Application Model
Servlet Requests and Response
Servlets and Servlet Context
Session Tracking
Programming Filter
Securing Web Application
By Võ Văn Hải
http://vovanhai.wordpress.com
01/10/2010
Application Model diagram: the application object is broken into components (Component A, Component B, Component C) that communicate with each other through interfaces; a middleware layer (a JDBC-ODBC bridge, perhaps) sits between the components and the database.
Communication/Protocols
HTTP Protocol
Hypertext Transfer Protocol (HTTP) is an application-level protocol
Enables Web servers and browsers to send and receive data
HTTP Request – The client sends a request to the Web server using HTTP request methods:
GET – used to access static resources
POST – used to access dynamic resources
HEAD – used to view the headers of the HTTP response
HTTP Response – The Web server sends a response to the client after processing the request
Request Message structures
Disadvantages
• Reduced efficiency
• Reloading the Perl interpreter
Servlets
Enable the user to run Java code on the Web server
Enable developing Web pages and processing inputs from the Web pages
Enable adding dynamic content to Web pages
A single servlet instance can process multiple requests
Contain built-in functionality for reading HTML form data, handling cookies, tracking user sessions, and setting HTTP headers
Example of Servlets
  // import Java classes
  import java.io.*;
  import javax.servlet.*;
  import javax.servlet.http.*;

  public class Example extends HttpServlet {
      public void doGet(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          response.setContentType("text/html");   // tell the browser the body is HTML
          PrintWriter out = response.getWriter();
          // HTML code in servlets
          out.println("<html><body>");
          out.println(" Example of Servlets");
          out.println("</body></html>");
      }

      public void init(ServletConfig config) throws ServletException {
          super.init(config);
          // read the <init-param> named "param" from web.xml
          String param = config.getInitParameter("param");
      }
  }
GenericServlet Class
Web Development Process
Includes six stages:
Planning – the stage at which the user needs to gather requirements and define the target audience
Analysis – the stage at which the user needs to evaluate the information and verify its correctness and consistency
Design – the stage at which the user needs to create a sample layout and send the layout for approval
Implementation – the stage at which the user needs to establish the framework of the site and create the template and standard HTML pages
Promotion – the stage at which re-engineering and re-designing of the Web site is done
Site maintenance and updating – the stage at which bug fixing and improvement of the site is done
Servlet Requests and Response
ServletRequest Interface
Provides access to specific information about the request
Contains the actual request (protocol, URL, and type), the raw request (headers and input stream), and client-specific request parameters (data entered on a web form)
The ServletRequest Interface methods
public String getParameter(String name)
public Enumeration getParameterNames()
public String[] getParameterValues(String name)
public Object getAttribute(String name)
public int getContentLength()
public ServletInputStream getInputStream() throws IOException
public String getServerName()
public void setAttribute(String name, Object value)
HttpServletRequest Interface methods
public Cookie[] getCookies()
public String getHeader(String name)
public Enumeration getHeaders(String name)
public Enumeration getHeaderNames()
public String getMethod()
public String getPathInfo()
public String getAuthType()
ServletResponse methods: getOutputStream(), getWriter()
PrintWriter methods: print(boolean b), println(char c)
HttpServletResponse methods: addDateHeader(), addIntHeader(), encodeRedirectURL(), containsHeader()
Servlets and Servlet Context
Initialising servlets
Need for initialising servlet context
◦ To pass parameters from client to servlets
◦ To set up communication
Initialising servlets
◦ Container locates the servlet class
◦ Container loads the servlet
◦ Creates an instance of the servlet
◦ Invokes the init() method to initialise the servlet.
RequestDispatcher (1)
forward(): used to forward a request from one servlet to another servlet.
Reporting Errors
• public void sendError(int sc) throws IOException
• public void setStatus(int sc) (on HttpServletResponse)
Logging Errors: public void log(String msg[, Throwable t])
RequestDispatcher dispatch = request.getRequestDispatcher("/Billing");
if (dispatch == null) {
    response.sendError(404);
} else {
    dispatch.forward(request, response);
}
web.xml
<error-page>
    <error-code>404</error-code>
    <location>/FileNotFound.html</location>
</error-page>
Session Tracking
Protocol
• Is a set of rules which governs the syntax, semantics and synchronisation of communication
• Stateless protocol: state is not tracked between requests
• HTTP Protocol
• Client–server model
• Request–response
• Stateless protocol
The session tracking mechanism serves the purpose of tracking the client identity and other state information required throughout the session
HttpSession session = request.getSession(true);
Object value = session.getAttribute("name");
Filter uses: authenticating the user, compressing files, encrypting data and converting images
Filter Example
Filters Chain
There can be more than one filter between the user and the endpoint; the container invokes a series of filters
A request or a response is passed from one filter to the next in the filter chain, so each request and response is serviced by every filter in the chain
If the calling filter is the last filter, it invokes the web resource
Configuring Filters
In the Web Deployment Descriptor (web.xml)
<web-app>
    ….
    <filter>
        <icon>icon file name</icon>
        <filter-name>Name of Filters</filter-name>
        <display-name>displayed name</display-name>
        <description>describe filter</description>
        <filter-class>implemented Filter Class</filter-class>
        <init-param>
            <param-name>parameter name</param-name>
            <param-value>value</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>FilterName</filter-name>
        <url-pattern>/context</url-pattern>
    </filter-mapping>
    ….
</web-app>
Configuring FilterChain
FilterMapping elements
<filter-name>: name of the filter
<url-pattern>: pattern used to resolve the URLs to which the filter applies
<servlet-name>: name of the servlet whose request and response will be serviced by the filter
Sender – SSL client
Recipient – SSL server
Tomcat users: use View Admin Console in Tomcat; reference %TOMCAT_HOME%\conf\tomcat-
web.xml (cont.)
or INTEGRAL
programming environment
the user has authenticated earlier
Security Advantages
Updating the mechanism does not require a total change in the security model
Ensures total portability
It is easily maintainable
Limitation
Allowed password matching strategies
Access is provided to all or denied
Access is provided by the server only if the password matches
Much harder to code and maintain
All the pages use the same authentication mechanism
Every resource must use the code
It cannot use both form-based and basic authentication for different pages
Any questions?