AO Servlet Filter Changelog


Release Notes


Release Notes

  • Updated dependencies.


Release Notes

  • Updated to Java™ EE 7 Web Profile (Servlet 3.1, JSP 2.3, EL 3.0, and JSTL 1.2).
  • Now supports Java 9+ modules. Due to still having filename-based automatic module dependencies, *-SNAPSHOT versions include module-info.class while releases include the Automatic-Module-Name manifest entry. To minimize the difference between these modes, does not perform any transitive requires.
  • Maven artifact relocated from com.aoindustries:ao-servlet-filter to com.aoapps:ao-servlet-filter.
  • Package renamed from com.aoindustries.servlet.filter to com.aoapps.servlet.filter.


Release Notes

  • LocaleFilter no longer redirects while within the ERROR dispatcher.
  • Added support for Web development file types *.less, *.sass, *.scss, *, and *
  • New init parameter com.aoindustries.servlet.filter.LocaleFilter.redirectStatusCode that sets the HTTP status code used for redirects. Defaults to 301, which is the value expected to be used in production. It is recommended to set to 302 in development mode, so that browser caches will not get in the way.


Release Notes


Release Notes

  • Minimum Java version changed from 1.7 to 1.8.
  • Reduced use of property substitutions in pom.xml. This is to help 3rd-party parsers that fail to perform full Maven-compatible substitutions.
  • Fixed ClassCastException in EncodeURIFilter.getActiveFilter(ServletRequest).
  • "Cache-Control" init parameters renamed to "cache-control". Old values still work for compatibility.
  • StripInvalidXmlCharactersFilter now supports the REQUEST dispatcher, too. It is recommended that all uses of this filter include <dispatcher>ERROR</dispatcher>
  • New filter ApacheAuthenticationFilter that parses Apache group file for role information while under Apache authentication.

    When tomcatAuthentication is set to false, user information is passed to Tomcat while group membership is not. The filter parses the Apache group file and grants access to the roles corresponding to group names.

  • Utf8RequestCharacterEncodingListener is now enabled via @WebListener annotation, and thus does not need to be included in web.xml or web-fragment.xml when metadata-complete="false".
  • Now activating the following filters by default within a META-INF/web-fragment.xml, with the fragment configured to be before all others:
    1. StripInvalidXmlCharactersFilter
    2. EncodeURIFilter
  • EncodeURIFilter configuration changed to <context-param> named com.aoindustries.servlet.filter.EncodeURIFilter.enableIRI. It is still off by default, but may be selectively enabled in development mode via META-INF/context.xml.
  • When EncodeURIFilter has IRI support enabled, it is now only activated when the current Doctype supports RFC 3987 IRI Unicode format URLs, which currently is only HTML5.
  • CountConcurrencyListener is now a @WebListener.
  • Optimized ServletContext attribute initialization and concurrency.


Release Notes

  • Case-insensitive matching of URL schemes. Previously, URL schemes were matched case-sensitive, while the spec is case-insensitive. This has been OK given we only use lower-case schemes within our code and tools, but this is now a correct implementation.
  • NoSessionFilter now passes the URL encoding up the filter chain after its modifications. Previously, the URL rewriting was stopped here. To obtain the previous behavior, use in conjunction with session-config.
  • New context init parameter com.aoindustries.servlet.filter.NoSessionFilter.cookieUrlParamPrefix that may be used to provide a custom cookie URL prefix. A fun alternative is Unicode Character 'COOKIE' (U+1F36A).
  • StripInvalidXmlCharactersFilter now removes parameters that have invalid names.
  • HideJspExtensionFilter no longer removes index.jsp(x) or .jsp(x) extensions from URLs that have a scheme. However, http:// and https:// links to the same host are still rewritten in order to handle absolute URLs.
  • HideJspExtensionFilter now sends redirect in UTF-8.
  • LocaleFilter now sends redirect in UTF-8.
  • Cookie names, values, comments, and paths are now URI-encoded.
  • New filter EncodeURIFilter which encodes the URL to either RFC 3986 URI US-ASCII format or RFC 3987 IRI Unicode format. If the URL begins with javascript:, cid:, or data:, (case-insensitive) it is not altered. Canonical URLs are always encoded to US-ASCII format.

