Thursday, April 3, 2008

SCWCD notes-set 2

1. The Servlet Model

1.1. Identify corresponding method in HttpServlet class for each of the followingHTTP methods:

1.1.1. GET: protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException,IOException

1.1.2. POST:protected void doPost(HttpServletRequest req,HttpServletResponse res) throws ServletException, IOException

1.1.3. PUT:protected void doPut(HttpServletRequest req,HttpServletResponse res) throws ServletException, IOException

1.2. GET, POST and HEAD

1.2.1. Identify triggers that might cause a browser to use:

1.2.1.1. GET: (a) typing url directly into a browser, (b) clicking on a hyperlink, (c)submitting html form with ‘method=get’ or no method attribute

1.2.1.2. POST:(a) submitting html form with ‘method=post’

1.2.1.3. HEAD:(a) may be used by a browser to check modification time for purposes of caching

1.2.2. Identify benefits or functionality of:

1.2.2.1. GET:

1.2.2.1.1. designed for getting information (e.g. document, chart, results of query)

1.2.2.1.2. caninclude a query string (some servers limit this to about 240 characters) forsending information to server

1.2.2.1.3. requested page can be bookmarked

1.2.2.2. POST:

1.2.2.2.1. designed for posting information (e.g. credit card #, info to be stored in a db)

1.2.2.2.2. passesall its data (of unlimited length) to server as part of its http request body

1.2.2.2.3. postscannot be bookmarked or, in some cases, even reloaded

1.2.2.2.4. hidessensitive information from server log by including it in the message bodyinstead of the url query string

1.2.2.3. HEAD:

1.2.2.3.1. sent by a client when it wants to see only the headers of the response, todetermine the document’s size, modification time, or generalavailability.

1.2.2.3.2. Theservice() method treats HEAD requests specially. It calls doGet with a modifiedresponse object, which suppresses any output but retains headers.

1.3. For each of the following operations, identify the interface and method namethat should be used:

1.3.1. Retrieve HTML form parameters from the request:

1.3.1.1. Enumeration ServletRequest.getParameterNames() - returns empty enum if no parameters

1.3.1.2. StringServletRequest.getParameter(String name) - returns nullif does not exist

1.3.1.3. String[]ServletRequest.getParameterValues(String name) - returnsnull if does not exist

1.3.2. Retrieve a servlet initialization parameter:

1.3.2.1. Enumeration ServletConfig.getInitParameterNames() - returns empty enum if no init parameters

1.3.2.2. StringServletConfig.getInitParameter(String name) - returnsnull if does not exist

1.3.3. Retrieve HTTP request header information:

1.3.3.1. Enumeration HttpServletRequest.getHeaderNames() - returns empty enum if no headers

1.3.3.2. StringHttpServletRequest.getHeader(String name) - returns nullif does not exist

1.3.3.3. Enumeration HttpServletRequest.getHeaders(String name) - returns empty enum if no headers

1.3.3.4. longgetDateHeader(String name) - returns -1 if does not exist

1.3.3.5. intgetIntHeader(String name) - returns -1 if does not exist

1.3.4. Set an HTTP response header; set the content type of the response

1.3.4.1. void HttpServletResponse.setHeader(String name, String value) - if header already exists, overwrites its value

1.3.4.2. voidHttpServletResponse.setIntHeader(String name, int value)

1.3.4.3. voidHttpServletResponse.setDateHeader(String name, longdate)

1.3.4.4. voidHttpServletResponse.addHeader(String name, String value)- if header already exists, adds an additional value

1.3.4.5. voidHttpServletResponse.addIntHeader(String name, int value)

1.3.4.6. voidHttpServletResponse.addDateHeader(String name, longdate)

1.3.4.7. voidHttpServletResponse.setContentType(String type) –if calling getWriter(), then setContentType should be called first

1.3.5. Acquire a text stream for the response

1.3.5.1. PrintWriter ServletResponse.getWriter() throws IOException - character encoding may be set bycalling setContentType, which must be called before calling getWriter()

1.3.6. Acquire a binary stream for the response

1.3.6.1. ServletOutputStream ServletResponse.getOutputStream() throws IOException

1.3.7. Redirect an HTTP request to another URL

1.3.7.1. void HttpServletResponse.sendRedirect(String location) throws IllegalStateException IOException

1.3.7.2. setsstatus to SC_MOVED_TEMPORARILY, sets the Location header, and performs an implicit reset on theresponse buffer before generating the redirect page; headers set beforesendRedirect() remain set

