COMP9321 Web Applications Engineering: Java Servlets

(1)

COMP9321 Web Applications Engineering:

Java Servlets

Service Oriented Computing Group, CSE, UNSW

Week 2

(2)

Different Layers in an Application

Different solutions for each layer

Presentation Layer

I JSP, XSLT, CSS, HTML

Business logic

I Java classes

Data Access Layer

I Data Access Objects

Data Store

I RDBMS, OODBMS, XML Database

(3)

MVC pattern

Browser JSP (View) JavaBean (Model) Data request response Server Servlet (Controller) Container request 1 2 3 5 4

(4)

Java Servlets

A Java technology for generating dynamic content.

Used to process HTTP request and generate HTTP response. Servlets are executed by a servlet container

Servlet containers are web server extensions (eg., Apache Tomcat) that provide servlet functionality.

http://java.sun.com/products/servlet/index.jsp Web Browser <FORM> <INPUT> parameters... </INPUT> </FORM> Web Server Servlet Container Servlet classes DB HTTP Request (URL + data) HTTP Response: HTML (+javascript) request response (content produced from servlet)

(5)

Java Servlets

Used to process HTTP request and generate HTTP response.

Servlets are executed by a servlet container

(6)

Java Servlets

(7)

Java Servlets

(8)

Java Servlets

(9)

Tomcat Web container structure

bin (star/stop the server), common/lib (shared libraries, Tomcat-wide) conf (server configuration files)

webapps (Web application base directory)

The structure of a Web Application Archive (.war): simple.war\ index.html WEB-INF\ lib classes\myFirstServlet.class web.xml

To access the Web app:

http://localhost:8080/simple/index.html

(10)

Making servlets available in the Web container

1 _{Create the standard Web application directory structure} 2 _{Write a servlet}

3 Compile

4 Write a deployment descriptor (web.xml)

5 Package all up into an archive file and name it appname.war 6 Copy the war file into $CATALINA HOME/webapps

7 _{The server detects the application and makes it available to the users:}

http://localhost:8080/appname/

There are tools developed designed to assist the programmers with the series of tasks involved in writing Web applications.

e.g., Ant tasks for Tomcat, Eclipse Web Tools Platform (WTP)

(11)

How the Container handles a request

((HeadFirst) p.42)

Web Server Machine

Container Client HTTP Request HttpServletRequest HttpServletResponse Container Client Servlet Container Client Servlet thread request _response Servlet Servlet Servlet

(12)

How the Container handles a request

((HeadFirst) p.42) Container Client Servlet thread request response Container Servlet thread response Container Servlet thread request response service() service() doGet() Generated Content HTTP Response Generated Content

(13)

Your Servlet inherits ”lifecycle” methods

service(ServletRequest, ServletResponse) init(ServletConfig) destroy() getServletConfig() getServletInfo() <<interface>> Servlet service(ServletRequest, ServletResponse) init(ServletConfig) destroy() getServletConfig() getServletInfo() getInitParameter(String) getInitParameterNames() getServletContext() log(String) GenericServlet service(ServletRequest, ServletResponse) service(HttpServletRequest, HttpServletResponse) doGet(HttpServletRequest, HttpServletResponse) doPost(HttpServletRequest, HttpServletResponse) doHead(HttpServletRequest, HttpServletResponse) doPut(HttpServletRequest, HttpServletResponse) doOptions(HttpServletRequest, HttpServletResponse) HttpServlet doGet(HttpServletRequest,HttpServletResponse) myBusinessMethod() MyServlet javax.servlet.* javax.servlet.http.*

(14)

A typical Servlet looks like this

package com.comp9321;

import java.io.*; import javax.servlet.*; import javax.servlet.http.*;

public class OneServlet extends HttpServlet {

public void doGet (HttpServletRequest req, HttpServletResponse res)

throws ServletException, IOException {

res.setContentType("text/html"); PrintWriter out = res.getWriter();

java.util.Date today = new java.util.Date();

out.println("<HTML><BODY><H1>OneServlet says it is now: "); out.println(today + "</H1></BODY></HTML>");

out.close();

} }

Note: Nomain()- the container calls the servlet methods like doGet() through

service()... How does the container know which servlet to call?