    IRI support is disabled by default, and only recommended for development or internal systems. IRI may result in slightly smaller output, and more readable HTML source, but for interoperability should be off in production systems.

    RFC 7231 - 7.1.2. Location refers only to RFC 3986 URI for URI-reference, thus redirects are always formatted as RFC 3986 URI.

  • No longer URL rewriting file: and data: URLs.
  • Removed NoEncodeUrlFilter in favor of Servlet 3.0 session-config in WEB-INF/web.xml:
        <!-- <secure>true</secure> -->
    See also:
    1. Tomcat - Disable JSESSIONID in URL
    2. How to enable HttpOnly and Secure Session Cookies in EAP 6.x
    3. Disable URL Rewriting by default with Servlet 3.0 config
  • No longer URL rewriting *.dia URLs.
  • NoSessionFilter will now not write cookie parameters into Canonical URLs.
  • New filter LastModifiedCacheControlFilter that adds a Cache-Control header to any request with a LAST_MODIFIED_PARAMETER_NAME parameter. Defaults to a very aggressive setting of public, one-year, allowing stale, and immutable.
  • New optional init parameter allowMultiple on AddResponseHeaderFilter allows multiple headers of the same name. When true, the header will not be added when a header of the same name already exists on the response. Defaults to true for compatibility.
  • Changed CountConcurrencyFilter from a <filter> to a <listener> named CountConcurrencyListener.
  • Changed Utf8RequestCharacterEncodingFilter from a <filter> to a <listener> named Utf8RequestCharacterEncodingListener.
  • Removed deprecated com.aoindustries.servlet.filter.TempFileContext in favor of new ServletTempFileContext that does not require web.xml configuration, supports additional scopes (application and session), and registers a shutdown hook to delete on JVM exit.


Release Notes

  • Using managed dependencies:
    1. This project uses managed dependencies.
    2. This project's managed dependencies may also be imported by other projects.


Release Notes

  • Minimum Java version changed from 1.6 to 1.7.
  • Deprecated com.aoindustries.servlet.filter.TempFileContext in favor of new ServletTempFileContext that does not require web.xml configuration, supports additional scopes (application and session), and registers a shutdown hook to delete on JVM exit.
  • Aligned the session URL rewriting excluded path extensions to match other projects. The list is now:
    1. *.bmp (added this release)
    2. *.css
    3. *.exe (added this release)
    4. *.gif
    5. *.ico
    6. *.jpeg
    7. *.jpg
    8. *.js
    9. *.png
    10. *.svg (added this release)
    11. *.txt
    12. *.zip


Release Notes

  • Updated dependencies.
  • New AddResponseHeaderFilter filter to add response headers. For when filter mappings are not expressive enough, supports both lightning-fast WildcardPatternMatcher and standard Java Pattern.


Release Notes

  • New AO OSS Parent POM to simplify pom.xml files.
  • Project documentation moved to per-project book in SemanticCMS format.
  • Added changelog as top-level project link.


Release Notes

  • Improved Javadoc formatting.
  • Improved README formatting.


Release Notes

  • Improved Javadoc formatting.
  • Now automatically maintains some ThreadLocal values between caller and executor during concurrent processing, and provides wrapper hook for subclasses to extend.
  • May now provide temp file list.
  • Tracks the request concurrency.
  • Added a hook for subclasses to take further action based on concurrency.
  • Now only setting encoding when not provided by client. Also removed ThreadLocale stuff that was unnecessary and never belonged here.
  • Each lock object now a small empty class to help identify lock contention.

    The lock contention profiler in NetBeans is just showing "java.lang.Object" all over, and can't seem to get from the lock object id to the actual object in the heap dump using OQL (id not found).

  • Trim on includes is just unnecessary filter invocation.
  • Avoiding setting ThreadLocal when value has not changed.
  • Using ServletContextCache for more throughput on Tomcat.


Release Notes

  • Improved Maven configuration for Java EE 6 dependencies.


Release Notes

  • Improved Javadoc formatting.


Release Notes

  • Now also hiding .jspx extension in addition to .jsp.


Release Notes

  • Reverted to Java 1.6 for Android and Java EE 6 compatibility.


Release Notes

  • Project moved to GitHub and Maven.