Introduction to Web App Development
Allen Day
Notes
• This is a training NOT a presentation
• Please ask questions
• https://tech.lds.org/wiki/Java_Stack_Training
• Prerequisites
– Basic Java and HTML skills.
– Installed LDSTech IDE (or other equivalent).
– Installed App Server (such as Tomcat).
Overview
• Basic Web App Architecture
• HTTP
• CGI Overview
• Understanding the role of servlets
• Maven Project Directory Structure
• Servlet Life Cycle
• Event Listeners
• Servlet Filters
• Servlet Response (Redirect, Request Dispatch)
Basic Web App Architecture
[Diagram: the WWW Browser sends a Request to the Web Server; the Web Server returns a Response.]
HTTP
[Diagram: the Request and Response between the WWW Browser and the Web Server travel over HTTP.]
HTTP Request Methods
• GET
• POST
• HEAD
• TRACE
• PUT
• DELETE
• OPTIONS
• CONNECT
GET Method
• Simple
• The total amount of characters in a GET is limited.
• The data you send with the GET is appended to the URL, so whatever you send is exposed.
POST Method
• Used for complex requests, such as form submissions.
• Parameters are stored in the body.
CGI Overview
[Diagram: WWW Browser, Web Server, Application Server]
1. Submit Form
2. Call CGI
3. CGI Program’s response
4. CGI Program’s response
CGI Process Form
use strict;

main();

sub main ()
{
    # Read the URL-encoded form body from standard input.
    my $query;
    read( STDIN, $query, $ENV{CONTENT_LENGTH} );

    # Split the body into key=value pairs and decode '+' and %XX escapes.
    my @param = split( /&/, $query );
    my %pairs = ();
    foreach my $item ( @param )
    {
        my ($key, $value) = split( /=/, $item );
        $key   =~ tr/+/ /;
        $value =~ tr/+/ /;
        $key   =~ s/%([A-F\d]{2})/chr(hex($1))/ieg;
        $value =~ s/%([A-F\d]{2})/chr(hex($1))/ieg;
        $pairs{$key} = $value;
    }

    my $name    = $pairs{name};
    my $email   = $pairs{email};
    my $machine = $ENV{REMOTE_HOST};

    # CGI response: headers, a blank line, then the body.
    # The decoded form values are written into the page exactly as received.
    print( STDOUT "Content-Type:text/html\r\n" );
    print( STDOUT "Status: 200 Ok\r\n" );
    print( STDOUT "\r\n" );
    print( STDOUT <<HTML );
<html>
<head> <title>Form example output</title> </head>
<body>
<h1>welcome</h1>
<hr>
<p> Hi <em>$name</em> of <em>$email</em> from machine <em>$machine</em> </p>
<hr>
</body>
</html>
HTML
}
CGI Issues
• May intentionally or unintentionally leak information about the host system that will help hackers break in.
• Scripts may be vulnerable to attacks in which the remote user tricks them into executing commands.
• Susceptible to Buffer overflows.
• Insufficient input validation.
• Each call to a CGI script runs as a separate process.
• Simultaneous CGI requests cause the CGI script to be copied and loaded into memory as many times as there are requests.
Servlet Overview
[Diagram: Client, Web Server, Servlet Container; Request and Response]
Advantages of Servlets
• Efficient
• Convenient
• Powerful
• Portable
• Inexpensive
• Secure
• Mainstream
Advantages of Servlets
• Servlets stay loaded and client requests for a Servlet resource are handled as separate threads of a single running Servlet.
• A servlet can be run by a servlet engine in a restrictive environment, called a sandbox. This reduces security risks.
Maven Project Directory Structure
pom.xml
web.xml
pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.lds.training</groupId>
  <artifactId>MyServlet</artifactId>
  <packaging>war</packaging>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
    </dependency>
  </dependencies>
</project>
web.xml
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <display-name>Welcome to Java Stack Training</display-name>
  <description>Introduction to Servlets</description>
  <servlet>
    <display-name>HelloWorldServlet</display-name>
    <servlet-name>HelloWorldServlet</servlet-name>
    <servlet-class>org.lds.training.HelloWorldServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>HelloWorldServlet</servlet-name>
    <url-pattern>/HelloWorldServlet</url-pattern>
  </servlet-mapping>
</web-app>
Lab 1: Simple Servlet
https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_1_Simple_Servlet
Servlet Life Cycle
1. Load class
2. Instantiate servlet
3. init
4. service
5. doGet, doPost, doTrace, doDelete, doPut…
6. destroy
Servlet Container
[Diagram: Client, Web Server, Servlet Container]
Servlet Container
• Context (Web Application)
• Session
• Request
Servlet Container
1. Loads the servlet class.
2. Creates an instance of the servlet class.
3. Initializes the servlet instance by calling the init method.
4. Handles client requests.
5. If the container needs to remove the servlet it finalizes the servlet by calling the servlet's destroy method.
Servlet Container
• Communications support
• Lifecycle Management
• Multithreading Support
• Declarative Security
• JSP Support
Servlet Container
[Diagram sequence: a request passes from the Web Server to the Servlet Container, which runs the Servlet in a servlet thread; the thread calls service(), then doGet(), and the response is returned.]
HttpServletRequest
Method Description
getCookies() Obtain array of cookies
getHeader() Returns the value of the specified request header as a String.
getParameter() Returns the value of a request parameter as a String.
getRequestURL() Reconstructs the URL the client used to make the request.
getSession() Returns the current valid session associated with this request or creates a new session
HttpServletRequest
String name = request.getParameter("fullName");
String requestMethod = request.getMethod();
String userAgent = request.getHeader("User-Agent");
String host = request.getHeader("host");
HttpServletResponse
Method Description
addCookie() Adds the specified cookie to the response
encodeURL() Encodes the URL by including the session id in it if needed
sendError() Sends an error response to the user with the specified error code
sendRedirect() Sends a redirect request to the user
HttpServletResponse
response.setContentType("text/html");
PrintWriter out = response.getWriter();
Date today = new Date();

out.print("<html> " +
          "<body> " +
          "<h1 align=center>Hello World</h1> " +
          "<br> " + today +
          "</body> " +
          "</html>");
Servlet Class
Extends javax.servlet.http.HttpServlet
• init()
• service()
• doGet()
• doPost()
• destroy()
init()
public void init() throws ServletException {
    // custom code goes here
}

public void init(ServletConfig config) throws ServletException {
    super.init(config);
    // custom code goes here
}
service()
public void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom code goes here
}
doGet()
public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom Code goes here
}
doPost()
public void doPost(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    // Custom Code goes here
}
destroy()
public void destroy() {
    // custom code goes here
}
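Because the container keeps one servlet instance loaded and handles each request in its own thread, an instance field such as a hit counter is shared state. The added example below (not the Lab 2 solution; HitCounterServlet and recordHit are hypothetical names) compares an unsynchronized counter with an AtomicLong, and its main method stands in for the container by driving one instance from eight threads.

```java
package org.lds.training; // hypothetical class in the page's package

import java.io.IOException;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HitCounterServlet extends HttpServlet {
    // One instance serves every request thread, so both fields are shared.
    private long unsafeHits;                          // ++ is read-modify-write: updates can be lost
    private final AtomicLong hits = new AtomicLong(); // atomic increment, safe across threads

    /** Records one hit and returns the running total from the thread-safe counter. */
    long recordHit() {
        unsafeHits++; // kept only for comparison
        return hits.incrementAndGet();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        long count = recordHit(); // local variable: private to this request thread
        response.setContentType("text/plain");
        response.getWriter().println("You are visitor number " + count);
    }

    /** Simulates the container: many request threads, one servlet instance. */
    public static void main(String[] args) throws InterruptedException {
        final HitCounterServlet servlet = new HitCounterServlet();
        Thread[] workers = new Thread[8];
        for (int i = 0; i < workers.length; i++) {
            workers[i] = new Thread(new Runnable() {
                public void run() {
                    for (int n = 0; n < 100000; n++) {
                        servlet.recordHit();
                    }
                }
            });
            workers[i].start();
        }
        for (Thread t : workers) {
            t.join();
        }
        System.out.println("atomic=" + servlet.hits.get()
                + " unsynchronized=" + servlet.unsafeHits);
    }
}
```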
Lab 2: Page Hit Counter
https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_2_Page_Hit_Counter
Event Listeners
Event Listeners
• javax.servlet.ServletContextListener
• javax.servlet.ServletContextAttributeListener
• javax.servlet.http.HttpSessionListener
• javax.servlet.http.HttpSessionAttributeListener
• javax.servlet.http.HttpSessionActivationListener
• javax.servlet.http.HttpSessionBindingListener
• javax.servlet.ServletRequestListener
• javax.servlet.ServletRequestAttributeListener
Event Listeners
• javax.servlet.ServletContextListener
• javax.servlet.http.HttpSessionListener
• javax.servlet.http.HttpSessionActivationListener
• javax.servlet.ServletRequestListener
web.xml
<listener>
  <listener-class>org.lds.training.HelloWorldSessionListener</listener-class>
</listener>
<listener>
  <listener-class>org.lds.training.HelloWorldContextListener</listener-class>
</listener>
Servlet Filters
Servlet Filters
[Diagram: Client, Web Server, Servlet Container; the Request and Response pass through Filter 1 and Filter 2.]
Servlet Filter
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    // preprocessing code goes here
    HttpServletResponse res = (HttpServletResponse) response;
    String name = request.getParameter("fullName");

    // getParameter() returns null when the parameter is missing
    if (name == null || name.equals("")) {
        res.sendRedirect("index.html");
        return;
    }

    // pass the request along the filter chain
    chain.doFilter(request, response);

    // postprocessing code goes here
}
web.xml
<filter>
  <filter-name>timer</filter-name>
  <filter-class>filter.TimerFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>timer</filter-name>
  <servlet-name>myservlet</servlet-name>
  <url-pattern>/mypath/*</url-pattern>
</filter-mapping>
Redirect
response.sendRedirect("http://lds.org/?lang=eng");
Request Dispatch
// from a ServletRequest
RequestDispatcher view = request.getRequestDispatcher("MyOtherServlet");

// from a ServletContext
RequestDispatcher view = getServletContext().getRequestDispatcher("/MyOtherServlet");

view.forward(request, response);
Lab 3: Login Filter
https://tech.lds.org/wiki/Introduction_To_Servlets#Lab_3_Login_Filter
Credit where credit is due
• http://en.wikipedia.org/wiki/Common_Gateway_Interface
• http://en.wikipedia.org/wiki/Java_Servlet
• Head First Servlets & JSP, Bryan Basham, Kathy Sierra & Bert Bates
• More Servlets and JavaServer Pages, Marty Hall
• http://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html
• http://download.oracle.com/javaee/5/api/
• http://download.oracle.com/docs/cd/B32110_01/web.1013/b28959/filters.htm
• Images from the Microsoft Clip Art gallery