(15)

Servlet Names

A servlet may have three names

I Name that the client uses

I Name that used at deployment time

I Actual class name (i.e., OneServlet.class)

All these names are declared and mapped in the deployment descriptor (web.xml)

Mapping servlet names improves your app’s flexibility and security in web.xml <web-app xmlns="http://java.sun.com/xml/ns/j2ee" ... <servlet> <servlet-name>OneServlet</servlet-name> <servlet-class>com.comp9321.OneServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>OneServlet</servlet-name> <url-pattern>/oneservlet</url-pattern> </servlet-mapping> ...

URL to the servlet - http://localhost:8080/myApplication/oneservlet

(16)

A Lifecycle of a Servlet

The Web container controls the lifecycle of a servlet class

Container

Web Container Servlet Class Servlet Object

100101 000001 1010 10 000101 initia lised initia lised load class Instantiate servlet init() service() destroy() handle client requests (doXX())

(17)

Servlet’s Life

((HeadFirst) p.99)

lifecycle calls

When it’s called What it’s for Override

it? init() Container calls init() after the

servlet instance is created but before the serlvet can service client’s requests

Gives you a chance to ini-tialise your servlet before han-dling any requests

No*

service() When the first client request comes in, the container starts a new thread and calls ser-vice() method

This one looks at the re-quest and determines the HTTP method and invokes the matching doXX() on the servlet

No.

doXX() The service() method invokes appropriate doXX()

This is where your Servlet code begins. This is the method that is responsible for whatever the servlet is sup-posed to be doing

Always

* Maybe ... (e.g., getting a database connection), but not always

(18)

Why care about this initialisation details?

(HeadFirst) p.104

Once the servlet is initialised, the servlet gets access to two important objects:

A ServletConfig object:

I One ServletConfig object per servlet

I Use it to pass deploy-time information to the servlet (any info. that you do not want to hard-code into the servlet)

I Use it to access the ServletContext

I Parameters are configured in the deployment descriptor

A ServletContext

I One ServletContext per Web application (they should have named it AppContext)

I Use it to access parameters that are Web application-wide

I _{Use it as a kind of application bulletin-board, where you can put up}

info (called attributes) that other parts of the application can access

I Use it to get server info, including the name and version of the container, etc.

(19)

Why care about this initialisation details?

(HeadFirst) p.104 does not exist Servlet (initialised) init(ServletConfig) service() destroy() constructor

By the time servlet is running doXX(), it's got

a ServletConfig

ServletConfig

Servlet A Servlet B Servlet C

JSP A ServletContext ServletConfig ServletConfig ServletConfig App.-Wide params Servlet-Wide params

(20)

ServletConfig: Passing servlet configuration information

The Web container can pass some configuration information (eg., initial parameters) for individual servlets .... in web.xml:

<web-app> <servlet> <servlet-name>DemoServlet</servlet-name> <servlet-class>com.comp9321.ConfigDemoServlet</servlet-class> <init-param> <param-name>WebMaster</param-name> <param-value>Helen Paik</param-value> </init-param> <init-param> <param-name>WebMasterEmail</param-name> <param-value>hpaik@webmaster.com</param-value> </init-param> </servlet> <servlet> <servlet-name>SecondDemoServlet</servlet-name> <servlet-class>com.comp9321.NextDemoServlet</servlet-class> <init-param> <param-name>language</param-name> <param-value>Italian</param-value> </init-param> </servlet> </web-app>

(21)

Who’s responsible for what?

Container or Servlet

Creates the request and response objects? Calls the service() method?

Adds HTML content to the response object?

Has a name that matches the <servlet-class>element in the DD? Has a reference to the response objects?

Finds the URLs in the DD?

Starts a new thread to handle requests? Setting the content type of the response?

