Core servlets chapter 6 Generating server response: http status codes.
HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses.
-
Upload
stella-robbins -
Category
Documents
-
view
245 -
download
8
Transcript of HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses.
HTTP Requests & Responses 1
Servlets:HTTP Request Header Contentsand Responses
HTTP Requests & Responses 2
Road Map Recap and Overview Reading HTTP Request Headers Generating the Server Response Case Study 1: Search Engines Case Study 2: Basic Web Security
Restricting by User Name/Password
HTTP Requests & Responses 3
Recap and Overview
HTTP Requests & Responses 4
Overview Interaction between browser and
web server.
WebBrowser
WebServer
Request
Response
HTTP Requests & Responses 5
Client Request Data When a user submits a browser request
to a web server, it sends two categories of data: Form Data: Data that the user explicitly
typed into an HTML form. For example: registration information.
HTTP Request Header Data: Data that is automatically appended to the HTTP Request from the client.
For example: cookies, browser type, etc,
HTTP Requests & Responses 6
Reading HTTP Request Headers
HTTP Requests & Responses 7
Sample HTTP Request A sample HTTP Request to Yahoo.com
GET / HTTP/1.1Accept: */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)Host: www.yahoo.comConnection: Keep-AliveCookie: B=2td79o0sjlf5r&b=2
Tip: Check out: http://www.web-sniffer.net
HTTP Requests & Responses 8
Accessing HTTP Headers
As in the SnoopServlet Example: To access any of these Headers, use the
HTTPServletRequest getHeader() method. For example:
String connection = req.getHeader(“Connection”); To retrieve a list of all the Header Names, use
the getHeaderNames() method. getHeaderNames() returns an Enumeration object.
For example: Enumeration enum = req.getHeaderNames();
HTTP Requests & Responses 9
Additional HTTP Information getMethod()
Indicates the request method, e.g. GET or POST.
getRequestURI() Returns the part of the URL that comes after
the host and port. For example, for the URL: http://randomhost.com/servlet/search, the request URI would be /servlet/search.
getProtocol() Returns the protocol version, e.g. HTTP/1.0 or
HTTP/1.1
HTTP Requests & Responses 10
Reading Browser Types The User-Agent HTTP header
indicates the browser and operating system.
For example: user-agent Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1) You can use this header to
differentiate browser types or simply log browser requests.
HTTP Requests & Responses 11
Example User-Agents Internet Explorer:
user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:1.4) Gecko/20030624 For strange historical reasons, IE
identifies itself as “Mozilla”
HTTP Requests & Responses 12
Generating the Server Response
HTTP Requests & Responses 13
Sample HTTP Response As a refresher, here’s a sample HTTP response:
HTTP/1.1 200 OK
Date: Mon, 06 Dec 2004 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html
<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h2>Hi there, this is a simple web page. Granted, it may…
HTTP Requests & Responses 14
Generating Responses Servlets can return any HTTP
response they want. Useful for lots of scenarios:
Redirecting to another web site. Restricting access to approved users. Specifying content-type other than
text/html. Return images instead of HTML.
HTTP Requests & Responses 15
Setting the HTTP Status Code
Normally, your Servlet will return an HTTP Status code of: 200 OK to indicate that everything went fine.
To return a different status code, use the setStatus() method of the HttpServletResponse object.
Be sure to set the status code before sending any document content to the client.
HTTP Requests & Responses 16
Using setStatus() setStatus takes an integer value. But, it’s best to use the
predefined integers in the HttpServletResponse. Here are a few:
SC_BAD_REQUEST Status code (400) indicating the request sent by the client
was syntactically incorrect. SC_FORBIDDEN
Status code (403) indicating the server understood the request but refused to fulfill it.
SC_INTERNAL_SERVER_ERROR Status code (500) indicating an error inside the HTTP server
which prevented it from fulfilling the request. SC_NOT_FOUND
Status code (404) indicating that the requested resource is not available.
HTTP Requests & Responses 17
Sending Redirects You can redirect the browser to a different URL
by issuing a Moved Temporarily Status Code: SC_MOVED_TEMPORARILY: Status code
(302) indicating that the resource has temporarily moved to another location.
Because this is so common, the HttpServletResponse interface also has a sendRedirect() method. Example: res.sendRedirect( “http://www.yahoo.com”);
HTTP Requests & Responses 18
Example: Search Engines
HTTP Requests & Responses 19
Multiple Search EnginesSearchEngines Servlet Enables users to submit a search query
to one of four search engines. Google AllTheWeb Yahoo AltaVista, etc.
The code exploits the HTTP Response Header to redirect the user to the correct search engine.
HTTP Requests & Responses 20
Architecture
WebBrowser
SearchEnginesServlet
“I want to search forBill Gates on Google”
“Go to Google”
“I want to search forBill Gates on Google”
“Your results…”
HTTP Requests & Responses 21
SearchSpec.java The SearchSpec object contains
information about connecting to a specific search engine public String makeURL (String searchString,
String numResults) You provide this method with a search
string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.
