Presentation on theme: "Manpower Associates is a $14"— Presentation transcript:

1 Bring up on stage two customers to tell the audience about their experiences.
Manpower Associates is a $14.9B global company with 27,000 employees in the temporary staffing business. Manpower runs a combined PeopleSoft Enterprise and JD Edwards EnterpriseOne shop. These experts in human resources use Enterprise HCM for their own staffing and EnterpriseOne Payroll and Service Billing for handling the large volumes of US-based temporary staff. Manpower is very happy with Oracle’s support since purchasing PeopleSoft and is looking forward to a long relationship with Oracle. Spokesperson will be Jay Schaudies, Vice President, Global eCommerce.

Welch Foods is the food processing and marketing arm of National Grape Cooperative Association. Organized in 1945, National Grape is a grower-owned agricultural cooperative with 1,461 members. The company, headquartered in Concord, Massachusetts, operates six plants located in Michigan, New York, Pennsylvania and Washington. The company was running a mix of legacy, home grown, and manual systems that failed to provide senior management with accurate and timely cost and production information. Welch’s required a centralized manufacturing and financial information system to improve management decision making. The solution had to be hot-pluggable with existing technologies, for example, Welch’s Plumtree portal. Welch Foods chose Oracle over SAP for this business-critical application. The key to the customer’s business problem was their ability to manage costs. The company’s costs are driven by fruit solid content in each of their products, and they use a specialized technique called BRIX for measuring and calculating the cost of materials. Welch’s compared SAP and Oracle. SAP’s software was too rigid and, therefore, unable to include the BRIX calculation in their manufacturing solution. Only Oracle’s OPM could bind this custom cost method into the Quality Management Process.

Technology customer yet to be determined. Current possibilities include eBay and FTD Florists.

2 Secure, Asynchronous Web Applications Using Java Servlet 3.0 and Java EE 6
Rajiv Mordani, Shing Wai Chan, Prasanth Pallamreddy

3 The following is intended to outline our general product direction
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

4 Agenda
- Overview
- Asynchronous support
- Security enhancements
- Use cases
- Q&A

5 Overview
- Servlet 3.0 final with Java EE 6
- Feature set includes support for
  - Ease of development
  - Pluggability
  - Asynchronous support
  - Security
  - File upload

6 Asynchronous support: Why Asynchronous Servlets?
- Waiting for resources (e.g. JDBC connection)
- Waiting for events (e.g. chat)
- Waiting for response (e.g. call to a web service)
- No Async IO
  - In a future release with dependency on NIO2

7 Overview of Asynchronous API: ServletRequest
- ServletRequest.isAsyncSupported()
  - true if all filters / servlets support async in
    - The filter chain
    - The RequestDispatch chain

8 Overview of Asynchronous API: ServletRequest / AsyncContext
- Configured in web.xml
  - <async-supported>true</async-supported>
- With annotation
  - @WebServlet(asyncSupported=true)
- Programmatic
  - registration.setAsyncSupported(true)

9 Overview of Asynchronous API: AsyncContext
- AsyncContext ServletRequest.startAsync()
  - Called by Filter / Servlet
  - Response is not committed on the return of
    - servlet.service(request, response)
    - Filter chain
- AsyncContext ServletRequest.startAsync(request, response)
  - Variation that can preserve wrappers

10 Overview of Asynchronous API: AsyncContext
- AsyncContext.dispatch()
  - Called by the asynchronous handler
  - Schedule async dispatch
  - DispatcherType.ASYNC
  - Response generated by Filter / Servlet
  - Using container thread pool
  - Possibly using frameworks like JSF, JSP or others
  - Java EE context available (EJB, JNDI, JTA etc.)

11 Overview of Asynchronous API: AsyncContext
- AsyncContext.dispatch(String path)
  - Allows dispatching a different servlet in the same context
- AsyncContext.dispatch(ServletContext context, String path)
  - Allows dispatching a different servlet relative to the context specified

12 Overview of Asynchronous API: AsyncContext
- AsyncContext.complete()
  - Called by asynchronous handler
  - Signals response has been generated
  - Must be called to indicate to the container that async processing is done
  - If dispatched to the container, the container calls complete implicitly if no other async operation is started

13 Overview of Asynchronous API: Timeout
- AsyncContext.setTimeout(long timeout)
  - Specifies the timeout for the async operation
  - AsyncListener’s onTimeout is notified of timeout if one is registered
  - Default handling is an error dispatch with error code set to 500

14 Overview of Asynchronous API: Timeout
- Listener
  - AsyncListener.onTimeout
  - AsyncListener.onComplete
  - AsyncListener.onStart
  - AsyncListener.onError

15 Demo

16 Security: Specifying constraints via annotations
- Servlet 3.0 introduces annotations to define auth constraints and user data constraints
  - @ServletSecurity
  - @HttpConstraint
  - @HttpMethodConstraint

17 Security: Specifying constraints via annotations
- @ServletSecurity is used to define HttpConstraints that apply to all HTTP methods, or HttpMethodConstraints that apply to a specific HTTP method
- Method-specific ones take precedence over the HttpConstraints

18 Security: Specifying constraints via annotations
- Security constraints in web.xml override annotations
- web-resource-collection enhanced with http-method-omission to
  - Accommodate annotation precedence rules
  - Sustain overrides
  - Allow constraints to be specified on non-enumerable HTTP method subsets

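19 Security: Specifying constraints via annotations: Examples

    // TransportGuarantee is javax.servlet.annotation.ServletSecurity.TransportGuarantee

    // Role "staff" is required for every HTTP method
    @WebServlet("/myurl1")
    @ServletSecurity(@HttpConstraint(rolesAllowed={"staff"}))
    public class MyServlet1 extends HttpServlet { }

    // Every HTTP method requires a confidential (TLS) transport
    @WebServlet("/myurl2")
    @ServletSecurity(@HttpConstraint(transportGuarantee=TransportGuarantee.CONFIDENTIAL))
    public class MyServlet2 extends HttpServlet { }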

20 Security: Specifying constraints via annotations: Examples (cont’d)

    // POST requires role "javaee", GET is open to all, PUT is denied to all
    @WebServlet("/myurl3")
    @ServletSecurity(
        httpMethodConstraints={
            @HttpMethodConstraint(value="POST", rolesAllowed={"javaee"}),
            @HttpMethodConstraint("GET"),
            @HttpMethodConstraint(value="PUT", emptyRoleSemantic=EmptyRoleSemantic.DENY)})
    public class MyServlet3 extends HttpServlet { }

21 Security: Specifying constraints via Programmatic API
- javax.servlet.ServletSecurityElement
- javax.servlet.HttpConstraintElement
- javax.servlet.HttpMethodConstraintElement
- ServletRegistration.Dynamic.setServletSecurity(ServletSecurityElement constraint)

22 Security: Specifying constraints via Programmatic API: Example

    public class MyListener implements ServletContextListener {
        public void contextInitialized(ServletContextEvent sce) {
            ServletContext sc = sce.getServletContext();
            ServletRegistration.Dynamic sr = sc.addServlet(...);
            ServletSecurityElement sse = new ...;
            sr.setServletSecurity(sse);
        }
    }
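
One way to fill in the elided arguments of the listener above, as an added example that is not from the slides. AdminServlet, the "admin" name, the /admin mapping and the roles are hypothetical. It also checks the return value of setServletSecurity, which lists the URL patterns where a web.xml constraint overrides the programmatic one.

```java
import java.util.Arrays;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServlet;

@WebListener
public class SecureRegistrationListener implements ServletContextListener {

    // Hypothetical servlet; stands in for the application's own class.
    public static class AdminServlet extends HttpServlet { }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext sc = sce.getServletContext();
        ServletRegistration.Dynamic sr = sc.addServlet("admin", AdminServlet.class);
        if (sr == null) {
            // A servlet named "admin" is already fully registered elsewhere.
            throw new IllegalStateException("servlet 'admin' already registered");
        }
        sr.addMapping("/admin");

        // Applies to every HTTP method not named below: role "staff", TLS only.
        HttpConstraintElement allMethods =
            new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "staff");
        // Method-specific constraints take precedence over allMethods.
        ServletSecurityElement sse = new ServletSecurityElement(allMethods, Arrays.asList(
            new HttpMethodConstraintElement("POST",
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "javaee")),
            new HttpMethodConstraintElement("PUT",
                new HttpConstraintElement(EmptyRoleSemantic.DENY))));

        // Patterns returned here are already constrained in web.xml, so the
        // constraints above were NOT applied to them.
        Set<String> fromDescriptor = sr.setServletSecurity(sse);
        if (!fromDescriptor.isEmpty()) {
            sc.log("web.xml security-constraint wins for " + fromDescriptor);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```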

23 Security: Programmatic login / logout
- HttpServletRequest.login(String username, String password)
  - Application supervises credential collection
- HttpServletRequest.authenticate(HttpServletResponse response)
  - Application initiates container mediated authentication from a resource that is not covered by any authentication constraints
  - Application decides when authentication must occur

24 Security: Programmatic login / logout
- Integration of additional container authentication modules via Servlet profile of JSR 196 recommended
- HttpServletRequest.logout()
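
The login() and logout() calls from the two slides above in one servlet, as an added example that is not from the presentation. The URLs, parameter names and redirect targets are hypothetical, and it assumes TLS terminates at the container and that pre-login session data can be discarded.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

// Hypothetical URLs and parameter names; POST only, so credentials never
// appear in a query string.
@WebServlet(urlPatterns = {"/login", "/logout"})
public class SessionServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession old = req.getSession(false);
        if ("/logout".equals(req.getServletPath())) {
            req.logout();                      // clears the caller identity
            if (old != null) old.invalidate(); // logout() need not end the session
            resp.sendRedirect(req.getContextPath() + "/");
            return;
        }
        if (!req.isSecure()) {                 // refuse credentials sent without TLS
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Servlet 3.0 has no changeSessionId(): discard the pre-login session
        // and bind the identity to a fresh one so the old ID cannot be reused.
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        try {
            // Throws on bad credentials, on an already authenticated request,
            // or when the login mechanism cannot take username/password.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            fresh.invalidate();
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no reason echoed
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/account");
    }
}
```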

25 Security: Securing cookies (cont’d)
- Two types
  - Application generated cookies
  - Session tracking cookies
- Two attributes
  - Secure
  - HttpOnly
- Two Java classes
  - javax.servlet.http.Cookie
  - javax.servlet.SessionCookieConfig

26 Security: Securing cookies (cont’d)

    <web-app>
      <session-config>
        <cookie-config>
          …
          <!-- the web.xml schema expects http-only before secure -->
          <http-only>true</http-only>
          <secure>true</secure>
        </cookie-config>
      </session-config>
    </web-app>

27 Demo

28 Use case 1

29 Shopping Cart Checkout
Performing async operations in non-container threads
- The checkout operation is expensive
  - Create order, bill credit-card, persist order
  - The request thread is blocked till all these operations complete
- Try offloading this operation to an Async Servlet
  - Request thread is freed
  - Response is handled when the checkout is complete
  - Allows throttling request threads independent of processing threads

30 Checkout with Async EJB
Performing async operations in non-container threads
- EJB 3.1 introduces Async EJBs
  - One way calls
  - Future responses
- EJBs can now be packaged in wars
- EJB execution is scheduled by the container
- Interesting possibilities when combined with Async Servlets

31 Checkout – 3 Scenarios
1. Sync Servlet, Sync EJB
2. Async Servlet, Sync EJB
3. Async Servlet, Async EJB
- Servlet Async APIs provide a lot of flexibility
  - AsyncContext can be accessed outside the scope of the Servlet Container
- With EJB-in-WAR,
  - Moves the responsibility of dispatching tasks to the container
  - Allows the throttling of web threads and the EJB threads
[Diagram labels: Container Async Dispatch, User Async Dispatch, Request, Servlet, EJB, Response]

32 CheckOutServlet

    @WebServlet(urlPatterns={"/checkout"}, asyncSupported=true)
    public class CheckOutServlet extends HttpServlet {
        ...
        @EJB CheckOutBean checkoutBean;

        public void service(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // validate request
            AsyncContext ctx = request.startAsync();
            // method name matches CheckOutBean.processAsync
            checkoutBean.processAsync(ctx);
            // free the request thread - return
        }
    }

33 CheckOutBean

    @Stateless
    public class CheckOutBean {
        @Resource SessionContext sessionContext;

        @TransactionAttribute(TransactionAttributeType.REQUIRED)
        @Asynchronous
        public void processAsync(AsyncContext ctx) {
            try {
                // process the checkout here
                ...
                ctx.dispatch("/checkout-success");
            } catch (Exception exception) {
                // mark the container-managed transaction for rollback
                sessionContext.setRollbackOnly();
                ctx.dispatch("/checkout-failed");
            }
        }
    }

34 Accessing AsyncContext on user managed threads
Performing async operations in non-container threads
- Thread environment not setup
  - Loading webapp classes and resources
  - Propagating logged in state, security
  - Accessing java:comp environment
- Exception handling
- Cleanup thread environment to prevent memory leaks
  - Classloader
  - Thread locals

35 When using Async API be aware of
Performing async operations in non-container threads
- Race conditions
- Timeouts
- Accessing AsyncContext out of request scope
  - A response may have already been committed
  - Some containers pool request & response objects
- User managed thread pools
  - Memory leaks
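
A guard for the timeout and race-condition pitfalls listed above, which also exercises setTimeout and AsyncListener from slides 13 and 14. This is an added example, not code from the presentation; the /report URL, the 5-second timeout, the pool size and slowLookup() are assumptions.

```java
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.*;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@WebServlet(urlPatterns = "/report", asyncSupported = true) // hypothetical URL
public class ReportServlet extends HttpServlet {
    // Bounded application-managed pool, shut down in destroy() so it cannot leak.
    private final ExecutorService pool = Executors.newFixedThreadPool(4);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        final AsyncContext ctx = req.startAsync();
        final AtomicBoolean done = new AtomicBoolean(); // flag and lock
        ctx.setTimeout(5000); // milliseconds
        ctx.addListener(new AsyncListener() {
            public void onTimeout(AsyncEvent e) { finish(ctx, done, 503, null); }
            public void onError(AsyncEvent e) { finish(ctx, done, 500, null); }
            public void onComplete(AsyncEvent e) { }
            public void onStartAsync(AsyncEvent e) { }
        });
        pool.execute(new Runnable() {
            public void run() {
                String body = slowLookup(); // slow part runs outside the lock
                finish(ctx, done, 200, body);
            }
        });
    }

    // Exactly one caller (worker, timeout or error) writes and completes; later
    // callers return without touching a response the container may have recycled.
    static void finish(AsyncContext ctx, AtomicBoolean done, int status, String body) {
        synchronized (done) {
            if (done.getAndSet(true)) return;
            try {
                HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                r.setStatus(status);
                if (body != null) r.getWriter().write(body);
            } catch (IOException | RuntimeException ignored) { // client gone
            } finally {
                ctx.complete();
            }
        }
    }
    static String slowLookup() { return "ok"; } // hypothetical expensive call
    @Override public void destroy() { pool.shutdownNow(); }
}
```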

36 Use case 2

37 WebSockets (WS) with Async Servlets
- WS implementation is possible with Async Servlets
  - Requires exclusive access to underlying sockets
  - Containers may not provide this capability
- Demonstrate the capability of Async Servlets
  - The WS demo is a proof of concept
- Components
  - Controller Servlet – to upgrade the connection to WS
  - Selector – to listen to read events on the socket
  - Listener – to process messages read from the WS

38 Demo

39 Conclusion
- Servlet 3.0 is here today and is ready to be used
- Can use it to build secure apps with performance and scalability
- Foundation for pluggability in the Java EE platform

40 Resources
- Visit the WebLogic Server Booth at HHJ-008 (Hilton – JavaOne Booth)
- Visit the Java EE Booth at HHJ-016 (Hilton – JavaOne Booth)
- Visit the GlassFish Server booth at HHJ-017 (Hilton JavaOne Booth)

41 JavaOne and Oracle Develop Latin America 2010
December 7–9, 2010

42 JavaOne and Oracle Develop Beijing 2010
December 13–16, 2010