1.3.7.3. must becalled before response body is committed, else throws IllegalStateException

1.3.7.4. the pathmay be relative or absolute

1.3.7.5. tosupport clients without redirect capability, method writes a short response bodythat contains a hyperlink to the new location; so do not write your own msg body

1.4. Identify the interface and method to access values and resources and to setobject attributes within the following three Web scopes:

1.4.1. Request (Interfaces: ServletRequest andHttpServletRequest)

1.4.1.1. Enumeration ServletRequest.getAttributeNames() - returns empty enumeration if no attributes

1.4.1.2. ObjectServletRequest.getAttribute(String name) - returns nullif does not exist

1.4.1.3. voidsetAttribute(String name, Object obj) - most often usedin conjunction with RequestDispatcher; attrib names should follow sameconvention as pkg names

1.4.1.4. voidremoveAttribute(String name)

1.4.1.5. StringServletRequest.getCharacterEncoding() - returns encodingused in request body, or null if not specified

1.4.1.6. intServletRequest.getContentLength() - returns length ofrequest body or -1 if unknown

1.4.1.7. StringServletRequest.getContentType() - returns mime type ofrequest body or null if unknown

1.4.1.8. StringServletRequest.getProtocol() - returns protocol/version,e.g. HTTP/1.1

1.4.1.9. StringServletRequest.getScheme() - scheme used to make thisrequest, e.g. ftp, http, https

1.4.1.10. StringServletRequest.getServerName()

1.4.1.11. intServletRequest.getServerPort()

1.4.1.12. StringHttpServletRequest.getAuthType() - e.g. BASIC, SSL, ornull if not protected

1.4.1.13. StringHttpServletRequest.getContextPath() - e.g.“/myservlet”

1.4.1.14. StringHttpServletRequest.getMethod() - e.g. GET, POST, HEAD,PUT

1.4.1.15. StringHttpServletRequest.getPathInfo() - returns extra pathinfo (string following servlet path but preceding query string); null if doesnot exist

1.4.1.16. StringHttpServletRequest.getPathTranslated() - translatesextra path info to a real path on the server

1.4.1.17. StringHttpServletRequest.getQueryString() - returns querystring; null if does not exist

1.4.1.18. StringHttpServletRequest.getRemoteUser() - returns null ifuser not authenticated

1.4.1.19. Principal HttpServletRequest.getUserPrincipal() - returns null if user not authenticated

1.4.1.20. StringHttpServletRequest.getRequestURI() - e.g. if request is“POST /some/path.html HTTP/1.1”, then returns “/some/path.html”

1.4.1.21. StringHttpServletRequest.getServletPath() - returns servletpath and name, but no extra path info

1.4.1.22. HttpSession HttpServletRequest.getSession(boolean create)

1.4.1.23. HttpSession HttpServletRequest.getSession() - calls getSession(true)

1.4.2. Session (Interface: HttpSession)

1.4.2.1. Enumeration HttpSession.getAttributeNames() - returns empty enumeration if no attributes; IllegalStateException ifsession invalidated

1.4.2.2. ObjectHttpSession.getAttribute(String name) - returns null ifno such object

1.4.2.3. voidHttpSession.setAttribute(java.lang.String name,java.lang.Object value)

1.4.2.4. voidHttpSession.removeAttribute(java.lang.String name)

1.4.2.5. StringHttpSession.getId() - returns unique session identifierassigned by servlet container

1.4.2.6. longHttpSession.getLastAccessedTime() - time when clientlast sent a request associated with this session

1.4.2.7. intHttpSession.getMaxInactiveInterval() - returns number ofseconds this session remains open between client requests; -1 if session shouldnever expire

1.4.2.8. voidHttpSession.setMaxInactiveInterval(int interval)

1.4.3. Context (Interface: ServletContext)

1.4.3.1. Enumeration getAttributeNames() - Returns an Enumeration containing the attribute names available within thisservlet context.

1.4.3.2. ObjectgetAttribute(String name) - Returns the servletcontainer attribute with the given name, or null if there is no attribute bythat name.

1.4.3.3. voidsetAttribute(String name, java.lang.Object object) -Binds an object to a given attribute name in this servlet context.

1.4.3.4. voidremoveAttribute(String name) - Removes the attributewith the given name from the servlet context.

1.4.3.5. ServletContext getContext(String uripath) -Returns a ServletContext object that corresponds to a specified URL on theserver.