Class is contained in SearchEngines.java on acad
HTTP Requests & Responses 22
SearchUtilities.java The SearchUtilities.java code has
an array of SearchSpec objects: one for Google, one for Yahoo, etc.
It also provides a makeUrl method…
HTTP Requests & Responses 23
SearchEngines.java The main servlet code. This code:
Extracts the searchEngine parameter. If no such parameter exists, it sends
an HTTP Error. Otherwise, it calls SearchUtilities to
construct the correct URL. Finally, it redirects the user to this
new URL.
HTTP Requests & Responses 24
Example: Basic Web Security
HTTP Requests & Responses 25
HTTP Authentication The HTTP Protocol Includes a built-in
authentication mechanism. Useful for protecting web pages or
servlets that require user name / password access.
First, let’s examine the basic mechanism and the HTTP Headers involved.
Then, let’s figure out how to build a servlet that exploits this mechanism.
HTTP Requests & Responses 26
Basic Authentication1) If a web page is protected, the Web Server
will issue an authentication “challenge”:HTTP/1.1 401 Authorization RequiredDate: Sun, 27 Aug 2000 17:51:25 GMTServer: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6
OpenSSL/0.9.5aWWW-Authenticate: BASIC realm="privileged-few"Keep-Alive: timeout=90, max=150Connection: Keep-AliveTransfer-Encoding: chunkedContent-Type: text/html
HTTP Requests & Responses 27
WWW-Authenticate: BASIC realm=“realm" When you issue a return status code of 401,
“Authorization Required”, you need to tell the browser what type of authentication is required.
You do this via the WWW-Authenticate Header. This header has two parameters: BASIC: Basic authorization requiring user
name and password. Realm: you can create multiple “realms” of
authentication for different users, e.g. “Admin”, “User”, “Super_User”, etc.
WWW-Authenticate
HTTP Requests & Responses 28
Basic Authentication Cont.2) Upon receiving an authentication challenge,
the browser will prompt the user with a pop-up box requesting the user name and password.
3) Browser takes the “username:password” from the user and encrypts it using the Base 64 Encoding Algorithm.
For example: if the string is “marty:martypd”, the Base 64 string is “bWFydHk6bWFydHlwdw==”
We will not cover the details of Base 64, but remember that Base 64 is easy to decode. Therefore, even if your page is protected, someone can easily intercept your Base 64 string and decode it.
HTTP Requests & Responses 29
Basic Authentication Cont.4) The browser reissues the request for the
page. In the HTTP request, the browser indicates the Authorization string:
GET /servlet/coreservlets.ProtectedPage HTTP/1.1Accept: image/gif, */*Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)Host: www.ecerami.comConnection: Keep-AliveAuthorization: Basic bWFydHk6bWFydHlwdw==
HTTP Requests & Responses 30
Basic Authentication Cont.
5. Web Server checks the user name and password.
If User Name/Password is correct, web server displays the protected page.
If the User Name/Password is incorrect, web server issues a second authentication challenge.
HTTP Requests & Responses 31
Almost there… Before we examine the actual
servlet code, there are two pieces of Java coding we need to examine: sun.misc.BASE64Decoder. java.util.Properties
HTTP Requests & Responses 32
Base 64 Encoding Sun provides a class called:
sun.misc.BASE64Decoder. You can use the decodeBuffer() method to
decode the Base 64 String sent from the user:
String userInfo = “bWFydHk6bWFydHlwdw==”BASE64Decoder decoder = new BASE64Decoder();String nameAndPassword = new String(decoder.decodeBuffer(userInfo));
After this code, nameAndPassword will be set to “marty:martypd”
HTTP Requests & Responses 33
java.util.Properties A utility class for reading in property files. For example, suppose you have the
following password.properties file:#Passwords#Sat Aug 26 11:15:42 EDT 2000nathan=nathanpwmarty=martypwlindsay=lindsaypwbj=bjpw
HTTP Requests & Responses 34
java.util.Properties You can easily and automatically
load the password file and parse its contents:
passwordFile = "passwords.properties";passwords = new Properties();passwords.load(new FileInputStream(passwordFile)); Then, you can extract the
password for a specific user name:String password = properties.getProperty ("marty“);
HTTP Requests & Responses 35
ProtectedPage.java Here’s how the Servlet Works:
1) Initialization: Read in a Password file of valid user names and passwords.
2) Check for the HTTP Authorization Header.3) Decode the Authorization Header using
Base 64 to obtain user name and password.4) Check the User Name and Password against
the valid names list. If valid, show protected page. Else, issue another authentication challenge.
HTTP Requests & Responses 36
Form Authentication System BASE64 not secure
Need secure solution! Use HTML form
Example: FormAuthenticate Access of servlet attempts to access protected
data User redirected to login form web page
Example takes any combination Once authenticated, redirected to desired page
Session object used to store desired destination during login diversion
HTTP Requests & Responses 37
Summary Lots of hidden HTTP data, including
headers and cookies are sent from browser to the server.
HTTP Header data can also be sent from server to the browser, e.g. error codes, redirection codes, etc.