Servlets:%20Servlet%20/%20Web%20Browser%20Communication%20II - PowerPoint PPT Presentation

About This Presentation

Title:

Servlets:%20Servlet%20/%20Web%20Browser%20Communication%20II

Description:

This lecture is the second in two lectures that discuss the ... When a user submits a browser request to a web server, it sends two ... gzip, deflate ... – PowerPoint PPT presentation

Number of Views:3067

Avg rating:3.0/5.0

Slides: 43

Provided by: Cer883

Learn more at: http://www.cs.rpi.edu

Category:

more less

Transcript and Presenter's Notes

Title: Servlets:%20Servlet%20/%20Web%20Browser%20Communication%20II

1
ServletsServlet / Web Browser Communication II

Ethan Cerami
New York University

2
Road Map

Recap and Overview
Reading HTTP Request Headers
Reading Standard CGI Variables
Generating the Server Response
Case Study 1 Search Engines
Case Study 2 Basic Web Security
Restricting by User Name/Password

3
Recap and Overview
4
Overview

This lecture is the second in two lectures that
discuss the interaction between web browsers and
servlets.

Request
Web Browser
Web Server
Response
5
Client Request Data

When a user submits a browser request to a web
server, it sends two categories of data
Form Data Data that the user explicitly typed
into an HTML form.
For example registration information.
HTTP Request Header Data Data that is
automatically appended to the HTTP Request from
the client.
For example cookies, browser type, etc,
The last lecture examined Form Data this lecture
examines HTTP Data.

6
Reading HTTP Request Headers
7
Sample HTTP Request

As a refresher, lets take a look at a sample
HTTP Request to Yahoo.com
GET / HTTP/1.1
Accept /
Accept-Language en-us
Accept-Encoding gzip, deflate
User-Agent Mozilla/4.0 (compatible MSIE 5.0
Windows NT DigExt)
Host www.yahoo.com
Connection Keep-Alive
Cookie B2td79o0sjlf5rb2

8
Accessing HTTP Headers

To access any of these Headers, the use the
HTTPServletRequest getHeader() method.
For example
String connection req.getHeader(Connection)
To retrieve a list of all the Header Names, use
the getHeaderNames() method.
getHeaderNames() returns an Enumeration object.
For example
Enumeration enum req.getHeaderNames()

9
Additional HTTP Information

getMethod()
Indicates the request method, e.g. GET or POST.
getRequestURI()
Returns the part of the URL that comes after the
host and port. For example, for the URL
http//randomhost.com/servlet/search, the request
URI would be /servlet/search.
getProtocol()
Returns the protocol version, e.g. HTTP/1.0 or
HTTP/1.1

10
Example 1

Our first example echoes all of the HTTP Request
Information.
First, it outputs
Method
RequestURI
Protocol Version
Then, it calls getHeaderNames() to retrieve a
list of all HTTP Header Names.
For each header name, it then calls getHeader()

11
package coreservlets import java.io. import
javax.servlet. import javax.servlet.http. impo
rt java.util. public class ShowRequestHeaders
extends HttpServlet public void
doGet(HttpServletRequest request,
HttpServletResponse response) throws
ServletException, IOException
response.setContentType("text/html")
PrintWriter out response.getWriter()
String title "Servlet Example Showing Request
Headers" out.println(ServletUtilities.headWit
hTitle(title) "ltBODY
BGCOLOR\"FDF5E6\"gt\n" "ltH1
ALIGNCENTERgt" title "lt/H1gt\n"
"ltBgtRequest Method lt/Bgt"
request.getMethod() "ltBRgt\n"
"ltBgtRequest URI lt/Bgt"
request.getRequestURI() "ltBRgt\n"
"ltBgtRequest Protocol lt/Bgt"
request.getProtocol() "ltBRgtltBRgt\n"
"ltTABLE BORDER1 ALIGNCENTERgt\n"
"ltTR BGCOLOR\"FFAD00\"gt\n"
"ltTHgtHeader NameltTHgtHeader Value")
Continued.
12
Enumeration headerNames request.getHeaderNames(
) while(headerNames.hasMoreElements())
String headerName (String)headerNames.nextElem
ent() out.println("ltTRgtltTDgt"
headerName) out.println(" ltTDgt"
request.getHeader(headerName))
out.println("lt/TABLEgt\nlt/BODYgtlt/HTMLgt")
/ Let the same servlet handle both GET and
POST. / public void doPost(HttpServletReques
t request,
HttpServletResponse response) throws
ServletException, IOException
doGet(request, response)
13
Reading Standard CGI Variables
14
CGI Variables

In addition to HTTP Request headers, you can also
determine additional information about both the
client and the server
IP Address of Client
Host Name of Client
Server Name
Server Port
Server Protocol
Server Software
Additional information is also available (see
Chapter 5 for a complete list.)