(22)

The difference between GET and POST

GET /myapp/selectBeerTaste.do?colour=dark&taste=malty HTTP/1.1 HOST:www.cse.unsw.edu.au

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US

Accept: text/xml, application/xml, application/xhtml+xml, text/html, video/x-mng, image/png Accept-Language: en-us

Connection: Keep-alive

POST /myapp/selectBeerTaste.do HTTP/1.1 HOST:www.cse.unsw.edu.au

User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US

Accept: text/xml, application/xml, application/xhtml+xml, text/html, video/x-mng, image/png Accept-Language: en-us

Connection: Keep-alive

colour=dark&taste=malty

New Empty Line BODY (payload)

(23)

The difference between GET and POST

Sensitive data should NOT be used with GET

I GET’s parameter data shows up in the browser’s input bar

POST cannot be bookmarked

I If you want to let users specify search parameters and save it for later, cannot use POST

GET is supposed to be used for getting things - information retrieval POST is supposed to be used for sending data to be processed -update or change something on the server

Servlet

DB POST

GET

Servlet uses the POST data to update the database Sends back a response

with a generated HTML page

Sends back a response with a generated HTML page

(24)

What determines whether the browser sends GET/POST

POST

<A HREF="http://www.cse.unsw.edu.au/myapp/index.html>click here</A> GET

<form method="POST" action="SelectBeer.do"> Select Beer<p> <option>light <option>amber <option>dark </select> <center> <input type="Submit"> </center> </form> <form action="SelectBeer.do"> Select Beer<p> <option>light <option>amber <option>dark </select> <center> <input type="Submit"> </center> </form> GET

What if I want to support both GET and POST? public void doPost( ...) throws { doGet(request, response) }

(HeadFirst) p.117

(25)

ServletRequest & ServletResponse Interfaces

getAttribute(String) getContentLength() getParameterNames() getParameter() // Many more methods ...

<<interface>> javax.servlet.ServletRequest getContextPath() getCookies() getHeader(String) getQueryString() getSession() //Many more methods

<<interface>>

javax.servlet.http.HttpServletRequest

getButfferSize() setContentType() getWriter()

// Many more methods ...

<<interface>> ServletResponse addCookies() addHeader() encodeRedirectURL() sendError() ...

//Many more methods

<<interface>>

javax.servlet.http.HttpServletResponse

The container implements HttpServletRequest and HttpServletRequest

All you should care about is when servlet is called the service() passes two objects that implements the two to your servlet

(26)

HttpServletRequest, HttpServletResponse

The service() method invokes appropriate doXXX() method when the servlet receives an HTTP request.

Typically, your (http) servlet code would have the following structure:

import java.io.*; import javax.servlet.*; import javax.servlet.http.*;

public class MyServlet extends HttpServlet {

public void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {

// your code to generate response ... }

public void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException, ServletException {

// your code to generate response ... }

HTTP request method determines whether doGet() or doPost() runs.

(27)

A simple servlet that generates a text message

import java.io.*;

import javax.servlet.*; import javax.servlet.http.*;

public class StaticServlet extends HttpServlet {

public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.println("<HTML>"); out.println("<BODY>"); out.println("<HEAD>"); out.println("<TITLE>Static Servlet</TITLE>"); out.println("</HEAD>"); out.println("<body>"); out.println("<CENTER><H1>Hello folks!</H1></CENTER>"); out.println("</BODY>"); out.println("</HTML>"); } }

(28)

When you do not want to process the response yourself

if (worksForMe) { // handle the request } else { response.sendRedirect("http://www.cse.unsw.edu.au/myapp/newServlet"); } Redirection (sendRedirect()) Type in a URL Redirect Servlet The servlet decides that the request should go

to a different URL

The servlet calls sendRedirect(aString) on the response new URL (status code 301 and location) Sends request

for the new URL Another

Servlet final response

(HeadFirst) p.134-136

(29)

Request Dispatching

You may want to:

include the output from another servlet

delegate (forward) the request processing to another servlet include a static HTML content

