modules/tomcat-11-preview.html - tomcat-training - Git at Google

 <!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
   this work for additional information regarding copyright ownership.
   The ASF licenses this file to You under the Apache License, Version 2.0
   (the "License"); you may not use this file except in compliance with
   the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
 -->
 <section>
   <h3>Agenda</h3>
   <p>Jakarta EE 11</p>
   <p>Jakarta Servlet</p>
   <p>Jakarta Pages</p>
   <p>Jakarta WebSocket</p>
   <p>Jakarta Expression Language</p>
   <p>Jakarta Authentication</p>
   <p>Jakarta Annotations</p>
   <p>Tomcat specific changes</p>
 </section>
 <section>
   <h3>Jakarta EE 11</h3>
   <p>42 individual specifications - Tomcat implements 6</p>
   <p>Platform specification - Tomcat implements relevant sections</p>
   <p>Minimum of Java 21</p>
   <p>No SecurityManager support</p>
   <p>Testing and Compatibility Kits (TCKs) are being refactored</p>
   <p>First milestones due end of November</p>
   <p>Final release June/July 2024</p>
 </section>
 <section>
   <h3>Jakarta Servlet - 6.1</h3>
   <p>No major changes</p>
   <p>Clarification</p>
   <p>Clean-up</p>
   <p>Various improvements</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Headers</h3>
   <p>Calls using null for a header name will be NO-OPs</p>
   <p>Using null when setting a header value will remove all current values</p>
   <p>Calls using null when adding a header value will be NO-OPs</p>
   <p>The empty string is a valid value for a header</p>
   <p>Any method that sets a header is a NO-OP once the response is committed</p>
   <p>Align getDateHeader() and getIntHeader() with getHeader() for multiple values</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Async</h3>
   <p>dispatch() and complete() close non-blocking output streams</p>
   <p>write(), print(), println() and flush() are "write operations"</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Redirects</h3>
   <p>Status code can be specified</p>
   <p>Response body can be specified</p>
   <p>Relative redirects are allowed</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Security</h3>
   <p>Clarify that all ServletContext methods that accept a path bypass security constraints</p>
   <p>Remove sensitive HTTP headers from TRACE responses</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Parameters</h3>
   <p>Invalid parameters will always trigger an Exception</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Miscellaneous I</h3>
   <p>Update HTTP RFC references to latest versions</p>
   <p>HTTPS support is now mandatory</p>
   <p>New constants for status codes 308, 421, 422 and 426</p>
   <p>New request attribute jakarta.servlet.error.query_string</p>
   <p>Add ByteBuffer support to ServletInputStream and ServletOutputStream</p>
   <p>Charset support for setCharacterEncoding()</p>
 </section>
 <section>
   <h3>Jakarta Servlet - Miscellaneous II</h3>
   <p>Context root mapping occurs with or without the trailing '/'</p>
   <p>Clarify when leading '/' is ommitted in HttpServletMapping.getMatchValue()</p>
   <p>Clarify multi-part config sizes are in bytes</p>
   <p>Clarify expected behaviour for CONNECT requests</p>
   <p>Deprecate and make optional support for HTTP/2 server push</p>
 </section>
 <section>
   <h3>Jakarta Servlet - In Progress</h3>
   <p>HttpSession access for WebSocket</p>
   <p>Require error dispatches to use GET</p>
   <p>Clarify behaviour of various methods for include / forward</p>
   <p>Support for 1xx responses - particularly early hints</p>
 </section>
 <section>
   <h3>Jakarta Pages - 4.0</h3>
   <p>Depreacted classes and methods have been removed</p>
   <p>Updated ErrorData to support the new request attribute jakarta.servlet.error.query_string
 </section>
 <section>
   <h3>Jakarta WebSocket - 2.2</h3>