15
Example 2

Example 2 displays the most important CGI
Variables.
This is a slightly shorter version of Listing 5.1
from the book.
I have modified the code to only show the most
important variables.
To see all the other CGI variables, see Listing
5.1 on page 120 of our text book.

16
package coreservlets import java.io. import
javax.servlet. import javax.servlet.http. impo
rt java.util. public class ShowCGIVariables
extends HttpServlet public void
doGet(HttpServletRequest request,
HttpServletResponse response) throws
ServletException, IOException
response.setContentType("text/html")
PrintWriter out response.getWriter()
String variables
"REMOTE_ADDR", request.getRemoteAddr() ,
"REMOTE_HOST", request.getRemoteHost() ,
"SERVER_NAME", request.getServerName() ,
"SERVER_PORT", String.valueOf(request.getServerPor
t()) , "SERVER_PROTOCOL",
request.getProtocol() ,
"SERVER_SOFTWARE", getServletContext().getServerIn
fo()
Continued.
17
String title "Servlet Example Showing CGI
Variables" out.println(ServletUtilities.headW
ithTitle(title) "ltBODY
BGCOLOR\"FDF5E6\"gt\n" "ltH1
ALIGN\"CENTER\"gt" title "lt/H1gt\n"
"ltTABLE BORDER1 ALIGN\"CENTER\"gt\n"
"ltTR BGCOLOR\"FFAD00\"gt\n"
"ltTHgtCGI Variable NameltTHgtValue")
for(int i0 iltvariables.length i)
String varName variablesi0 String
varValue variablesi1 if (varValue
null) varValue "ltIgtNot specifiedlt/Igt"
out.println("ltTRgtltTDgt" varName "ltTDgt"
varValue) out.println("lt/TABLEgtlt/BODYgtlt
/HTMLgt")
18
Generating the Server Response
19
Sample HTTP Response

As a refresher, heres a sample HTTP response
HTTP/1.1 200 OK
Date Mon, 06 Dec 1999 205426 GMT
Server Apache/1.3.6 (Unix)
Last-Modified Fri, 04 Oct 1996 140611 GMT
Content-length 327
Connection close
Content-type text/html
lttitlegtSample Homepagelt/titlegt
ltimg src"/images/oreilly_mast.gif"gt
lth1gtWelcomelt/h2gtHi there, this is a simple web
page. Granted, it may

20
Generating Responses

Servlets can return any HTTP response they want.
Useful for lots of scenarios
Redirecting to another web site.
Restricting access to approved users.
Return images instead of HTML.

21
Setting the HTTP Status Code

Normally, your Servlet will return an HTTP Status
code of 200 OK to indicate that everything went
fine.
To return a different status code, use the
setStatus() method of the HttpServletResponse
object.
Be sure to set the status code before sending any
document content to the client.

22
Using setStatus()

setStatus takes an integer value. But, its best
to use the predefined integers in the
HttpServletResponse. Here are a few
SC_BAD_REQUEST
Status code (400) indicating the request sent by
the client was syntactically incorrect.
SC_FORBIDDEN
Status code (403) indicating the server
understood the request but refused to fulfill it.
SC_INTERNAL_SERVER_ERROR
Status code (500) indicating an error inside the
HTTP server which prevented it from fulfilling
the request.
SC_NOT_FOUND
Status code (404) indicating that the requested
resource is not available.

23
Sending Redirects

You can redirect the browser to a different URL
by issuing a Moved Temporarily Status Code
SC_MOVED_TEMPORARILY Status code (302)
indicating that the resource has temporarily
moved to another location.
Because this is so common, the HttpServletResponse
interface also has a sendRedirect() method.
Example
res.sendRedirect( http//www.yahoo.com)

24
Case Study 1Search Engines
25
Multiple Search Engines

Our first case study enables users to submit a
search query to one of four search engines.
Google
InfoSeek
Lycos
HotBot
The code exploits the HTTP Response Header to
redirect the user to the correct search engine.