You can use methods in the RequestDispatcherinterface:

include: to include content from another resource

public void include(HttpServletRequest req, HttpServletResponse res)

forward: forward a request to another servlet

public void forward(HttpServletRequest req, HttpServletResponse res)

(30)

Request Dispatching

You may want to:

include the output from another servlet

delegate (forward) the request processing to another servlet include a static HTML content

You can use methods in the RequestDispatcherinterface: include: to include content from another resource

public void include(HttpServletRequest req, HttpServletResponse res)

forward: forward a request to another servlet

public void forward(HttpServletRequest req, HttpServletResponse res)

(31)

Forwarding a request to another servlet

Using include():

The called servlet can only alter the body of the response, and not the headers.

The path information of the request also continues to reflect the original request location.

Using forward():

no content may have been committed to the client (eg., flushBuffer()) the called servlet can adjust the headers as well as the body of the response (content produced up to the forward call is cleared from the buffer).

The path information of the request is altered to reflect the location of the called servlet, and no further output can occur after returning from a forward call (the output is committed upon returning from the call).

(32)

Forwarding a request to another servlet

Using include():

The called servlet can only alter the body of the response, and not the headers.

The path information of the request also continues to reflect the original request location.

Using forward():

no content may have been committed to the client (eg., flushBuffer()) the called servlet can adjust the headers as well as the body of the response (content produced up to the forward call is cleared from the buffer).

The path information of the request is altered to reflect the location of the called servlet, and no further output can occur after returning from a forward call (the output is committed upon returning from the call).

(33)

Attributes and Sharing Attributes

An attribute is an object bound to one of the following objects:

I ServletContext (web-app wide object!)

I HttpServletRequest

I HttpSession

an attribute is simply a name/value pair - name is a String and attribute is an Object.

Think of it an object pinned onto a board. Somebody sticks it on the board so that others can get it ...

Bulletin Board Attributes Customer Helen Course COMP9321 Choice DarkColour Servlet A Servlet B Servlet C Servlet D

(34)

Who has access to the board and how long does it live?

Context Attributes AdminEmail xx@xxxx ConcurrentUsers 42 Servlet DB Connection Servlet _read JSP read write read read

Everyone in the application has access Session Attributes UserName Helen Shopping Cart A Servlet Servlet JSP read write read

Accessible to only those with access to a specific HttpSession Request Attributes OptionChoice Dark Beer Servlet JSP read write

Accessible to only those with access to a specific (Http)ServletRequest

(HeadFirst, p.187)

(35)

Attributes API

(HeadFirst, p. 189) getInitParameters(String) getInitParameterNames() getAttribute(String) setAttribute(String, Object) removeAttribute(String) getAttributeNames() getMajorVersion() getServletInfo() // Many more methods ...

<<interface>> ServletContext getContextType() getParameter() getAttribute(String) setAttribute(String, Object) removeAttribute(String) getAttributeNames() // Many more methods ...

<<interface>> ServletRequest

//Nothing related to attributes here ... <<interface>> HttpServletRequest setMaxInactiveInterval() getLastAccessedTime() getAttribute(String) setAttribute(String, Object) removeAttribute(String) getAttributeNames() // Many more methods ...

<<interface>> HttpSession

Context

Request

Session

(36)

Attributes are not parameters

(HeadFirst, p. 186)

Attributes Parameters

Types

Context (Web App.) Request,

Session

context init params request params, servlet init params

Method to set setAttribute(String name, Object value)

In DD and via client input ...

Return type Object String

Method to get getAttribute(String name) getInitParameters(String name)

no such thing as Session parameters

Object returned from getAttribute() has to be casted.

(37)

Request attributes and Request dispatching

We use request attributes when you want some other component of the application take over all or part of your request.

// code in doGet()

String postcode = getPostcode(request.parameter("suburb"); request.setAttribute("pc", postcode);

RequestDispatcher view =

request.getRequestDispatcher("DisplayPostcode.jsp"); view.forward(request, response);

// the JSP will use the attribute pc to access the postcode.

