Servlets: Servlet / Web Browser Communication II

Ethan Cerami
New York University

10/17/08 Browser/Servlet Communication II 1


Road Map
 Recap and Overview
 Reading HTTP Request Headers
 Reading Standard CGI Variables
 Generating the Server Response
 Case Study 1: Search Engines
 Case Study 2: Basic Web Security
 Restricting by User Name/Password

Changes to Syllabus
 This lecture refers to:
 Chapter 5 (skip sections 5.4 and 5.6).
 Chapter 6
 Chapter 7 (skip sections 7.4 and 7.5)

Recap and Overview

Overview
 This lecture is the second in two
lectures that discuss the interaction
between web browsers and servlets.
Diagram: the Web Browser sends a Request to the Web Server, and the Web Server returns a Response.

Client Request Data
 When a user submits a browser request to a
web server, it sends two categories of data:
 Form Data: Data that the user explicitly typed into
an HTML form.
 For example: registration information.
 HTTP Request Header Data: Data that is
automatically appended to the HTTP Request
from the client.
 For example: cookies, browser type, etc.
 The last lecture examined Form Data; this
lecture examines HTTP Request Header Data.
 We also examine the server response.

Reading HTTP Request Headers

Sample HTTP Request
 As a refresher, let’s take a look at a sample
HTTP Request to Yahoo.com

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Cookie: B=2td79o0sjlf5r&b=2

Tip: Check out: http://www.web-sniffer.net

Accessing HTTP Headers
 To access any of these headers, use the
HttpServletRequest getHeader() method.
 For example:
 String connection = req.getHeader("Connection");
 To retrieve a list of all the header names, use
the getHeaderNames() method.
 getHeaderNames() returns an Enumeration
object.
 For example (note that enum is a reserved word in Java,
so the variable needs another name):
 Enumeration headerNames = req.getHeaderNames();

Additional HTTP Information
 getMethod()
 Indicates the request method, e.g. GET or POST.
 getRequestURI()
 Returns the part of the URL that comes after the
host and port. For example, for the URL:
http://randomhost.com/servlet/search, the request
URI would be /servlet/search.
 getProtocol()
 Returns the protocol version, e.g. HTTP/1.0 or
HTTP/1.1.

Example 1
 Our first example echoes all of the HTTP
Request Information.
 First, it outputs:
 Method
 RequestURI
 Protocol Version
 Then, it calls getHeaderNames() to retrieve a
list of all HTTP Header Names.
 For each header name, it then calls
getHeader() to retrieve the header's value.

package coreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

/** Echoes the request method, URI, protocol and every HTTP request header. */
public class ShowRequestHeaders extends HttpServlet {

  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    String title = "Servlet Example: Showing Request Headers";
    // ServletUtilities.headWithTitle() is a helper from the text book's
    // coreservlets package; it emits the <HTML><HEAD>...<TITLE> prefix.
    out.println(ServletUtilities.headWithTitle(title) +
                "<BODY BGCOLOR=\"#FDF5E6\">\n" +
                "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
                "<B>Request Method: </B>" +
                request.getMethod() + "<BR>\n" +
                "<B>Request URI: </B>" +
                request.getRequestURI() + "<BR>\n" +
                "<B>Request Protocol: </B>" +
                request.getProtocol() + "<BR><BR>\n" +
                "<TABLE BORDER=1 ALIGN=CENTER>\n" +
                "<TR BGCOLOR=\"#FFAD00\">\n" +
                "<TH>Header Name<TH>Header Value");
    // getHeaderNames() returns an Enumeration of the header names present
    // in this request; each one is looked up with getHeader().
    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
      String headerName = (String) headerNames.nextElement();
      // Header values are client-supplied and are echoed raw here, as in the
      // text book listing; production code should HTML-escape them first.
      out.println("<TR><TD>" + headerName);
      out.println("    <TD>" + request.getHeader(headerName));
    }
    out.println("</TABLE>\n</BODY></HTML>");
  }

  /** Let the same servlet handle both GET and POST. */
  public void doPost(HttpServletRequest request,
                     HttpServletResponse response)
      throws ServletException, IOException {
    doGet(request, response);
  }
}

Reading Browser Types
 The User-Agent HTTP header indicates
the browser and operating system.
 For example:
 user-agent Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.1)
 You can use this header to differentiate
browser types or simply log browser
requests.

Example User-Agents
 Internet Explorer:
 user-agent Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)
 Mozilla
 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.4) Gecko/20030624
 For strange historical reasons, IE identifies
itself as “Mozilla”
 To differentiate between the two, use “MSIE”,
not “Mozilla”.

Example
 Let’s take a look at BrowserInsult.java
(Listing 5.4 in the text book)

Reading Standard CGI Variables

CGI Variables
 In addition to HTTP Request headers, you
can also determine additional information
about both the client and the server:
 IP Address of Client
 Host Name of Client
 Server Name
 Server Port
 Server Protocol
 Server Software
 Additional information is also available (see
text book for a complete list.)

Example 2
 Example 2 displays the most important
CGI Variables.
 ShowCGIVariables.java (Listing 5.7)
 Back to JCreator…

Generating the Server Response

Sample HTTP Response
 As a refresher, here’s a sample HTTP
response:
HTTP/1.1 200 OK
Date: Mon, 06 Dec 1999 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 1996 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html

<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h1>Hi there, this is a simple web page.
Granted, it may…

Generating Responses
 Servlets can return any HTTP response
they want.
 Useful for lots of scenarios:
 Redirecting to another web site.
 Restricting access to approved users.
 Specifying content-type other than
text/html.
 Return images instead of HTML.

Setting the HTTP Status Code
 Normally, your servlet will return an HTTP
status code of 200 OK to indicate that
everything went fine.
 To return a different status code, use the
setStatus() method of the
HttpServletResponse object.
 Be sure to set the status code before sending
any document content to the client.

Using setStatus()
 setStatus takes an integer value. But, it’s best to use the
predefined integers in the HttpServletResponse. Here are a
few:
 SC_BAD_REQUEST
 Status code (400) indicating the request sent by the client
was syntactically incorrect.
 SC_FORBIDDEN
 Status code (403) indicating the server understood the
request but refused to fulfill it.
 SC_INTERNAL_SERVER_ERROR
 Status code (500) indicating an error inside the HTTP server
which prevented it from fulfilling the request.
 SC_NOT_FOUND
 Status code (404) indicating that the requested resource is
not available.

Sending Redirects
 You can redirect the browser to a different URL by
issuing a Moved Temporarily Status Code:
 SC_MOVED_TEMPORARILY: Status code
(302) indicating that the resource has
temporarily moved to another location.
 Because this is so common, the
HttpServletResponse interface also has a
sendRedirect() method.
 Example:

res.sendRedirect("http://www.yahoo.com");

package coreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Sends Internet Explorer users to Netscape's site and everyone else to Microsoft's. */
public class WrongDestination extends HttpServlet {

  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    // The User-Agent header may be absent, so check for null before inspecting it.
    String userAgent = request.getHeader("User-Agent");
    if ((userAgent != null) &&
        (userAgent.indexOf("MSIE") != -1)) {
      response.sendRedirect("http://home.netscape.com");
    } else {
      response.sendRedirect("http://www.microsoft.com");
    }
  }
}

Case Study 1: Search Engines

Multiple Search Engines
 Our first case study enables users to submit a
search query to one of four search engines.
 Google
 AllTheWeb
 Yahoo
 AltaVista, etc.
 The code uses an HTTP redirect response to
send the user to the correct search engine.

Architecture
Diagram: the Web Browser tells the SearchEngines Servlet "I want to search for Bill Gates on Google"; the servlet answers "Go to Google" (a redirect); the browser then sends "I want to search for Bill Gates on Google" to Google, which replies "Your results…".

SearchSpec.java
 The SearchSpec object contains information
about connecting to a specific search engine
 public String makeURL(String searchString, String numResults)
 You provide this method with a search string and
the number of results, and it returns the URL and
search query specific to Google, Yahoo, HotBot,
etc.
 Let’s take a look…

SearchUtilities.java
 The SearchUtilities.java code has an
array of SearchSpec objects: one for
Google, one for Yahoo, etc.
 It also provides a makeUrl method…
 Let’s take a look.

SearchEngines.java
 The main servlet code.
 This code:
 Extracts the searchEngine parameter.
 If no such parameter exists, it sends an HTTP
error.
 Otherwise, it calls SearchUtilities to make the
correct URL.
 Redirects the user to this new URL.
 Let’s take a look…
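An added example of the servlet just described (my own code, not the course's SearchEngines.java or the text book's listings): the engine table doubles as an allow-list, so the client's searchEngine value only ever selects a table entry and is never copied into the redirect URL. The Google and Yahoo URL templates and the searchString parameter name are constructed here, not taken from the lecture.

```java
package coreservlets;

import java.io.IOException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

public class SearchRedirect extends HttpServlet {
  // Allow-list of destinations (constructed URL templates; the real engines'
  // query formats are not taken from the lecture).  The searchEngine
  // parameter is only ever used as a KEY into this table, never spliced into
  // the Location header, so the servlet cannot be used as an open redirector.
  private static final Map<String, String> ENGINES = new HashMap<String, String>();
  static {
    ENGINES.put("google", "http://www.google.com/search?q=");
    ENGINES.put("yahoo", "http://search.yahoo.com/search?p=");
  }

  /** Builds the redirect target for a known engine, or returns null for an unknown one. */
  static String makeURL(String engine, String searchString) throws IOException {
    String base = ENGINES.get(engine);
    if (base == null) {
      return null;
    }
    // URL-encode the query so '&', '#', spaces etc. typed by the user cannot
    // change the structure of the destination URL.
    return base + URLEncoder.encode(searchString, "UTF-8");
  }

  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    String engine = request.getParameter("searchEngine");
    String query = request.getParameter("searchString");
    if (engine == null || query == null) {
      // Missing parameter: answer with an HTTP error instead of guessing.
      response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                         "searchEngine and searchString parameters are required");
      return;
    }
    String url = makeURL(engine, query);
    if (url == null) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown search engine");
      return;
    }
    response.sendRedirect(url);   // 302 with Location: <url>
  }
}
```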

Case Study 2: Basic Web Security

HTTP Authentication
 The HTTP protocol includes a built-in
authentication mechanism.
 Useful for protecting web pages or servlets
that require user name / password access.
 First, let's examine the basic mechanism
and the HTTP headers involved.
 Then, let's figure out how to build a servlet
that uses this mechanism.

Basic Authentication
1) If a web page is protected, the Web Server
will issue an authentication “challenge”:

HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

WWW-Authenticate
WWW-Authenticate: BASIC realm="realm"
 When you issue a return status code of 401,
“Authorization Required”, you need to tell the browser
what type of authentication is required.
 You do this via the WWW-Authenticate Header. This
header has two parameters:
 BASIC: Basic authorization requiring user name
and password.
 Realm: you can create multiple “realms” of
authentication for different users, e.g. “Admin”,
“User”, “Super_User”, etc.

Basic Authentication Cont.
 Upon receiving an authentication challenge, the
browser will prompt the user with a pop-up box
requesting the user name and password.
 The browser takes the “username:password” string
from the user and encodes it using Base 64 (this is
an encoding, not encryption).
 For example: if the string is
“marty:martypw”, the Base 64 string is
“bWFydHk6bWFydHlwdw==”
 We will not cover the details of Base 64,
but remember that Base 64 is easy to
decode. Therefore, even if your page is
protected, someone can easily intercept
your Base 64 string and decode it.
Basic Authentication Cont.
2) The browser reissues the request for the
page. In the HTTP request, the browser
indicates the Authorization string:

GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==

Basic Authentication Cont.
3) The web server checks the user name
and password.
 If User Name/Password is correct, web
server displays the protected page.
 If the User Name/Password is incorrect,
web server issues a second
authentication challenge.

Almost there…
 Before we examine the actual servlet
code, there are two pieces of Java
coding we need to examine:
 sun.misc.BASE64Decoder.
 java.util.Properties

Base 64 Encoding
 Sun provides a class called sun.misc.BASE64Decoder.
 You can use the decodeBuffer() method to
decode the Base 64 string sent from the
user:

import sun.misc.BASE64Decoder;

String userInfo = "bWFydHk6bWFydHlwdw==";
BASE64Decoder decoder = new BASE64Decoder();
// decodeBuffer() returns the raw bytes; it throws IOException on malformed input
String nameAndPassword = new String(decoder.decodeBuffer(userInfo));

 After this code, nameAndPassword will be set to "marty:martypw".

java.util.Properties
 A utility class for reading in property files.
 For example, suppose you have the following
password.properties file:

#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw

java.util.Properties
 You can easily and automatically load
the password file and parse its
contents:
String passwordFile = "passwords.properties";
Properties passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));
 Then, you can extract the password for
a specific user name:
String password = passwords.getProperty("marty");

ProtectedPage.java
 Here's how the servlet works:
1) Initialization: Read in a Password file of valid
user names and passwords.
2) Check for the HTTP Authorization Header.
3) Decode the Authorization Header using Base 64
to obtain user name and password.
4) Check the User Name and Password against the
valid names list.
 If valid, show protected page.
 Else, issue another authentication challenge.
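The four steps above, together with the Base 64 and java.util.Properties pieces from the preceding slides, as one added servlet (my own code, not the course's ProtectedPage.java): it uses java.util.Base64 in place of sun.misc.BASE64Decoder, assumes the file is named passwords.properties, and reuses the realm name from the challenge shown earlier.

```java
package coreservlets;

import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ProtectedPage extends HttpServlet {
  private Properties passwords;
  /** Step 1: read the list of valid user names and passwords at initialization. */
  public void init() throws ServletException {
    passwords = new Properties();
    try (FileInputStream in = new FileInputStream("passwords.properties")) {  // assumed file name
      passwords.load(in);
    } catch (IOException e) {
      throw new ServletException("Cannot read password file", e);
    }
  }

  /** Steps 3 and 4: decode "Basic <base64>" and compare with the password list. */
  static boolean isAuthorized(String authHeader, Properties passwords) {
    if (authHeader == null || !authHeader.startsWith("Basic ")) {
      return false;   // no credentials yet (first request), or a scheme we do not support
    }
    String userInfo;
    try {
      byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
      userInfo = new String(raw, StandardCharsets.ISO_8859_1);
    } catch (IllegalArgumentException e) {
      return false;   // malformed Base 64: treat as bad credentials, not as a server error
    }
    int colon = userInfo.indexOf(':');   // split on the FIRST colon only; passwords may contain ':'
    if (colon < 0) return false;
    String expected = passwords.getProperty(userInfo.substring(0, colon));
    return expected != null && expected.equals(userInfo.substring(colon + 1));
  }

  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    // Step 2: look for the Authorization header; if absent or wrong, (re)issue the challenge.
    if (!isAuthorized(request.getHeader("Authorization"), passwords)) {
      response.setHeader("WWW-Authenticate", "Basic realm=\"privileged-few\"");
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
      return;
    }
    response.setContentType("text/html");
    response.getWriter().println("<HTML><BODY><H1>Welcome, privileged user.</H1></BODY></HTML>");
  }
}
```

The password file is still plain text, exactly as on the slides; the servlet only shows the header handling, not how credentials should be stored.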

The Code
 Let’s examine the code.
 (Source code is also available on the
course web site)

Summary
 Lots of hidden HTTP data, including
headers and cookies, is sent from the
browser to the server.
 HTTP Header data can also be sent
from server to the browser, e.g. error
codes, redirection codes, etc.
 Make sure you understand the Search
and web security examples.