1.4.3.6. StringgetInitParameter(String name) - Returns a Stringcontaining the value of the named context-wide initialization parameter, or nullif does not exist.

1.4.3.7. Enumeration getInitParameterNames() -Returns names of the context's initialization parameters as Enumeration ofString objects

1.4.3.8. intgetMajorVersion() - Returns the major version of theJava Servlet API that this servlet container supports.

1.4.3.9. intgetMinorVersion() - Returns the minor version of theServlet API that this servlet container supports.

1.4.3.10. StringgetMimeType(String file) - Returns the MIME type of thespecified file, or null if the MIME type is not known.

1.4.3.11. RequestDispatcher getNamedDispatcher(String name) - Returns a RequestDispatcher object that acts as a wrapper forthe named servlet.

1.4.3.12. RequestDispatcher getRequestDispatcher(String path) - Returns a RequestDispatcher object that acts as a wrapper forthe resource located at the given path.

1.4.3.13. StringgetRealPath(String path) - Returns a String containingthe real path for a given virtual path.

1.4.3.14. java.net.URL getResource(String path) -Returns a URL to the resource that is mapped to a specified path.

1.4.3.15. InputStream getResourceAsStream(Stringpath) - Returns the resource located at the named path as an InputStream object.

1.4.3.16. StringgetServerInfo() - Returns the name and version of theservlet container on which the servlet is running.

1.5. For each of the following life-cycle method, identify its purpose and how andwhen it is invoked:

1.5.1. public void init() throws ServletException:

1.5.1.1. called after server constructs the servlet instance and before the serverhandles any requests

1.5.1.2. depending on the server and web app configuration, init() may be called at any ofthese times: (a) when server starts, (b) when the servlet is first requested,just before the service() method is invoked, (c) at the request of the serveradministrator

1.5.1.3. ifservlet specifies <load-on-startup/> in its web.xml file, then upon serverstartup, the server will create an instance of the servlet and call its init()method.

1.5.1.4. typically used to perform servlet initialization, e.g. loadingobjects used by servlet to handle requests, reading in servlet init parameters,starting a background thread.

1.5.1.5. servletcannot be placed into service if init method throws ServletException or does notreturn within a server-defined time period

1.5.1.6. init()can only be called once per servlet instance

1.5.2. public void service() throws ServletException, IOException:

1.5.2.1. called by the servlet container to allow the servlet to respond to a request.

1.5.2.2. thismethod is only called after the servlet's init() method has completedsuccessfully.

1.5.2.3. servlets typically run inside multithreaded servlet containers that can handlemultiple requests concurrently. developers must be aware to synchronize accessto any shared resources such as files and network connections, as well as the servlet's class and instance variables.

1.5.3. public void destroy():

1.5.3.1. called after the servlet has been taken out of service and all pending requeststo the servlet have been completed or timed out

1.5.3.2. givesthe servlet an opportunity to clean up any resources that are being held (forexample, memory, file handles, threads) and make sure that any persistent stateis synchronized with the servlet's current state in memory

1.5.3.3. callingsuper.destroy() causes GenericServlet.destroy() to write a note to the log thatthe servlet is being destroyed

1.5.3.4. destroy()called once per servlet instance; destroy() not called ifserver crashes, so should save state (if needed) periodically after servicingrequests

1.5.4. Note: servlet reloading

1.5.4.1. most servers automatically reload a servlet after its class file (under servletdir, e.g. WEB-INF/classes) changes. when a server dispatches a request to aservlet, it first checks whether the servlet’s class file has changed on disk. If it has, then the server creates a new custom class loader, andreloads the entire web application context.

1.5.4.2. classreloading is not based on support class changes or on changes in classes foundin the server’s classpath, which are loaded by the core, primordial classloader.

1.6. Use a RequestDispatcher to include or forward to a Web resource

1.6.1. include:

1.6.1.1. public void include(ServletRequest request, ServletResponse response) throwsServletException, IOException

1.6.1.2. Includesthe content of a resource (servlet, JSP page, HTML file) in the response. Inessence, this method enables programmatic server-side includes.

1.6.1.3. TheServletRequest object has its path elements (e.g. attributes request_uri,context_path, and servlet_path) and parameters remain unchanged from thecaller's.

1.6.1.4. Theincluded servlet cannot change the response status code or set headers; anyattempt to make a change is ignored.

1.6.1.5. Therequest and response parameters must be the same objects as were passed to thecalling servlet's service method.

