Introduction to Web App Development Allen Day. Notes This is a training NOT a presentation Please...


Introduction to Web App Development
Allen Day

Notes

• This is a training NOT a presentation
• Please ask questions
• https://tech.lds.org/wiki/Java_Stack_Training
• Prerequisites
  – Basic Java and HTML skills.
  – Installed LDSTech IDE (or other equivalent).
  – Installed App Server (such as Tomcat).

Overview

• Basic Web App Architecture
• HTTP
• CGI Overview
• Understanding the role of servlets
• Maven Project Directory Structure
• Servlet Life Cycle
• Event Listeners
• Servlet Filters
• Servlet Response (Redirect, Request Dispatch)

Basic Web App Architecture

[Diagram: the WWW Browser sends a Request to the Web Server; the Web Server returns a Response.]

HTTP

[Diagram: Request and Response between the WWW Browser and the Web Server, labelled HTTP.]

HTTP Request Methods

• GET
• POST
• HEAD
• TRACE
• PUT
• DELETE
• OPTIONS
• CONNECT

GET Method

• Simple
• The total amount of characters in a GET is limited.
• The data you send with the GET is appended to the URL, so whatever you send is exposed.

POST Method

• Used for complex requests, such as form submissions.

• Parameters are stored in the body.

CGI Overview

[Diagram: WWW Browser, Web Server, Application Server]

1. Submit Form
2. Call CGI
3. CGI Program’s response
4. CGI Program’s response

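CGI Process Form

use strict;

main();

sub main
{
    # Read the URL-encoded form body from STDIN (POST request).
    my $query = '';
    read( STDIN, $query, $ENV{CONTENT_LENGTH} || 0 );

    # Split into key=value pairs and URL-decode both sides.
    my @param = split( /&/, $query );
    my %pairs = ();
    foreach my $item ( @param )
    {
        my ($key, $value) = split( /=/, $item, 2 );
        next unless defined $key;
        $value = '' unless defined $value;
        $key =~ tr/+/ /;
        $value =~ tr/+/ /;
        $key =~ s/%([A-F\d]{2})/chr(hex($1))/ieg;
        $value =~ s/%([A-F\d]{2})/chr(hex($1))/ieg;
        $pairs{$key} = $value;
    }

    # HTML-escape every value that is written into the page.
    my $name = escape_html( $pairs{name} );
    my $email = escape_html( $pairs{email} );
    my $machine = escape_html( $ENV{REMOTE_HOST} );

    print( STDOUT "Content-Type:text/html\r\n" );
    print( STDOUT "Status: 200 Ok\r\n" );
    print( STDOUT "\r\n" );
    print( STDOUT <<HTML );
<html>
<head> <title>Form example output</title> </head>
<body>
<h1>welcome</h1>
<hr>
<p> Hi <em>$name</em> of <em>$email</em> from machine <em>$machine</em> </p>
<hr>
</body>
</html>
HTML
}

# Replace the characters that are significant in HTML.
sub escape_html
{
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}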

CGI Issues

• May intentionally or unintentionally leak information about the host system that will help hackers break in.

• Scripts may be vulnerable to attacks in which the remote user tricks them into executing commands.

• Susceptible to buffer overflows.

• Insufficient input validation.

• Each call to a CGI script runs as a separate process.

• Simultaneous CGI requests cause the CGI script to be copied and loaded into memory as many times as there are requests.

Servlet Overview

[Diagram: Client, Web Server and Servlet Container, with Request and Response arrows.]

Advantages of Servlets

• Efficient
• Convenient
• Powerful
• Portable
• Inexpensive
• Secure
• Mainstream

Advantages of Servlets

• Servlets stay loaded and client requests for a Servlet resource are handled as separate threads of a single running Servlet.

• A servlet can be run by a servlet engine in a restrictive environment, called a sandbox. This reduces security risks.

Maven Project Directory Structure

pom.xml

web.xml

pom.xml

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.lds.training</groupId>
  <artifactId>MyServlet</artifactId>
  <packaging>war</packaging>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <!-- supplied by the app server at runtime; keep it out of the WAR -->
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>

web.xml

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>Welcome to Java Stack Training</display-name>
  <description>Introduction to Servlets</description>

  <servlet>
    <display-name>HelloWorldServlet</display-name>
    <servlet-name>HelloWorldServlet</servlet-name>
    <servlet-class>org.lds.training.HelloWorldServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloWorldServlet</servlet-name>
    <url-pattern>/HelloWorldServlet</url-pattern>
  </servlet-mapping>

</web-app>

Lab 1: Simple Servlet

https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_1_Simple_Servlet

Servlet Life Cycle

1. Load class
2. Instantiate servlet
3. init
4. service
5. doGet, doPost, doTrace, doDelete, doPut…
6. destroy

Servlet Container

[Diagram: Client, Web Server, Servlet Container]

Servlet Container

• Context (Web Application)
• Session
• Request

Servlet Container

1. Loads the servlet class.
2. Creates an instance of the servlet class.
3. Initializes the servlet instance by calling the init method.
4. Handles client requests.
5. If the container needs to remove the servlet it finalizes the servlet by calling the servlet's destroy method.

Servlet Container

• Communications support
• Lifecycle Management
• Multithreading Support
• Declarative Security
• JSP Support

Servlet Container

[Diagram sequence over five slides: the Web Server passes the request to the Servlet Container; inside the container the request and response go to a Servlet thread, which runs Service() and then doGet(); the response returns through the Web Server. The last slide shows an X.]

HttpServletRequest

Method            Description
getCookies()      Obtain array of cookies
getHeader()       Returns the value of the specified request header as a String.
getParameter()    Returns the value of a request parameter as a String.
getRequestURL()   Reconstructs the URL the client used to make the request.
getSession()      Returns the current valid session associated with this request or creates a new session

HttpServletRequest

String name = request.getParameter("fullName");

String requestMethod = request.getMethod();

String userAgent = request.getHeader("User-Agent");

String host = request.getHeader("host");

HttpServletResponse

Method            Description
addCookie()       Adds the specified cookie to the response
encodeURL()       Encodes the URL by including the session id in it if needed
sendError()       Sends an error response to the user with the specified error code
sendRedirect()    Sends a redirect request to the user

HttpServletResponse

response.setContentType("text/html");
PrintWriter out = response.getWriter();
Date today = new Date();

out.print("<html> " +
          "<body> " +
          "<h1 align=center>Hello World</h1> " +
          "<br> " + today +
          "</body> " +
          "</html>");

Servlet Class

Extends javax.servlet.http.HttpServlet

• init()
• service()
• doGet()
• doPost()
• destroy()

init()

public void init() throws ServletException {
    // custom code goes here
}

public void init(ServletConfig config) throws ServletException {
    super.init(config);
    // custom code goes here
}

service()

public void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom code goes here
}

doGet()

public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom Code goes here
}

doPost()

public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom Code goes here
}

destroy()

public void destroy() {
    // custom code goes here
}

Lab 2: Page Hit Counter

https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_2_Page_Hit_Counter
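
Because one servlet instance handles every request on its own thread, instance fields are shared state; the counter below contrasts a racy field with an atomic one across the init/doGet/destroy life cycle. This is an added example, not the lab's solution or code from the training; HitCounterServlet and its field names are assumptions.

```java
package org.lds.training; // assumed package, matching the web.xml slide

import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hit counter servlet.
public class HitCounterServlet extends HttpServlet {

    // UNSAFE: one servlet instance serves every request thread, and ++ is a
    // read-modify-write, so concurrent requests can lose updates.
    private long unsafeHits;

    // SAFE: incrementAndGet() is atomic across request threads.
    private final AtomicLong hits = new AtomicLong();

    @Override
    public void init() throws ServletException {
        // Called once by the container before the first request.
        hits.set(0);
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        unsafeHits++;                        // kept only to show the racy form
        long count = hits.incrementAndGet(); // value unique to this request
        // Per-request data stays in locals, never in instance fields, so one
        // user's values cannot show up in another user's response.
        response.setContentType("text/plain");
        response.getWriter().println("Page hits: " + count);
    }

    @Override
    public void destroy() {
        // Called once when the container removes the servlet.
        log("HitCounterServlet served " + hits.get() + " requests");
    }
}
```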

Event Listeners

• javax.servlet.ServletContextListener
• javax.servlet.ServletContextAttributeListener
• javax.servlet.http.HttpSessionListener
• javax.servlet.http.HttpSessionAttributeListener
• javax.servlet.http.HttpSessionActivationListener
• javax.servlet.http.HttpSessionBindingListener
• javax.servlet.ServletRequestListener
• javax.servlet.ServletRequestAttributeListener

Event Listeners

• javax.servlet.ServletContextListener
• javax.servlet.http.HttpSessionListener
• javax.servlet.http.HttpSessionActivationListener
• javax.servlet.ServletRequestListener

web.xml

<listener>
  <listener-class>org.lds.training.HelloWorldSessionListener</listener-class>
</listener>
<listener>
  <listener-class>org.lds.training.HelloWorldContextListener</listener-class>
</listener>

Servlet Filters

[Diagram: Client, Web Server, Servlet Container; the Request and Response pass through Filter 1 and Filter 2.]

Servlet Filter

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    // preprocessing code goes here
    HttpServletResponse res = (HttpServletResponse) response;
    String name = request.getParameter("fullName");

    // getParameter() returns null when the parameter is absent
    if (name == null || name.equals("")) {
        res.sendRedirect("index.html");
        return;
    }

    // pass the request along the filter chain
    chain.doFilter(request, response);

    // postprocessing code goes here
}

web.xml

<filter>
  <filter-name>timer</filter-name>
  <filter-class>filter.TimerFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>timer</filter-name>
  <servlet-name>myservlet</servlet-name>
  <url-pattern>/mypath/*</url-pattern>
</filter-mapping>

Redirect

response.sendRedirect("http://lds.org/?lang=eng");

Request Dispatch

// from a ServletRequest
RequestDispatcher view = request.getRequestDispatcher("MyOtherServlet");

// from a ServletContext
RequestDispatcher view = getServletContext().getRequestDispatcher("/MyOtherServlet");

view.forward(request, response);

Lab 3: Login Filter

https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_3_Login_Filter

Credit where credit is due

• http://en.wikipedia.org/wiki/Common_Gateway_Interface
• http://en.wikipedia.org/wiki/Java_Servlet
• Head First Servlets & JSP, Bryan Basham, Kathy Sierra & Bert Bates
• More Servlets and JavaServer Pages, Marty Hall
• http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html
• http://download.oracle.com/javaee/5/api/
• http://download.oracle.com/docs/cd/B32110_01/web.1013/b28959/filters.htm
• Images from the Microsoft Clip Art gallery