"/ testServlet "})
@ServletSecurity(@HttpConstraint(rolesAllowed = {"testUser", "admin”}))
public class TestServlet extends HttpServlet {

In this example, only “testUser” and “admin” users are authorized to call any of the HTTP methods of the TestServlet. It is also possible to specify security constraints for each HTTP method:

@ServletSecurity(httpMethodConstraints={ @HttpMethodConstraint("GET"),
    @HttpMethodConstraint(value="POST", rolesAllowed={"testUser"})})

In this example, all users are allowed to call GET methods, however only testUsers are allowed to call POST methods.

For detailed information about new features in the Servlet 3.0 API I recommend reading JSR 315 (http://jcp.org/en/jsr/detail?id=315)