   <p>Clarifed the responsibility for sending Ping messages</p>
   <p>Added getSession() method to SendResult</p>
 </section>
 <section>
   <h3>Expression Language - 6.0</h3>
   <p>Remove all deprecated classes and methods</p>
   <p>Dependency on JavaBeans API is now optional</p>
   <p>Added support for java.util.Optional via OptionalELResolver</p>
 </section>
 <section>
   <h3>Annotations - 3.0?</h3>
   <p>ManagedBean is deprecated</p>
 </section>
 <section>
   <h3>Jakarta Authentication - 3.1?</h3>
   <p>TBD</p>
 </section>
 <section>
   <h3>Tomcat 11</h3>
   <p>No major changes</p>
   <p>Specification / RFC updates</p>
   <p>Generally stricter with invalid input</p>
   <p>Enhancements and improvements</p>
   <p>32-bit Windows no longer supported (no JRE)</p>
 </section>
 <section>
   <h3>Tomcat 11 - Security I</h3>
   <p>BASIC authentication uses UTF-8 by default</p>
   <p>Update DIGEST auth to RFC 7616</p>
   <p>Documentation web application is only accessible from localhost by default</p>
   <p>Examples web application is only accessible from localhost by default</p>
 </section>
 <section>
   <h3>Tomcat 11 - Security II</h3>
   <p>rejectIllegalHeader hard-coded to true</p>
   <p>allowHostHeaderMismatch hard-coded to false</p>
   <p>Align AJP connector handling of invalid HTTP headers with HTTP connector</p>
   <p>Added RateLimitFilter</p>
 </section>
 <section>
   <h3>HTTP/2</h3>
   <p>RFC 9218 - HTTP/2 priority frame support</p>
   <p>Support for server push has been removed</p>
 </section>
 <section>
   <h3>Virtual threads</h3>
   <p>Virtual thread support - useVirtualThreads on the Connector</p>
   <p>Some internal refactoring</p>
 </section>
 <section>
   <h3>TLS</h3>
   <p>Log TLS cert info on startup</p>
   <p>Dedicated loggers for detailed TLS confguration info</p>
   <p>Added TLSCertificateReloadListener</p>
 </section>
 <section>
   <h3>Miscellaneaous</h3>
   <p>Expose the utility executor to web applications</p>
   <p>Tomcat no longer sets java.protocol.handler.pkgs when starting</p>
   <p>Added PropertiesRoleMappingListener</p>
   <p>Added ContextNamingInfoListener</p>
   <p>Add support for loading configuration resources from the web application</p>
 </section>
	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<section>
	<h3>Agenda</h3>
	<p>Jakarta EE 11</p>
	<p>Jakarta Servlet</p>
	<p>Jakarta Pages</p>
	<p>Jakarta WebSocket</p>
	<p>Jakarta Expression Language</p>
	<p>Jakarta Authentication</p>
	<p>Jakarta Annotations</p>
	<p>Tomcat specific changes</p>
	</section>
	<section>
	<h3>Jakarta EE 11</h3>
	<p>42 individual specifications - Tomcat implements 6</p>
	<p>Platform specification - Tomcat implements relevant sections</p>
	<p>Minimum of Java 21</p>
	<p>No SecurityManager support</p>
	<p>Testing and Compatibility Kits (TCKs) are being refactored</p>
	<p>First milestones due end of November</p>
	<p>Final release June/July 2024</p>
	</section>
	<section>
	<h3>Jakarta Servlet - 6.1</h3>
	<p>No major changes</p>
	<p>Clarification</p>
	<p>Clean-up</p>
	<p>Various improvements</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Headers</h3>
	<p>Calls using null for a header name will be NO-OPs</p>
	<p>Using null when setting a header value will remove all current values</p>
	<p>Calls using null when adding a header value will be NO-OPs</p>
	<p>The empty string is a valid value for a header</p>
	<p>Any method that sets a header is a NO-OP once the response is committed</p>
	<p>Align getDateHeader() and getIntHeader() with getHeader() for multiple values</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Async</h3>
	<p>dispatch() and complete() close non-blocking output streams</p>
	<p>write(), print(), println() and flush() are "write operations"</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Redirects</h3>
	<p>Status code can be specified</p>
	<p>Response body can be specified</p>