There is no reason to use context or session attributes, since it only applies to this request (so request scope is enough).

(38)

Managing the user state

In most web applications:

The user needs to have continuousone-on-one interactions with the application. The user builds up “data” which may have to be shared across multiple pages in the application.

eg., Think of a shopping cart or a flight booking ...

(39)

Managing the user state

A problem in HTTP request/response:

Web applications need to maintain a user + his/her data.

HTTP is a stateless protocol.

I A single request/response

I Nothing is remembered ’between requests’ from the same user

It is a programmer’s responsibility:

The term “session” is used to represent the data associated with one user while s/he navigates around a Web applicaiton.

A web application may concurrently host several sessions (i.e., multiple users).

(40)

Session Management

Thread c (HeadFirst) p.226 Web container Beer Servlet Thread a Data for Diane Request to recommend a Dark Beer

setAttribute(): Stores "Dark Beer" for Diane request 1.

request 2.

response: What price range?

Web container Thread b Data for Diane Selects "Expensive" response: Guiness response: Guiness Diane Beer Servlet request 1. Request to recommend a Wheat Beer

Data for Terri

Diane

Terri

response: What price range?

(41)

How does the container know who the client is?

The client needs a unique Session ID

Web container ID#4123 Session request, dark setAttribute(): Stores "Dark Beer" for Diane request 1. request 2. response, ID#4123 Web container ID#4123 Session request, Expensive, ID#4123

response, ID#4123 Diane request 1. request, wheat Diane Terri new! - generate an ID new! - generate ID request, ID#4123 HttpServletRequest existing ID! ID#5555 Session setAttribute(): Stores "Wheat Beer" for Terri response, ID#5555

(42)

Session Management

There are a number of ways to deal with sessions. The basic idea:

When a user request comes in, besides sending the response, the container also sends an identifier

the identifier is recorded by the server

When the container receives a request with the same identifier, it can treat the request as belonging to the same user

There are four techniques available: Without the container’s help:

I URL rewriting

I HTML hidden fields

I Cookies

With the container’s help:

I HTTP Session objects

(43)

URL Rewriting

In this method, you append a token or identifier of the session to the URL of the next servlet (or resource).

http://myserver:port/COMP9321/nextservlet?userId=22987600 (inside nextservlet)

request.getParameter("userId"); You need to consider several things:

URL cannot be longer than 2,000 characters

Special characters such as &, ? or spaces should be encoded The values you pass can be seen in the URL

(44)

HTML hidden fields

A token or identifier is passed as the value for an HTML hidden field in a form.

(inside nextservlet)

request.getParameter("token"); request.getParameter("allowed");

URL cannot be seen by the user

but you still can read them from viewing the HTML source. an HTML form is always required in every page

(45)

Cookies

A cookie is a small data item that was introduced to maintain HTTP state by Netscape around 1994.

A cookie is created by the server and sent to a browser inside a header. It is subsequently used by the server

The browser does not interpret cookies

Cookies are kept in the browser’s memory, or can be written to a file for future references

Eg., Inside a cookie file

Set-Cookie: username="joe"; path="/"; domain="www.comp9321.com"; expires="2003-06-01 00:00:00GMT"; version=0

(46)

Cookies

In servlet programming, a cookie is represented by the Cookie class in the javax.servlet.http package.

Cookie c1 = new Cookie("myCookie", "secret"); You then can add the cookie to the HTTP response using the addCookie method of the HttpServletResponse interface: response.addCookie(c1);

Note that because cookies are carried in the request and response headers, you must not add a cookie after an output has been written to the HttpServletResponse object.

setDomain() getDomain() setMaxAge()

getMaxAge() setPath() getPath()

getName() setValue()

(47)

HTTP Sessions with JSESSIONID cookie

The most convenient way of managing sessions is through theSession object, represented by thejavax.servlet.http.HttpSession interface For each user, the container creates an HttpSession object to be associated with that user

The HttpSession object acts like a Hashtable into which you can store any number of key/object pairs (called HttpSession Attributes) An HttpSession object relies on a cookie or URL rewriting to send a token to the client.