1.6.1.6. Theincluded resource must use the same output mechanism (e.g. PrintWriter orServletOutputStream) as the caller’s

1.6.1.7. Information can be passed to target using attached query string orusing request attributes set with setAttribute() method.

1.6.2. forward:

1.6.2.1. public void forward(ServletRequest request, ServletResponse response) throwsServletException, IOException

1.6.2.2. Forwards a request from a servlet to another resource (servlet, JSP file, orHTML file) on the server. This method allows one servlet to do preliminaryprocessing of a request and another resource to generate the response. Theforwarding servlet generates no output, but may set headers.

1.6.2.3. TheServletRequest object has its path attributes adjusted to match the path of thetarget resource. Any new request parameters are added to the original.

1.6.2.4. forward() should be called before the response hasbeen committed to the client (before response body output has been flushed). Ifthe response already has been committed, this method throws anIllegalStateException. Uncommitted output in the response buffer isautomatically cleared before the forward.

1.6.2.5. Therequest and response parameters must be the same objects as were passed to thecalling servlet's service method.

1.6.2.6. Information can be passed to target using attached query string orusing request attributes set with setAttribute() method.

1.6.2.7. forwarding to an html page containing relative url’s included (e.g. <IMG> tags) is a bad idea, because forward() does not notifyclient about the directory from which the page is served, hence the links may bebroken. Instead, use sendRedirect().

1.6.3. Note: to get a request dispatcher object:

1.6.3.1. public RequestDispatcher ServletRequest.getRequestDispatcher(String path) - pathmay be relative, and cannot extend outside current servlet context

1.6.3.2. publicRequestDispatcher ServletContext.getNamedDispatcher(String name) - name is theregistered servlet name in web.xml file

1.6.3.3. publicRequestDispatcher ServletContext.getRequestDispatcher(String path) - acceptsonly absolute paths, and not relative paths

2. The Structure and Deployment of Modern Servlet Web Applications

2.1. Identify the following:

2.1.1. Structure of a Web Application

2.1.1.1. the following web application hierarchy is placed under a context root directorywithin the server’s webapps directory (or something similar, depending onthe server) :

2.1.1.1.1. /[any files to be served to the client, e.g. index.html, images/banner.gif]

2.1.1.1.2. /WEB-INF/web.xml

2.1.1.1.3. /WEB-INF/lib/[any required jar files]

2.1.1.1.4. /WEB-INF/classes/[servlet and support class files in theirpackage hierarchies, e.g. com/mycorp/frontend/CorpServlet.class]

2.1.2. Structure of a Web Archive file

2.1.2.1. this is a JAR archive of the Web Application structure above; it just has a WARextension so that people and tools know to treat it differently

2.1.2.2. a WARfile can be placed in a server’s webapps directory, and the server willextract it on startup

2.1.3. Name of Web App deployment descriptor: web.xml

2.1.4. Name ofdirectories where you place the following:

2.1.4.1. Web App deployment descriptor: see 2.1.1.2

2.1.4.2. Web Appclass file: see 2.1.1.4

2.1.4.3. Anyauxhiliary JAR files: see 2.1.1.3

2.2. Identify the purpose or functionality for each of the following deploymentdescriptor elements:

2.2.1. servlet instance:

2.2.1.1. <servlet> {servlet-name, servlet-class, init-param, etc.} </servlet>

2.2.1.2. declaresa servlet instance; included within <web-app> </web-app> tags

2.2.2. servlet name:

2.2.2.1. <servlet-name></servlet-name>

2.2.2.2. registers the servlet under a specific name

2.2.3. servlet class:

2.2.3.1. <servlet-class></servlet-class>

2.2.3.2. containsthe fully qualified class name of the servlet

2.2.4. initialization parameters:

2.2.4.1. <init-param> {param-name, param-value} </init-param>

2.2.4.2. definesvalues that can be set at deployment time and read at run-time viaServletConfig.getInitParameter(String name)

2.2.5. url to named servlet mapping

2.2.5.1. <servlet-mapping> <servlet-name> helloServlet </servlet-name> <url-pattern>/hello.html </url-pattern> </servlet-mapping>ß this maps http://server:port/context_root/hello.html to the helloServletservlet.

