The end. Carl Nettelblad

Academic year: 2021

(1)

The end

(2)

The exam and end of the course

• Don’t forget the course evaluation!

• Closing tomorrow, Friday

• Project upload deadline tonight

(3)

The exam

• Correction has started

• Easy to score some points – Hard to nail everything

– Frequently specific questions posed in the exam text that are simply not answered

(4)

Question 1.

• The Java Architecture for XML Binding (JAXB) and the Java Persistence API (JPA) are two components in JavaEE. They are both used for interacting with other technologies outside of Java. Discuss the similarities between these components, their respective use (including which other JavaEE components rely on them), and how you can maintain a specified contract or schema against a non-Java user in the two cases. Also discuss what other components there are in JavaEE for interacting with the same external technologies, and compare them. (6p)

(5)

Answer 1

• Java Persistence API – database tables modelled as Java classes

• Java Architecture for XML Binding – XML elements modelled as Java classes

– Note the similarity?

• JAX-WS and JAX-RS rely on JAXB

• JDBC is another option for database access (slightly more low-level, JPA implementations in fact tend to use JDBC)

• Expected answer for other XML APIs: DOM, SAX, StAX

– A lot of you mentioned XSLT, that’s relevant, but a bit off the point

• Both JPA and JAXB support

– Generate classes from existing schema (database structure or XSD file)

– Generate schema (SQL statements or XSD file) from annotated classes

(6)

Question 2

a) DocumentationConfiguration in JavaEE can frequently be stored in XML files, as well as in annotations. What is an annotation? Why would one choose one over the other in a JavaEE application? (2p)

b) We have also used annotations to define injection of specific resources. What is resource injection? Why would one choose to use resource injection over having something like the following in a program? (1p)

    @Stateless
    public class DemoEjb implements DemoLocal {

        private InitialContext ctx = null;   // declared here: ctx was used but never declared
        private DataSource ds = null;

        @PostConstruct
        public void initMethod() {
            try {
                // Manual JNDI lookup of the container-managed data source
                ctx = new InitialContext();
                ds = (DataSource) ctx.lookup("jdbc/fastCoffeeDB");
            } catch (NamingException e) {
                throw new EJBException(e);   // lookup() throws a checked exception
            }
        }
        // ...
    }

(7)

Answer 2

• Sorry about the mess-up documentation/configuration.

• Not an obvious effect on most answers

– Most answers look like you read “Configuration”

• A good answer assuming that it really should read

(8)

Answer 2

• Annotations are specific additional meta-data added in a type-safe way to language elements (classes,

methods, arguments, variables)

– Parsed and stored by the compiler

– Inspected at runtime (here: by the Java container)

– @ sign

• A really short description is OK, mentioning @ sign or some example is almost required for full score, unless the “theoretical” description is very thorough

(9)

Where to put configuration?

• Do you expect it to change?

– I.e. dependent on specific container/server environment

• Is it used by many classes? – Put in XML!

• Is it very specifically tied to the workings of the code – Put as Java annotations

(10)

Resource injection

• The code example is also an example of using a container-managed resource

• Therefore, many answers relating to connection pools, why the container should manage resources etc are correct, but somewhat off the point

• The core aspect here is what we want to focus on in our code

– Resource injection is a compact declarative way to request a container-managed resource, allowing the container to manage dependencies.

– A single line showing the intent.

• The actual intent of retrieving the resource is less clear in the example code in the exam.

(11)

Question 3

• In the servlet API, a servlet has to be reentrant. What does this mean, and what are the consequences? In the EJB API, it is stated that the bean classes do not have to be reentrant. How is concurrent access handled instead? Also, in this context, describe the difference between a stateless and a stateful session EJB. (4p)

(12)

Reentrant servlets

• Servlets are reentrant

– The same instance is used to serve all requests

– A method can be called to service a new request, on a new thread, while another request is being processed

– What does this mean?

• Instance variables and other data are shared, unless you use other means to store them

(13)

Non-reentrant EJBs

• EJBs are not reentrant

– (Unless you go to some length to explicitly ask for it to be)

– Instead, many instances are created

– These can be shared in pools, but only a single client (object using the EJB) is using a specific instance at any single time

– Only a single method call going on

– For stateless EJBs, the “ownership” by the client starts and ends with every single method call

– For stateful EJBs, the same instance is locked to a specific client from the time it is retrieved until it goes out of context

(14)

Question 4

• What is a web service? Web services are designed to be independent of language, technology vendor, and platform. How is this achieved? What is the difference between SOAP-based and RESTful web services? How are web services handled in JavaEE? (4p)

(15)

Answer 4

• Web services

– Providing programmatic access to data and services in our application

– Other code talking to our code over the Internet

• SOAP

– General way to send synchronous messages

• Basically stateless method calls

– HTTP is one of many transports

– Typically XML-formatting of messages, rather verbose syntax

(16)

Answer 4

• SOAP

– Interface of endpoint defined by WSDL

• REST

– Using the basic verbs of HTTP

– The URL represents the request (combined with the request content)

– Different objects have different URLs

– Frequently JSON or XML data

– Just representing the object itself

(17)

Answer 4

• JAX-WS and JAX-RS are used to interact with and provide web services in JavaEE

(18)

Question 5

• The model-view-controller paradigm is a common way to design and look at web applications. Using JSP, servlets and (possibly Enterprise Java) beans, what is the role of each component in this paradigm? What kind of code/logic would you ideally want to have on each level? How could you use JSF instead?

(19)

Answer 5

• Model view controller

– Crucial architectural concept in the course!

• Model – the world and what can happen in the world

– Implemented as beans

– Not only containing data, also the actions we can take on data

• Create objects, modify objects, delete objects – in different ways

(20)

Answer 5

• View

– Present actual HTML pages to the user

– In JSP, try to use very little scriptlets, stick to EL and JSTL

– Present the information stored in the beans served by the controller

(21)

Controller

• Servlet

– Parsing requests

– Calling model

– Populating state from the model into contexts

– Directing rendering to the correct view

• Rules of thumb

– Keep actions that modify data out of views

– Keep external resources out of the controller

– Keep explicit HTML out of model, ideally out of controller as well

(22)

JSF instead

• JSF is a general modularized framework for multiple HTTP request/response interactions within the same view

– The controller is managed by the JSF servlet

• View actions can map directly to bean action methods

• Control flow also defined by navigation rules

(23)

Question 6

a) A web application developer can easily create SQL injection and cross-site scripting problems. Describe what these are and how you can avoid them. Why would the JSTL tag c:out be relevant in this? (2p)

b) We talk about programmatic versus declarative security. What do we mean by this, and how can the container help us in maintaining authentication and authorization? Why should the full session, not only the login process, be encrypted - even if the information

(24)

Answer 6

• SQL injection – adding (unverified) data into a SQL command

– Can result in data being parsed as SQL code, by data including apostrophes etc.

– Can result in data loss, data being exposed, data being modified, exploits of other parts of the system

• Avoided by

– Prepared statements/parametrized queries (or stored procedures, if those are called in a safe manner!)

– “Escaping” any dangerous characters or character combinations (not preferable)
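An added example, not from the slides or the exam, that ties the resource injection point of slide 10 to the prepared-statement advice above: the data source is requested with one declarative annotation instead of the InitialContext lookup in Question 2, and the same EJB shows the concatenated query to avoid next to its parametrized form. The EJB name, the customer table and its name and email columns are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Stateless
public class CustomerEjb {
    // Resource injection: one declarative line states the intent; the container
    // resolves the JNDI name, does the lookup and hands out pooled connections.
    @Resource(lookup = "jdbc/fastCoffeeDB")
    private DataSource ds;

    // The form to avoid: the name is spliced into the SQL text, so a value with
    // an apostrophe in it is parsed as SQL code instead of as data.
    public List<String> findEmailsUnsafe(String name) throws SQLException {
        String sql = "SELECT email FROM customer WHERE name = '" + name + "'";
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // Parametrized query: the SQL text is fixed when prepared, and the name is
    // bound separately as a value, so it can never change the query structure.
    public List<String> findEmails(String name) throws SQLException {
        String sql = "SELECT email FROM customer WHERE name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Assumed schema: table customer with columns name and email.
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> emails = new ArrayList<>();
        while (rs.next()) {
            emails.add(rs.getString("email"));
        }
        return emails;
    }
}
```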

(25)

Cross-site scripting (XSS)

• Input from a user or another website being run as a script or interpreted as HTML in the context of your website

– Example scenario

• Unvalidated “comment” form on a news post

• Result

– Arbitrary code/script being run in the context of the users’ web browser

– Can access cookie, can redraw the web page to give the impression of the user doing something else than what is really happening

– “Only” client-side, but

– If the exploit affects an admin user, your whole application can be threatened

(26)

Cross-site scripting

• Avoid it by

– Validating all input – Escaping output

– The c:out tag has escaping active by default, i.e. the string <script> would be rendered as &lt;script&gt;
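An added example, not from the slides, that writes out in plain Java what c:out does for the comment-form scenario above, so the <script> to &lt;script&gt; claim can be traced character by character. The class name and the sample comment are constructed for this example.

```java
public final class HtmlEscaper {

    // The same five characters that JSTL's c:out replaces when escapeXml is true
    // (its default): & < > " and the apostrophe.
    static String escapeXml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&#034;"); break;
                case '\'': sb.append("&#039;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Rendering a user comment inside a news post: the escaped text reaches the
    // browser as literal characters, never as markup for its HTML parser.
    static String renderComment(String userComment) {
        return "<p class=\"comment\">" + escapeXml(userComment) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a comment that mixes text with a script tag.
        String comment = "I <3 coffee & <script>alert(1)</script>";
        System.out.println(renderComment(comment));
    }
}
```

In a JSP page the same effect comes from `<c:out value="${comment}"/>`, whereas a bare `${comment}` in template text writes the string unescaped.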

(27)

Programmatic and declarative security

• Declarative security

– You specify what pages to protect

– The container maintains specific roles

– Even EJB methods can be protected based on such roles

– Form-based and other methods

• Programmatic security

– The developer maintains security

• Checks if the user identity is appropriate for a specific action

– However, you can ask the container to authenticate programmatically

– In short: you can use container-based authentication even if you have programmatic authorization

(28)

Programmatic and declarative security

• As in many other cases in the course

– If a declarative approach matches what you want to do, it is probably the safer and more clear way to do it

– Less things that can go wrong (in your code)

– Relying more on the code already written and tested by others

– More clear to a future person who is going to implement changes

(29)

All-https

• Why would we want to encrypt login?

– To protect user name and password

– Can be done with hashes over a “clear” channel (digest-style authentication)

• Why would we want to stay logged in?

– The user gets a cookie for identifying the session

– Every single request contains that cookie

– Gaining access to the user’s account is just a matter of capturing that cookie over an unencrypted
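An added example, not from the slides, of how the declarative and programmatic pieces of slides 27 and 29 meet in one servlet: the annotations hand page protection and HTTPS enforcement to the container, and the method body keeps only the per-action check. The servlet path, the roles staff and admin, and the order-cancelling action are assumptions.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Declarative part: the container lets only authenticated "staff" or "admin"
// users reach this servlet at all, and CONFIDENTIAL makes it redirect plain HTTP
// to HTTPS, so the session cookie is never sent in the clear for these pages.
@DeclareRoles({"staff", "admin"})
@WebServlet("/admin/orders")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"staff", "admin"},
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class AdminOrdersServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Both roles may read; the identity was established by the container.
        resp.setContentType("text/plain");
        resp.getWriter().println("Order overview for " + req.getRemoteUser());
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Programmatic part: a per-action check in code, on top of the container's
        // authentication. Cancelling an order is reserved for the "admin" role.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // ... ask the model (an EJB) to cancel req.getParameter("orderId") here ...
        resp.setContentType("text/plain");
        resp.getWriter().println("Order cancelled by " + req.getRemoteUser());
    }
}
```

For the parts of the site outside this constraint, `<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in web.xml makes the browser withhold the session cookie from any plain-HTTP request, which is the capture risk the slide describes.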

(30)

Project demonstrations

• If you demonstrate now, no requirement to demonstrate in person later

(31)

Your questions?

• Related to

– The exam

– The project