	<p>Relative redirects are allowed</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Security</h3>
	<p>Clarify that all ServletContext methods that accept a path bypass security constraints</p>
	<p>Remove sensitive HTTP headers from TRACE responses</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Parameters</h3>
	<p>Invalid parameters will always trigger an Exception</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Miscellaneous I</h3>
	<p>Update HTTP RFC references to latest versions</p>
	<p>HTTPS support is now mandatory</p>
	<p>New constants for status codes 308, 421, 422 and 426</p>
	<p>New request attribute jakarta.servlet.error.query_string</p>
	<p>Add ByteBuffer support to ServletInputStream and ServletOutputStream</p>
	<p>Charset support for setCharacterEncoding()</p>
	</section>
	<section>
	<h3>Jakarta Servlet - Miscellaneous II</h3>
	<p>Context root mapping occurs with or without the trailing '/'</p>
	<p>Clarify when leading '/' is ommitted in HttpServletMapping.getMatchValue()</p>
	<p>Clarify multi-part config sizes are in bytes</p>
	<p>Clarify expected behaviour for CONNECT requests</p>
	<p>Deprecate and make optional support for HTTP/2 server push</p>
	</section>
	<section>
	<h3>Jakarta Servlet - In Progress</h3>
	<p>HttpSession access for WebSocket</p>
	<p>Require error dispatches to use GET</p>
	<p>Clarify behaviour of various methods for include / forward</p>
	<p>Support for 1xx responses - particularly early hints</p>
	</section>
	<section>
	<h3>Jakarta Pages - 4.0</h3>
	<p>Depreacted classes and methods have been removed</p>
	<p>Updated ErrorData to support the new request attribute jakarta.servlet.error.query_string
	</section>
	<section>
	<h3>Jakarta WebSocket - 2.2</h3>
	<p>Clarifed the responsibility for sending Ping messages</p>
	<p>Added getSession() method to SendResult</p>
	</section>
	<section>
	<h3>Expression Language - 6.0</h3>
	<p>Remove all deprecated classes and methods</p>
	<p>Dependency on JavaBeans API is now optional</p>
	<p>Added support for java.util.Optional via OptionalELResolver</p>
	</section>
	<section>
	<h3>Annotations - 3.0?</h3>
	<p>ManagedBean is deprecated</p>
	</section>
	<section>
	<h3>Jakarta Authentication - 3.1?</h3>
	<p>TBD</p>
	</section>
	<section>
	<h3>Tomcat 11</h3>
	<p>No major changes</p>
	<p>Specification / RFC updates</p>
	<p>Generally stricter with invalid input</p>
	<p>Enhancements and improvements</p>
	<p>32-bit Windows no longer supported (no JRE)</p>
	</section>
	<section>
	<h3>Tomcat 11 - Security I</h3>
	<p>BASIC authentication uses UTF-8 by default</p>
	<p>Update DIGEST auth to RFC 7616</p>
	<p>Documentation web application is only accessible from localhost by default</p>
	<p>Examples web application is only accessible from localhost by default</p>
	</section>
	<section>
	<h3>Tomcat 11 - Security II</h3>
	<p>rejectIllegalHeader hard-coded to true</p>
	<p>allowHostHeaderMismatch hard-coded to false</p>
	<p>Align AJP connector handling of invalid HTTP headers with HTTP connector</p>
	<p>Added RateLimitFilter</p>
	</section>
	<section>
	<h3>HTTP/2</h3>
	<p>RFC 9218 - HTTP/2 priority frame support</p>
	<p>Support for server push has been removed</p>
	</section>
	<section>
	<h3>Virtual threads</h3>
	<p>Virtual thread support - useVirtualThreads on the Connector</p>
	<p>Some internal refactoring</p>
	</section>
	<section>
	<h3>TLS</h3>
	<p>Log TLS cert info on startup</p>
	<p>Dedicated loggers for detailed TLS confguration info</p>
	<p>Added TLSCertificateReloadListener</p>
	</section>
	<section>
	<h3>Miscellaneaous</h3>
	<p>Expose the utility executor to web applications</p>
	<p>Tomcat no longer sets java.protocol.handler.pkgs when starting</p>
	<p>Added PropertiesRoleMappingListener</p>
	<p>Added ContextNamingInfoListener</p>
	<p>Add support for loading configuration resources from the web application</p>
	</section>