The token is usually a unique number called the session identifier (JSESSIONID). This session identifier is used to associate a user with a Session object in the server.

(48)

HTTP Sessions Interface

Web container HTTP/1.1 200 OK Set-Cookie: JSESSIONID=0AAB6C8DE415 Content-Type: text/html Content-Lengh: 397

Date: Wed, 19 Nov 2005 03:25:40 GMT Server: Apache 1.1 Connection: close <html> ... </html> Request Set Cookie Web container POST /select/BeerPriceRange HTTP/1.1 Host: www.cse.unsw.edu.au User-Agent: Mozilla 5.0 Cookie: JSESSION=0AAB6C8DE415 Accept: next/xml,application/xml,application/xhtml Accept-Language: en-us Next Request

(49)

An example of using HttpSession object: the scenario

Issue Welcome Start Session Display Choices Add Choice to Journey Show Journey so far Close Session Welcome Servlet Create a Journey object

for the user

Menu Servlet Control Servlet Enough Servlet

(50)

The Journey Object

In a Journey object, a record of the user’s proposed travel destinations is maintained.

import java.util.*;

import java.io.Serializable;

public class Journey implements Serializable {

private Vector Places;

public Journey() { Places = new Vector(); }

public Iterator getPlaces() { return this.Places.iterator(); }

public boolean addPlace(String place) { return Places.add(place); }

public String toString() { return "Journey to "; } }

(51)

Using a Journey Object

The following segment of code:

1 initialises a new Journey object,

2 adds VIC then NSW then QLD to the journey, 3 then (iii) print out the all the places on the route.

Journey jny = new Journey(); jny.addPlace("VIC"); jny.addPlace("NSW"); jny.addPlace("QLD"); Iterator i = jny.getPlaces(); while (i.hasNext()) System.out.println("- "+ i.next());

(52)

How session tracking works ...

User Travel-Application WelcomeServlet MenuServlet ControlServlet EnoughServlet request response request response (sessID=50) request (sessID=50) response (sessID=50) request (sessID=50) response SessionTable s25 s29 s36 s50

(In the servlet container)

new entry for the new user

SessionData s25 s29 s36 "JourneyFlag" "Queue" "Patron" s50 "JourneyFlag" id attribute address SA WA jny obj Memory jny2 obj user1 user2 user3 user4

(53)

When Cookie is disabled by the client ...

The container uses URL rewriting as a fall back method.

public class MenuServlet extends HttpServlet { public void doPost (HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {

res.setContentType("text/html"); PrintWriter out = res.getWriter(); HttpSession session = req.getSession(); out.println("<HTML><BODY>");

out.println("<A HREF=" + response.encodeURL("/ControlerServlet") + ">Next Page</A>"); out.println("</BODY></HTML>");

encodeURL() adds the extra sessionID info to the given URL (e.g., http:// ... /ControlerServlet;JSESSIONID=AJKN88809) you need to use encodeURL for all URLs.

(54)

Getting rid of Sessions

Three ways a session can die: It times out

You can call invalidate() on the session object

The application goes down (e.g., crashed or undeployed) Configuring session timeout in DD (in minutes)

<web-app ...> <servlet> ... </servlet> <session-config> <session-timeout>15</session-timeout> </session-config> </web-app>

Setting session timeout for a specific session (in seconds)

session.setMaxInactiveInterval(20*60);

(55)

Servlets ...

Web Browser <FORM> <INPUT> parameters... </INPUT> </FORM> Web Server Servlet Container Servlet classes DB HTTP Request (URL + data) HTTP Response: HTML (+javascript) request response (content produced from servlet)

Is Java-based technology for generating dynamic HTTP content. A servlet lifecycle is managed by Servlet Container

Follows the request/response paradigm

Implements methods (eg., doGet()) to processHTTP requests Session tracking using HttpSession objects

http://java.sun.com/products/servlet/index.jsp

http://myserver:port/COMP9321/nextservlet?userId=22987600