HTTP Requests & Responses 1: Servlets: HTTP Request Header Contents and Responses


Page 1: HTTP Requests & Responses 1 Servlets: HTTP Request Header Contents and Responses.

HTTP Requests & Responses 1

Servlets: HTTP Request Header Contents and Responses

Page 2

Road Map

Recap and Overview
Reading HTTP Request Headers
Generating the Server Response
Case Study 1: Search Engines
Case Study 2: Basic Web Security
  Restricting by User Name/Password

Page 3

Recap and Overview

Page 4

Overview

Interaction between browser and web server: the Web Browser sends a Request to the Web Server, and the Web Server returns a Response.

[Diagram: Web Browser --Request--> Web Server; Web Server --Response--> Web Browser]

Page 5

Client Request Data

When a user submits a browser request to a web server, it sends two categories of data:

Form Data: Data that the user explicitly typed into an HTML form. For example: registration information.

HTTP Request Header Data: Data that is automatically appended to the HTTP Request by the client. For example: cookies, browser type, etc.

Both categories come from the client and can be altered at will (a form field is no harder to tamper with than a header), so the server must validate either before acting on it.

Page 6

Reading HTTP Request Headers

Page 7

Sample HTTP Request

A sample HTTP Request to Yahoo.com:

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Cookie: B=2td79o0sjlf5r&b=2

Tip: Check out: http://www.web-sniffer.net

Page 8

Accessing HTTP Headers

As in the SnoopServlet Example: To access any of these Headers, use the HttpServletRequest getHeader() method. For example:

String connection = req.getHeader("Connection");

Header-name matching is case-insensitive, and getHeader() returns null if the header is absent, so check for null before using the value. If a header appears more than once, getHeader() returns only the first value; getHeaders() returns all of them.

To retrieve a list of all the Header Names, use the getHeaderNames() method. getHeaderNames() returns an Enumeration object. For example:

Enumeration<String> headerNames = req.getHeaderNames();   // "enum" is a reserved word since Java 5, so do not use it as the name

Page 9

Additional HTTP Information

getMethod() Indicates the request method, e.g. GET or POST.

getRequestURI() Returns the part of the URL that comes after the host and port, up to but not including the query string. For example, for the URL http://randomhost.com/servlet/search, the request URI would be /servlet/search. Anything after a "?" is returned separately by getQueryString().

getProtocol() Returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1.
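The following servlet is an added example, not the SnoopServlet from the lecture, that pulls together the request-line accessors and the header methods from the last two slides. It assumes the javax.servlet API (for Jakarta EE 9 or later replace javax with jakarta); the class name and the X-Content-Type-Options header are this example's own choices. Every value it prints arrives from the client, so each one is HTML-escaped before being written into the page: a "snoop" servlet that echoes headers raw is a textbook reflected-XSS hole.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the lecture's SnoopServlet): echoes the request line
 * and every request header back to the client, escaping each value.
 */
public class HeaderDumpServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/html;charset=UTF-8");
        // Ask browsers not to second-guess the declared content type.
        res.setHeader("X-Content-Type-Options", "nosniff");
        PrintWriter out = res.getWriter();

        out.println("<html><body><h1>Request Line</h1><pre>");
        String query = req.getQueryString();          // null when there is no "?"
        out.println(escapeHtml(req.getMethod()) + " "
                + escapeHtml(req.getRequestURI())
                + (query == null ? "" : "?" + escapeHtml(query))
                + " " + escapeHtml(req.getProtocol()));
        out.println("</pre><h1>Headers</h1><pre>");

        // getHeaderNames() returns an Enumeration of the header names present.
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            // A header may be repeated (several Cookie or Accept lines, say);
            // getHeader() returns only the first value, getHeaders() all of them.
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                out.println(escapeHtml(name) + ": " + escapeHtml(values.nextElement()));
            }
        }
        out.println("</pre>");

        // Lookup is case-insensitive: "connection" matches "Connection".
        // A missing header yields null, so always null-check before use.
        String connection = req.getHeader("connection");
        out.println("<p>Connection header present: " + (connection != null) + "</p>");
        out.println("</body></html>");
    }

    /** Minimal HTML escaping for text placed inside an element; null-safe. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map it to a URL in web.xml or with @WebServlet and request it with a deliberately hostile header (for example a User-Agent containing a script tag) to confirm the value comes back as inert text.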

Page 10

Reading Browser Types

The User-Agent HTTP header indicates the browser and operating system. For example:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

You can use this header to differentiate browser types or simply log browser requests. Remember that it is set by the client and can be changed to any string at all, so it is fine for statistics and content negotiation but must never drive an access-control decision, and, like any header, it should be escaped before being written into HTML or log files.

Page 11

Example User-Agents

Internet Explorer:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Mozilla:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

For historical reasons, IE identifies itself as "Mozilla": early servers sent their richer pages only to browsers that announced the Netscape ("Mozilla") token, so IE adopted the token for compatibility.

Page 12

Generating the Server Response

Page 13

Sample HTTP Response

As a refresher, here's a sample HTTP response:

HTTP/1.1 200 OK
Date: Mon, 06 Dec 2004 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html

<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h1>Hi there, this is a simple web page. Granted, it may…

Note the Server header: it advertises the exact server software and version, which is the first thing an attacker matches against known vulnerabilities. Production servers are usually configured to trim it (Apache's ServerTokens directive).

Page 14

Generating Responses

Servlets can return any HTTP response they want. Useful for lots of scenarios:

Redirecting to another web site.
Restricting access to approved users.
Specifying a content-type other than text/html.
Returning images instead of HTML.

Page 15

Setting the HTTP Status Code

Normally, your Servlet will return an HTTP Status code of 200 OK to indicate that everything went fine.

To return a different status code, use the setStatus() method of the HttpServletResponse object.

Be sure to set the status code before sending any document content to the client. The status line and headers go out when the response is committed (the first time the output buffer is flushed); after that, setStatus() is silently ignored and sendError()/sendRedirect() throw IllegalStateException.

Page 16

Using setStatus()

setStatus() takes an integer value. But it's best to use the predefined integer constants in HttpServletResponse. Here are a few:

SC_BAD_REQUEST: Status code (400) indicating the request sent by the client was syntactically incorrect.

SC_FORBIDDEN: Status code (403) indicating the server understood the request but refused to fulfill it.

SC_INTERNAL_SERVER_ERROR: Status code (500) indicating an error inside the HTTP server which prevented it from fulfilling the request.

SC_NOT_FOUND: Status code (404) indicating that the requested resource is not available.

For error codes there is also sendError(int code) and sendError(int code, String message), which set the status and let the container generate its error page. The message may be reflected into that page, so never build it from client input.

Page 17

Sending Redirects

You can redirect the browser to a different URL by issuing a Moved Temporarily Status Code together with a Location header:

SC_MOVED_TEMPORARILY: Status code (302) indicating that the resource has temporarily moved to another location.

Because this is so common, the HttpServletResponse interface also has a sendRedirect() method, which sets the 302 status and the Location header (resolving a relative URL against the current request) and commits the response. Example:

res.sendRedirect("http://www.yahoo.com");

Never pass a URL taken from the request straight into sendRedirect(): a servlet that does so is an open redirect, which phishers use to make a link to their site look like a link to yours. Map client input to a fixed table of allowed targets instead.
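An added example (not code from the lecture) that exercises the status-code rules from the last three slides: it returns 400, 403, 404 or 200 depending on a constructed in-memory "document store", uses sendError() for the error cases, and shows why the status must be set before the body goes out. The class name, the doc parameter and the sample documents are this example's own assumptions. The same commit rule applies to sendRedirect(), which is not shown here.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the lecture): chooses the HTTP status from the
 * request, status first and body second, as the slides require.
 *
 * DOCUMENTS is constructed sample data standing in for a real store; the
 * "secret" entry simulates a resource the caller is not allowed to read.
 */
public class StatusDemoServlet extends HttpServlet {

    private static final Map<String, String> DOCUMENTS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("intro", "Hello from the intro page.");
        m.put("secret", "internal only");
        DOCUMENTS = Collections.unmodifiableMap(m);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String id = req.getParameter("doc");

        // 400: the client sent something we cannot make sense of. sendError()
        // sets the status AND commits a container-generated error page, so
        // nothing may be written afterwards. The message is a constant, never
        // client input, because the container may reflect it into the page.
        if (id == null || id.isEmpty()) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing doc parameter");
            return;
        }

        // 403: understood, but refused. No detail about why.
        if ("secret".equals(id)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // 404: nothing by that name.
        String body = DOCUMENTS.get(id);
        if (body == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // 200 is the default; setting it explicitly documents intent. It must
        // precede any output: once the buffer is flushed the response is
        // committed and the status line has already left the server.
        res.setStatus(HttpServletResponse.SC_OK);
        res.setContentType("text/plain;charset=UTF-8");
        res.getWriter().println(body);
        res.flushBuffer();

        // Demonstrates the ordering rule: the response is now committed, so
        // this setStatus() call is silently ignored by the container.
        if (res.isCommitted()) {
            res.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); // no effect
        }
    }
}
```

Requesting ?doc=intro, ?doc=secret, ?doc=nope and no parameter at all yields 200, 403, 404 and 400 respectively; the final setStatus() never changes the 200 because the status line has already been sent.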

Page 18

Example: Search Engines

Page 19

Multiple Search Engines

SearchEngines Servlet: Enables users to submit a search query to one of four search engines: Google, AllTheWeb, Yahoo, AltaVista, etc.

The code uses the HTTP response status and Location header (a 302 redirect) to send the user to the correct search engine.

Page 20

Architecture

1) Web Browser -> SearchEnginesServlet: "I want to search for Bill Gates on Google"
2) SearchEnginesServlet -> Web Browser: "Go to Google"
3) Web Browser -> Google: "I want to search for Bill Gates on Google"
4) Google -> Web Browser: "Your results…"

Page 21

SearchSpec.java

The SearchSpec object contains information about connecting to a specific search engine:

public String makeURL(String searchString, String numResults)

You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.

Class is contained in SearchEngines.java on acad.

Page 22

SearchUtilities.java

The SearchUtilities.java code has an array of SearchSpec objects: one for Google, one for Yahoo, etc.

It also provides a makeUrl method…

Page 23

SearchEngines.java

The main servlet code. This code:

1) Extracts the searchEngine parameter.
2) If no such parameter exists, it sends an HTTP Error.
3) Otherwise, it calls SearchUtilities to construct the correct URL.
4) Finally, it redirects the user to this new URL.
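The servlet below is an added example, not the lecture's SearchEngines.java, SearchUtilities.java or SearchSpec.java, that implements the four steps above in one file. The client chooses an engine by name and the name is looked up in a fixed table; the client never supplies the target URL, which is what keeps the redirect from becoming an open redirect. The engine URLs and query-parameter names are assumptions for illustration, as are the parameter names searchString and numResults.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the lecture's code): redirect to a search engine chosen
 * by name from an allow-list, with every user-supplied piece URL-encoded.
 */
public class SearchEnginesServlet extends HttpServlet {

    /** Stand-in for one SearchSpec: base URL plus the engine's parameter names (assumed). */
    static final class SearchSpec {
        final String baseUrl, queryParam, numResultsParam;
        SearchSpec(String baseUrl, String queryParam, String numResultsParam) {
            this.baseUrl = baseUrl;
            this.queryParam = queryParam;
            this.numResultsParam = numResultsParam;
        }
        String makeURL(String searchString, int numResults) {
            return baseUrl + "?" + queryParam + "=" + encode(searchString)
                    + "&" + numResultsParam + "=" + numResults;
        }
    }

    /** The allow-list: the only places this servlet will ever redirect to. */
    private static final Map<String, SearchSpec> ENGINES = new LinkedHashMap<>();
    static {
        ENGINES.put("google", new SearchSpec("https://www.google.com/search", "q", "num"));
        ENGINES.put("yahoo", new SearchSpec("https://search.yahoo.com/search", "p", "n"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String engineName = req.getParameter("searchEngine");
        String searchString = req.getParameter("searchString");
        String numResultsText = req.getParameter("numResults");

        // Step 2: missing parameter -> HTTP error, no redirect.
        if (engineName == null || searchString == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "searchEngine and searchString are required");
            return;
        }

        // Step 3: table lookup by key. A value not in the table is rejected
        // rather than used, so the client cannot steer the browser anywhere else.
        SearchSpec spec = ENGINES.get(engineName.toLowerCase());
        if (spec == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown search engine");
            return;
        }

        int numResults = 10;                       // default; clamp to a sane range
        if (numResultsText != null) {
            try {
                numResults = Math.max(1, Math.min(100, Integer.parseInt(numResultsText)));
            } catch (NumberFormatException e) {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST, "numResults must be a number");
                return;
            }
        }

        // Step 4: sendRedirect() emits 302 plus the Location header.
        res.sendRedirect(spec.makeURL(searchString, numResults));
    }

    /** Percent-encodes a query value so "&", "#" and friends cannot alter the URL. */
    static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }
}
```

A request such as ?searchEngine=google&searchString=Bill+Gates&numResults=20 produces a 302 to the Google entry with the query encoded; ?searchEngine=https://evil.example is answered with 400 because it is not a key in ENGINES.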

Page 24

Example: Basic Web Security

Page 25

HTTP Authentication

The HTTP Protocol includes a built-in authentication mechanism. Useful for protecting web pages or servlets that require user name / password access.

First, let's examine the basic mechanism and the HTTP Headers involved.

Then, let's figure out how to build a servlet that uses this mechanism.

Page 26

Basic Authentication

1) If a web page is protected, the Web Server will issue an authentication "challenge":

HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

Page 27

WWW-Authenticate

WWW-Authenticate: BASIC realm="realm"

When you issue a return status code of 401, "Authorization Required", you need to tell the browser what type of authentication is required. You do this via the WWW-Authenticate Header. It has two parts:

BASIC: the authentication scheme. Basic authentication requires a user name and password.

Realm: a label for the protection space. You can create multiple "realms" of authentication for different users, e.g. "Admin", "User", "Super_User", etc. The browser caches credentials per realm and re-sends them automatically with every later request to the same realm.

Page 28

Basic Authentication Cont.

2) Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password.

3) Browser takes the "username:password" from the user and encodes it using Base 64. This is an encoding, not encryption: there is no key, and anyone can reverse it.

For example: if the string is "marty:martypw", the Base 64 string is "bWFydHk6bWFydHlwdw==".

We will not cover the details of Base 64, but remember that Base 64 is trivially decoded. Therefore, even if your page is protected, anyone who can intercept the request has the user name and password in the clear, and the browser re-sends them with every request. Basic authentication is only acceptable over HTTPS.

Page 29

Basic Authentication Cont.

4) The browser reissues the request for the page. In the HTTP request, the browser indicates the Authorization string:

GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==

Page 30

Basic Authentication Cont.

5) Web Server checks the user name and password.

If User Name/Password is correct, web server displays the protected page.

If the User Name/Password is incorrect, web server issues a second authentication challenge (another 401 with WWW-Authenticate), and the browser prompts again.

Page 31

Almost there…

Before we examine the actual servlet code, there are two pieces of Java coding we need to examine:

sun.misc.BASE64Decoder
java.util.Properties

Page 32

Base 64 Encoding

Sun provides a class called sun.misc.BASE64Decoder. You can use the decodeBuffer() method to decode the Base 64 String sent from the user:

String userInfo = "bWFydHk6bWFydHlwdw==";
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword = new String(decoder.decodeBuffer(userInfo));

After this code, nameAndPassword will be set to "marty:martypw".

sun.misc.BASE64Decoder is an internal JDK class, not part of the public API, and it was removed in JDK 9. Since Java 8 the supported equivalent is java.util.Base64 (Base64.getDecoder().decode(...)). That decoder is strict and throws IllegalArgumentException on malformed input, so a servlet must catch it and treat the header as invalid rather than let the exception turn into a 500.

Page 33

java.util.Properties

A utility class for reading in property files. For example, suppose you have the following passwords.properties file:

#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw

Page 34

java.util.Properties

You can easily and automatically load the password file and parse its contents:

String passwordFile = "passwords.properties";
Properties passwords = new Properties();
try (FileInputStream in = new FileInputStream(passwordFile)) {
    passwords.load(in);
}

Then, you can extract the password for a specific user name:

String password = passwords.getProperty("marty");

Two cautions for anything beyond a classroom demo: a relative file name is resolved against the servlet container's working directory, not the web application, and the file must live outside the document root so it cannot simply be downloaded; and the file holds cleartext passwords, so a real system stores salted password hashes and compares against those instead.

Page 35

ProtectedPage.java

Here's how the Servlet Works:

1) Initialization: Read in a Password file of valid user names and passwords.
2) Check for the HTTP Authorization Header.
3) Decode the Authorization Header using Base 64 to obtain user name and password.
4) Check the User Name and Password against the valid names list. If valid, show protected page. Else, issue another authentication challenge.

Page 36

Form Authentication System

Base 64 is not secure, so Basic authentication exposes the password to anyone who can read the traffic. Form-based login is the usual alternative: the application shows its own HTML login form and keeps the logged-in state in a session.

Note that a form submitted over plain HTTP sends the password in the clear just as Basic authentication does; what protects the credentials in transit is TLS (HTTPS), whichever scheme is used. What the form gains is control over the login page, a proper log-out, and a session that does not depend on the browser re-sending the password with every request.

Example: FormAuthenticate

A request to the servlet attempts to access protected data.
User is redirected to a login form web page.
The example accepts any user name/password combination.
Once authenticated, the user is redirected to the desired page.
A Session object is used to store the desired destination during the login diversion.
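The code below is an added example, not the lecture's FormAuthenticate, showing the login diversion just described: a filter guards the protected URLs and parks the requested destination in the session, and a servlet shows the form and, on a successful POST, sends the user back to that destination. Assumed here: the filter is mapped to /app/*, the servlet to /login, and a single constructed credential (marty/martypw) stands in for "accepts any combination" so the check has something to compare. Two details the slide does not mention but a practitioner will want: the session ID is renewed after login (session fixation), and the stored destination is checked to be inside the application before it is followed (open redirect).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not the lecture's FormAuthenticate). Filter assumed mapped to
 * /app/*, LoginServlet assumed mapped to /login. The session carries the
 * requested destination across the login diversion.
 */
public class FormAuthFilter implements Filter {
    static final String USER_ATTR = "authenticatedUser";
    static final String DEST_ATTR = "loginDestination";

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);          // logged in: let the request through
            return;
        }
        // Remember where the user wanted to go, then divert to the login form.
        String dest = req.getRequestURI()
                + (req.getQueryString() == null ? "" : "?" + req.getQueryString());
        req.getSession(true).setAttribute(DEST_ATTR, dest);
        res.sendRedirect(req.getContextPath() + "/login");
    }
}

/** Shows the login form on GET, checks the submitted credentials on POST. */
class LoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.setContentType("text/html;charset=UTF-8");
        res.getWriter().println("<form method=\"post\">User: <input name=\"user\"> "
                + "Password: <input name=\"password\" type=\"password\"> "
                + "<input type=\"submit\" value=\"Log in\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String user = req.getParameter("user");
        if (!checkCredentials(user, req.getParameter("password"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        req.changeSessionId();     // fresh ID after login defeats session fixation (Servlet 3.1+)
        session.setAttribute(FormAuthFilter.USER_ATTR, user);

        String dest = (String) session.getAttribute(FormAuthFilter.DEST_ATTR);
        session.removeAttribute(FormAuthFilter.DEST_ATTR);
        // Only follow a destination inside this application. The stored value came
        // from a request path, but checking it here keeps the login page from ever
        // becoming an open redirect if that assumption changes later.
        String appRoot = req.getContextPath() + "/";
        if (dest == null || !dest.startsWith(appRoot) || dest.startsWith("//")) {
            dest = appRoot + "app/";
        }
        res.sendRedirect(dest);
    }

    /** Single constructed demo credential; a real check consults a hashed password store. */
    static boolean checkCredentials(String user, String password) {
        if (user == null || password == null) {
            return false;
        }
        // Constant-time comparison so response timing does not leak the password prefix.
        return "marty".equals(user) && MessageDigest.isEqual(
                "martypw".getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register both in web.xml (or with @WebFilter("/app/*") and @WebServlet("/login")); a first request to /app/report?id=7 is bounced to /login, and after a correct POST the browser lands on /app/report?id=7 with a new session ID.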

Page 37

Summary

Lots of hidden HTTP data, including headers and cookies, is sent from the browser to the server, and all of it is under the client's control.

HTTP Header data can also be sent from the server to the browser, e.g. error codes, redirection codes, etc.