26
Architecture
SearchEngines Servlet
I want to search for Bill Gates on Google
Web Browser
Go to Google
I want to search for Bill Gates on Google
Google
Your results
27
The Code

We are only going to examine the code briefly.
We will focus on the HTTP Return Status Code.
For an examination of the full code, please see
Listing 6.1-6.2 in the Text Book.

28
SearchSpec.java

Complete code is available in Listing 6.2
For our purposes, we only need to know about one
method
public String makeURL (String searchString,
String numResults)
You provide this method with a search string and
the number of results, and it returns the URL and
search query specific to Google, InfoSeek,
HotBot, etc.
The SearchEngines.java code has an array of these
objects one for Google, one for InfoSeek, etc.

29
Get the searchEngine Param
Get the Array of SearchSpec Objects

String searchEnginerequest.getParameter("searchEn
gine")
SearchSpec commonSpecs SearchSpec.getCommonSpe
cs()
for(int i0 iltcommonSpecs.length i)
SearchSpec searchSpec commonSpecsi
if (searchSpec.getName().equals(searchEngine
))
String url searchSpec.makeURL(searchString,
numResults)
response.sendRedirect(url)
return

Iterate through the array, looking for a match.
Get the Search URL and Redirect Browser
30
Case Study 2 Basic Web Security
31
HTTP Authentication

The HTTP Protocol Includes a built-in
authentication mechanism.
Useful for protecting web pages or servlets that
require user name / password access.
First, lets examine the basic mechanism and the
HTTP Headers involved.
Then, lets figure out how to build a servlet
that exploits this mechanism.

32
Basic Authentication

If a web page is protected, the Web Server will
issue an authentication challenge
HTTP/1.1 401 Authorization Required
Date Sun, 27 Aug 2000 175125 GMT
Server Apache/1.3.12 (Unix) ApacheJServ/1.1
PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate BASIC realm"privileged-few"
Keep-Alive timeout90, max150
Connection Keep-Alive
Transfer-Encoding chunked
Content-Type text/html

33
WWW-Authenticate

WWW-Authenticate BASIC realmrealm"
When you issue a return status code of 401,
Authorization Required, you need to tell the
browser what type of authentication is required.
You do this via the WWW-Authenticate Header.
This header has two parameters
BASIC Basic authorization requiring user name
and password.
Realm you can create multiple realms of
authentication for different users, e.g. Admin,
User, Super_User, etc.

34
Basic Authentication Cont.

Upon receiving an authentication challenge, the
browser will prompt the user with a pop-up box
requesting the user name and password.
Browser takes the usernamepassword from the
user and encrypts it using the Base 64 Encoding
Algorithm.
For example if the string is martymartypd,
the Base 64 string is bWFydHk6bWFydHlwdw
We will not cover the details of Base 64, but
remember that Base 64 is easy to decode.
Therefore, even if your page is protected,
someone can easily intercept your Base 64 string
and decode it.

35
Basic Authentication Cont.

The browser reissues the request for the page.
In the HTTP request, the browser indicates the
Authorization string
GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept image/gif, /
Accept-Language en-us
Accept-Encoding gzip, deflate
User-Agent Mozilla/4.0 (compatible MSIE 5.0
Windows NT DigExt)
Host www.ecerami.com
Connection Keep-Alive
Authorization Basic bWFydHk6bWFydHlwdw

36
Basic Authentication Cont.

Web Server checks the user name and password.
If User Name/Password is correct, web server
displays the protected page.
If the User Name/Password is incorrect, web
server issues a second authentication challenge.

37
Almost there

Before we examine the actual servlet code, there
are two pieces of Java coding we need to examine
sun.misc.BASE64Decoder.
java.util.Properties

38
Base 64 Encoding

Sun provides a class called sun.misc.BASE64Decod
er.
You can use the decodeBuffer() method to decode
the Base 64 String sent from the user
String userInfo bWFydHk6bWFydHlwdw
BASE64Decoder decoder new BASE64Decoder()
String nameAndPassword
new String(decoder.decodeBuffer(userInfo))
After this code, nameAndPassword will be set to
martymartypd

39
java.util.Properties