Servlet Communications

  • November 2019
  • PDF

  • Words: 2,111
  • Pages: 46
Servlets: Servlet / Web Browser Communication II
Ethan Cerami
New York University

10/17/08

Browser/Servlet Communication II

1

Road Map

  • Recap and Overview
  • Reading HTTP Request Headers
  • Reading Standard CGI Variables
  • Generating the Server Response
  • Case Study 1: Search Engines
  • Case Study 2: Basic Web Security
      • Restricting by User Name/Password

Changes to Syllabus

This lecture refers to:

  • Chapter 5 (skip sections 5.4 and 5.6)
  • Chapter 6
  • Chapter 7 (skip sections 7.4 and 7.5)

Recap and Overview

Overview

This lecture is the second of two lectures that discuss the interaction between web browsers and servlets.

[Diagram: the Web Browser sends a Request to the Web Server; the Web Server returns a Response]

Client Request Data

When a user submits a browser request to a web server, it sends two categories of data:

  • Form Data: data that the user explicitly typed into an HTML form. For example: registration information.
  • HTTP Request Header Data: data that the browser automatically appends to the HTTP request. For example: cookies, browser type, etc.

The last lecture examined Form Data; this lecture examines HTTP header data. We also examine the server response. Both categories originate on the client, so a servlet must treat header values as untrusted input just as it treats form fields.

Reading HTTP Request Headers

Sample HTTP Request

As a refresher, let's take a look at a sample HTTP request to Yahoo.com:

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Cookie: B=2td79o0sjlf5r&b=2

Tip: to see the headers your own browser sends, check out http://www.web-sniffer.net

Accessing HTTP Headers

To access any of these headers, use the HttpServletRequest getHeader() method. For example:

String connection = req.getHeader("Connection");

getHeader() returns null if the request did not carry that header, and returns only the first value when the same header appears more than once; getHeaders(name) returns all of the values.

To retrieve a list of all the header names, use the getHeaderNames() method. It returns an Enumeration object. For example:

Enumeration headerNames = req.getHeaderNames();

Additional HTTP Information

  • getMethod(): indicates the request method, e.g. GET or POST.
  • getRequestURI(): returns the part of the URL that comes after the host and port. For example, for the URL http://randomhost.com/servlet/search, the request URI would be /servlet/search.
  • getProtocol(): returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1.

Example 1

Our first example echoes all of the HTTP request information. First, it outputs:

  • Method
  • Request URI
  • Protocol version

Then, it calls getHeaderNames() to retrieve a list of all HTTP header names. For each header name, it then calls getHeader().

package coreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

/** Shows the request line details and every request header sent with the request. */
public class ShowRequestHeaders extends HttpServlet {
  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    String title = "Servlet Example: Showing Request Headers";
    // ServletUtilities.headWithTitle() is the book's helper that emits the
    // DOCTYPE, <HTML> and <HEAD> with the given title.
    out.println(ServletUtilities.headWithTitle(title) +
                "<BODY>\n" +
                "<H1>" + title + "</H1>\n" +
                "<B>Request Method: </B>" +
                request.getMethod() + "<BR>\n" +
                "<B>Request URI: </B>" +
                request.getRequestURI() + "<BR>\n" +
                "<B>Request Protocol: </B>" +
                request.getProtocol() + "<BR><BR>\n" +
                "<TABLE BORDER=1>\n" +
                "<TR>\n" +
                "<TH>Header Name<TH>Header Value");
    Enumeration headerNames = request.getHeaderNames();
    while (headerNames.hasMoreElements()) {
      String headerName = (String) headerNames.nextElement();
      // Header names and values are echoed exactly as the client sent them,
      // without HTML escaping, so this diagnostic page should not be public.
      out.println("<TR><TD>" + headerName);
      out.println("    <TD>" + request.getHeader(headerName));
    }
    out.println("</TABLE>\n</BODY></HTML>");
  }

  /** Let the same servlet handle both GET and POST. */
  public void doPost(HttpServletRequest request,
                     HttpServletResponse response)
      throws ServletException, IOException {
    doGet(request, response);
  }
}
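The table above writes whatever the client sent straight into the HTML. A User-Agent or Cookie value that contains markup therefore lands in the page unmodified, which is a reflected cross-site scripting hole in any servlet that renders request data. The helper below is added here as an example and is not part of the lecture's or the text book's code: it escapes each name and value before they are placed in a table row. The class name SafeHeaderEcho and the sample headers constructed in main() are this example's own.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: HTML-escape untrusted request header data before echoing it. */
public class SafeHeaderEcho {

    /** Replace the characters that have meaning in HTML so a value renders as text only. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** One table row; both the header name and the value are untrusted client input. */
    public static String headerRow(String name, String value) {
        return "<TR><TD>" + escapeHtml(name) + "<TD>" + escapeHtml(value);
    }

    public static void main(String[] args) {
        // Constructed sample headers; the User-Agent carries a script payload.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Host", "www.example.com");
        headers.put("User-Agent", "Mozilla/5.0 <script>alert(document.cookie)</script>");
        headers.put("Cookie", "B=2td79o0sjlf5r&b=2");

        for (Map.Entry<String, String> h : headers.entrySet()) {
            System.out.println(headerRow(h.getKey(), h.getValue()));
        }
    }
}
```

In ShowRequestHeaders the loop body would become out.println(SafeHeaderEcho.headerRow(headerName, request.getHeader(headerName))). Because getHeader() returns only the first value of a repeated header, loop over request.getHeaders(headerName) instead if the table should show every value.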

Reading Browser Types

The User-Agent HTTP header indicates the browser and operating system. For example:

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

You can use this header to differentiate browser types or simply log browser requests. Keep in mind that the client chooses the value, so it records what the client claims to be, not what it is.

Example User-Agents

  • Internet Explorer: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • Mozilla: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624

For strange historical reasons, IE identifies itself as "Mozilla". To differentiate between the two, test for "MSIE", not "Mozilla".

Example

Let's take a look at BrowserInsult.java (Listing 5.4 in the text book).

Reading Standard CGI Variables

CGI Variables

In addition to HTTP request headers, you can also determine additional information about both the client and the server:

  • IP address of client (request.getRemoteAddr())
  • Host name of client (request.getRemoteHost())
  • Server name (request.getServerName())
  • Server port (request.getServerPort())
  • Server protocol (request.getProtocol())
  • Server software (getServletContext().getServerInfo())

Additional information is also available (see the text book for a complete list).

Caveat: the client address and host name describe the TCP peer. Behind a reverse proxy or load balancer that peer is the proxy, not the user, and getRemoteHost() may perform a reverse DNS lookup whose answer is controlled by whoever owns the reverse zone. Neither value should be used on its own for access control.

Example 2

Example 2 displays the most important CGI variables: ShowCGIVariables.java (Listing 5.7). Back to JCreator…

Generating the Server Response

Sample HTTP Response

As a refresher, here's a sample HTTP response:

HTTP/1.1 200 OK
Date: Mon, 06 Dec 1999 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 1996 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html

<HTML>
<HEAD><TITLE>Sample Homepage</TITLE></HEAD>
<BODY>
<H1>Welcome</H1>
Hi there, this is a simple web page. Granted, it may…

Generating Responses

Servlets can return any HTTP response they want. This is useful for lots of scenarios:

  • Redirecting to another web site.
  • Restricting access to approved users.
  • Specifying a content type other than text/html.
  • Returning images instead of HTML.

Setting the HTTP Status Code

Normally, your servlet will return an HTTP status code of 200 OK to indicate that everything went fine. To return a different status code, use the setStatus() method of the HttpServletResponse object. Be sure to set the status code before sending any document content to the client: once the response has been committed (its buffer flushed), the status line and headers have already been sent and can no longer be changed. For error codes, sendError(int code, String message) both sets the status and generates a short error page, so you do not have to write one yourself.

Using setStatus()

setStatus() takes an integer value, but it's best to use the predefined constants in HttpServletResponse. Here are a few:

  • SC_BAD_REQUEST: status code (400) indicating the request sent by the client was syntactically incorrect.
  • SC_FORBIDDEN: status code (403) indicating the server understood the request but refused to fulfill it.
  • SC_INTERNAL_SERVER_ERROR: status code (500) indicating an error inside the HTTP server which prevented it from fulfilling the request.
  • SC_NOT_FOUND: status code (404) indicating that the requested resource is not available.

Sending Redirects

You can redirect the browser to a different URL by issuing a Moved Temporarily status code together with a Location header:

  • SC_MOVED_TEMPORARILY: status code (302) indicating that the resource has temporarily moved to another location. (Later servlet releases call the same code SC_FOUND.)

Because this is so common, the HttpServletResponse interface also has a sendRedirect() method, which sets the 302 status and the Location header for you. Example:

res.sendRedirect("http://www.yahoo.com");

sendRedirect() commits the response, so return from the handler right after calling it. Never pass a URL taken straight from the request (a parameter or a header) to sendRedirect(): that creates an open redirect, which attackers use to bounce victims from your trusted domain to a phishing page.

package coreservlets;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Sends Internet Explorer users to Netscape and everyone else to Microsoft. */
public class WrongDestination extends HttpServlet {
  public void doGet(HttpServletRequest request,
                    HttpServletResponse response)
      throws ServletException, IOException {
    // The header may be absent, so check for null before inspecting it.
    String userAgent = request.getHeader("User-Agent");
    if ((userAgent != null) && (userAgent.indexOf("MSIE") != -1)) {
      response.sendRedirect("http://home.netscape.com");
    } else {
      response.sendRedirect("http://www.microsoft.com");
    }
  }
}

Case Study 1: Search Engines

Multiple Search Engines

Our first case study enables users to submit a search query to one of four search engines:

  • Google
  • AllTheWeb
  • Yahoo
  • AltaVista, etc.

The code uses an HTTP redirect response to send the user to the correct search engine.

Architecture

  1. Web Browser to SearchEngines Servlet: "I want to search for Bill Gates on Google"
  2. SearchEngines Servlet to Web Browser: "Go to Google" (a redirect)
  3. Web Browser to Google: "I want to search for Bill Gates on Google"
  4. Google to Web Browser: "Your results…"

SearchSpec.java

The SearchSpec object contains information about connecting to a specific search engine:

public String makeURL(String searchString, String numResults)

You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.

Let's take a look…

SearchUtilities.java

The SearchUtilities.java code has an array of SearchSpec objects: one for Google, one for Yahoo, etc. It also provides a makeUrl method. Let's take a look.

SearchEngines.java

The main servlet code. This code:

  1. Extracts the searchEngine parameter.
  2. If no such parameter exists, it sends an HTTP error.
  3. Otherwise, it calls SearchUtilities to make the correct URL.
  4. Redirects the user to this new URL.

Because the redirect target is built from a fixed SearchSpec entry rather than from a URL supplied by the client, this servlet is not an open redirect; the search string still has to be URL-encoded before it is placed in the query.

Let's take a look…
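As an added example (not the lecture's SearchSpec or SearchUtilities code), here is the shape the URL-building step should take so that the redirect stays safe: the engine name is looked up in a fixed allowlist, the result count is range-checked, and the user's search string is percent-encoded before it is placed in the query. The class name, the two URL templates and the parameter names inside them are illustrative assumptions, not the engines' documented query syntax, and the code targets Java 11 or later.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

/** Added example: build a search redirect URL without creating an open redirect. */
public class SafeSearchRedirect {

    // Assumed allowlist: engine name -> URL template with %s for the encoded query
    // and %d for the result count. Only these hosts can ever be redirect targets.
    private static final Map<String, String> ENGINES = Map.of(
            "google", "https://www.google.com/search?q=%s&num=%d",
            "yahoo",  "https://search.yahoo.com/search?p=%s&n=%d");

    /** Return the redirect URL, or null when the servlet should answer 400 instead. */
    public static String makeUrl(String engine, String searchString, String numResults) {
        if (engine == null || searchString == null || searchString.isEmpty()) {
            return null;
        }
        // The client supplies a name, never a URL; unknown names are refused.
        String template = ENGINES.get(engine.toLowerCase());
        if (template == null) {
            return null;
        }
        int num;
        try {
            num = Integer.parseInt(numResults == null ? "10" : numResults.trim());
        } catch (NumberFormatException e) {
            return null;
        }
        if (num < 1 || num > 100) {
            return null;
        }
        // Percent-encode the query so '&', '=', '#' and non-ASCII cannot add or alter parameters.
        String q = URLEncoder.encode(searchString, StandardCharsets.UTF_8);
        return String.format(template, q, num);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal query, one that tries to smuggle an extra parameter,
        // an "engine" that is really a URL, and an out-of-range result count.
        System.out.println(makeUrl("google", "Bill Gates", "10"));
        System.out.println(makeUrl("yahoo", "a&b=c#frag", null));
        System.out.println(makeUrl("https://evil.example/", "Bill Gates", "10"));
        System.out.println(makeUrl("google", "Bill Gates", "9999"));
    }
}
```

In the servlet, assuming the form fields carry the same names as makeURL's parameters, the handler calls makeUrl(request.getParameter("searchEngine"), request.getParameter("searchString"), request.getParameter("numResults")); a null result gets response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown search engine or bad query") followed by return, and anything else goes to response.sendRedirect(url).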

Case Study 2: Basic Web Security

HTTP Authentication

  • The HTTP protocol includes a built-in authentication mechanism.
  • Useful for protecting web pages or servlets that require user name / password access.
  • First, let's examine the basic mechanism and the HTTP headers involved.
  • Then, let's figure out how to build a servlet that uses this mechanism.

Basic Authentication

1) If a web page is protected, the web server will issue an authentication "challenge":

HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

WWW-Authenticate

WWW-Authenticate: BASIC realm="realm"

When you return status code 401, "Authorization Required", you need to tell the browser what type of authentication is required. You do this via the WWW-Authenticate header, which has two parts:

  • BASIC: the authentication scheme; Basic authentication requires a user name and password. Scheme names are case-insensitive, so BASIC and Basic are equivalent.
  • realm: a label for the protected area. You can create multiple "realms" of authentication for different users, e.g. "Admin", "User", "Super_User", etc. The browser remembers the credentials per realm and resends them automatically on later requests to that realm.

Basic Authentication Cont.

2) Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password. The browser takes the "username:password" string from the user and encodes it using the Base 64 encoding algorithm.

For example: if the string is "marty:martypw", the Base 64 string is "bWFydHk6bWFydHlwdw==".

We will not cover the details of Base 64, but remember that Base 64 is an encoding, not encryption: it is trivially reversible and involves no key. Therefore, even if your page is protected, anyone who can intercept the request (on a plain HTTP connection, for instance) can decode the Base 64 string and recover the password. Basic authentication should only ever be used over HTTPS.

Basic Authentication Cont.

3) The browser reissues the request for the page. In the HTTP request, the browser includes the Authorization header:

GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==

Basic Authentication Cont.

4) The web server checks the user name and password:

  • If the user name/password is correct, the web server displays the protected page.
  • If the user name/password is incorrect, the web server issues a second authentication challenge (another 401 with a WWW-Authenticate header), and the browser prompts again.

Almost there…

Before we examine the actual servlet code, there are two pieces of Java coding we need to examine:

  • Base 64 decoding (sun.misc.BASE64Decoder on the JDKs of the time; java.util.Base64 today)
  • java.util.Properties

Base 64 Encoding

Sun's JDK shipped a class called sun.misc.BASE64Decoder, whose decodeBuffer() method decodes the Base 64 string sent by the browser. That class was an unsupported internal API and was removed in Java 9; the supported replacement, available since Java 8, is java.util.Base64, which does the same job:

String userInfo = "bWFydHk6bWFydHlwdw==";
// The decoder rejects malformed input with an IllegalArgumentException,
// which the servlet should catch and treat as "no credentials supplied".
byte[] decoded = java.util.Base64.getDecoder().decode(userInfo);
// Basic credentials have no guaranteed character set; UTF-8 is the usual choice.
String nameAndPassword = new String(decoded, java.nio.charset.StandardCharsets.UTF_8);

After this code runs, nameAndPassword holds the decoded "username:password" string.

java.util.Properties

A utility class for reading in property files. For example, suppose you have the following passwords.properties file:

#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw

Note that this file stores passwords in the clear: anyone who can read it (including through a web server misconfigured to serve it as a static file) owns every account. A real deployment keeps the file outside the document root and stores salted password hashes rather than passwords.

java.util.Properties

You can easily and automatically load the password file and parse its contents:

String passwordFile = "passwords.properties";
Properties passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));

Then, you can extract the password for a specific user name:

String password = passwords.getProperty("marty");

getProperty() returns null for an unknown user, so the servlet must check for that before comparing.

ProtectedPage.java

Here's how the servlet works:

  1) Initialization: read in a password file of valid user names and passwords.
  2) Check for the HTTP Authorization header.
  3) Decode the Authorization header using Base 64 to obtain the user name and password.
  4) Check the user name and password against the valid names list. If valid, show the protected page. Else, issue another authentication challenge.
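Putting the pieces together, here is the credential check that ProtectedPage needs, written as an added example rather than the lecture's own listing. It uses java.util.Base64 instead of sun.misc.BASE64Decoder, splits on the first colon only so that a password containing ':' still works, keeps PBKDF2 hashes in the Properties object instead of cleartext passwords, and compares with MessageDigest.isEqual() so the comparison time does not depend on where the first wrong byte is. The class and method names, the salt$hash storage format and the iteration count are this example's own choices, and the Properties contents in main() are constructed in memory to stand in for passwords.properties.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Added example: verify an HTTP Basic credential against hashed passwords. */
public class BasicAuthCheck {

    // Example parameters, not a standard: PBKDF2-HMAC-SHA256, 16-byte salt, 256-bit output.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** Parse "Basic <base64>" into {user, password}; null means "no usable credentials". */
    public static String[] parseBasic(String authHeader) {
        if (authHeader == null) {
            return null;
        }
        String[] parts = authHeader.trim().split("\\s+", 2);
        // Scheme names are case-insensitive; browsers send "Basic".
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Basic")) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(parts[1]);
        } catch (IllegalArgumentException e) {
            return null;                              // malformed Base64
        }
        String userPass = new String(raw, StandardCharsets.UTF_8);
        // Split on the FIRST colon only: user names cannot contain ':', passwords can.
        int colon = userPass.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { userPass.substring(0, colon), userPass.substring(colon + 1) };
    }

    private static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    /** Stored form for the password file: base64(salt) + "$" + base64(hash). */
    public static String hashForStorage(String password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt);
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    /** True only if the user exists and the supplied password matches the stored hash. */
    public static boolean verify(Properties passwords, String authHeader) throws Exception {
        String[] cred = parseBasic(authHeader);
        if (cred == null || cred[1].isEmpty()) {
            return false;                             // no credentials, or an empty password
        }
        String stored = passwords.getProperty(cred[0]);
        int sep = (stored == null) ? -1 : stored.indexOf('$');
        if (sep < 0) {
            return false;                             // unknown user or corrupt entry
        }
        byte[] salt = Base64.getDecoder().decode(stored.substring(0, sep));
        byte[] expected = Base64.getDecoder().decode(stored.substring(sep + 1));
        byte[] actual = pbkdf2(cred[1].toCharArray(), salt);
        // Constant-time comparison; String.equals() stops at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    /** Build the header value a browser would send for the given "user:password". */
    private static String basicHeader(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory stand-in for passwords.properties, holding hashes rather than passwords.
        Properties passwords = new Properties();
        passwords.setProperty("marty", hashForStorage("martypw"));
        passwords.setProperty("bj", hashForStorage("bj:pw"));      // password containing a colon

        System.out.println("correct password:   " + verify(passwords, basicHeader("marty:martypw")));
        System.out.println("wrong password:     " + verify(passwords, basicHeader("marty:martypd")));
        System.out.println("unknown user:       " + verify(passwords, basicHeader("eve:whatever")));
        System.out.println("colon in password:  " + verify(passwords, basicHeader("bj:bj:pw")));
        System.out.println("malformed Base64:   " + verify(passwords, "Basic not*base64!"));
        System.out.println("no header:          " + verify(passwords, null));
    }
}
```

In the servlet, verify(passwords, request.getHeader("Authorization")) decides between writing the protected page and re-issuing the challenge with response.setHeader("WWW-Authenticate", "Basic realm=\"privileged-few\"") followed by response.sendError(HttpServletResponse.SC_UNAUTHORIZED) and return. Hashing protects the password file at rest; it does nothing for the credential in transit, which is why the page must be served over HTTPS.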

The Code

Let's examine the code. (Source code is also available on the course web site.)

Summary

  • Lots of hidden HTTP data, including headers and cookies, is sent from the browser to the server.
  • HTTP header data can also be sent from the server to the browser, e.g. error codes, redirection codes, etc.
  • Make sure you understand the Search and web security examples.