2.2.5.2. zero ormore mappings may be defined per web app

2.2.5.3. 4 typesof mappings, searched in the following order: (a) explicitmappings, e.g. /hello.html (b) path prefix mappings e.g. /dbfile/* (c)extension mappings e.g. *.jsp or *.gif (d) the default mapping “/”,identifying the default servlet for the web app

3. The Servlet Container Model

3.1. Servlet Context Init Parameters

3.1.1.1. purpose: defines init parameters accessible by all servlets in the webapplication context; set-able at deployment-time, but accessible at run-time

3.1.1.2. interfaces (or classes): javax.servlet.ServletContext

3.1.1.3. methods:public Enumeration getInitParameterNames() and public StringgetInitParameter(String name)

3.1.1.4. webappdeployment descriptor element name: <context-param> {param-name, param-value}</context-param>

3.1.1.5. behaviorin a distributable: Consider that a different instance of the ServletContext may exist on each different JVM and/or machine. Therefore, the context should not be used to store application state. Any stateshould be stored externally, e.g. in a database or ejb.

3.2. Servlet Context Listener

3.2.1.1. purpose: An object that implements the ServletContextListener interface is notifiedwhen its web app context is created or destroyed

3.2.1.2. interfaces (or classes): javax.servlet.ServletContextListener

3.2.1.3. methods:

3.2.1.3.1. void contextInitialized(ServletContextEvent e): called during web server startupor when context is added or reloaded; requests will not be handled until thismethod returns

3.2.1.3.2. voidcontextDestroyed(ServletContextEvent e): called during web server shutdown orwhen context is removed or reloaded; request handling will be stopped beforethis method is called

3.2.1.4. webapp deployment descriptor element name: <listener> <listener-class>{fully qualified class name} </listener-class> <listener>

3.2.1.5. behaviorin a distributable: Each context instance (on different jvm’s and/or machines) will have its own instance of the listener object. Therefore,if a context on one jvm/machine is initialized or destroyed, it will not triggera listener on any other jvm/machine.

3.3. Servlet Context Attribute Listener

3.3.1.1. purpose: An object that implements the ServletContextAttributeListener interfaceis notified when attributes are added to or removed from its web app context

3.3.1.2. interfaces (or classes):javax.servlet.ServletContextAttributeListener

3.3.1.3. methods:voidattributeAdded/attributeRemoved/attributeReplaced(ServletContextAttributeEvente)

3.3.1.4. webappdeployment descriptor element name: <listener> <listener-class> {fullyqualified class name} </listener-class> <listener>

3.3.1.5. behaviorin a distributable: Addition, removal or replacement of an attribute in acontext will only affect the listener for that context, and not other context“instances” on other jvm’s and/or machines.

3.4. HttpSession Attribute Listener

3.4.1.1. purpose: An object that implements the HttpSessionAttributeListener interface isnotified when a session attribute is added, removed or replaced

3.4.1.2. interfaces (or classes):javax.servlet.http.HttpSessionAttributeListener

3.4.1.3. methods: void attributeAdded/attributeRemoved/attributeReplaced(HttpSessionBindingEvente)

3.4.1.4. webappdeployment descriptor element name: <listener> <listener-class> {fullyqualified class name} </listener-class> <listener>

3.4.1.5. behaviorin a distributable: sessions may migrate from one jvm or machine to another;hence the session unbind event may occur on a different jvm/machine than thesession bind event.

3.5. Http Session Listener

3.5.1.1. purpose: An object that implementsthe HttpSessionListener interface is notified when a session is created ordestroyed in its web app context

3.5.1.2. interfaces (or classes): javax.servlet.http.HttpSessionListener

3.5.1.3. methods:

3.5.1.3.1. void sessionCreated(HttpSessionEvent e)

3.5.1.3.2. voidsessionDestroyed(HttpSessionEvent e) - called when session is destroyed(invalidated)

3.5.1.4. webapp deployment descriptor element name: <listener> <listener-class>{fully qualified class name} </listener-class> <listener>

3.5.1.5. behaviorin a distributable: sessions may migrate from one jvm or machine to another;hence the session destroy event may occur on a different jvm/machine than thesession create event.

4. Designing and Developing Servlets to Handle Server-Side Exceptions

4.1. For each of the following cases, identify correctly constructed code forhandling business logic exceptions, and match that code with correct statementsabout the code’s behavior:

4.1.1. return an http error using setStatus

4.1.1.1. public void HttpServletResponse.setStatus(int statusCode)

4.1.1.2. if thisis not called, the server by default sets the status code to SC_OK(200).

4.1.1.3. examplestatus codes: HttpServletResponse.SC_OK(200), SC_NOT_FOUND(404), SC_NO_CONTENT,SC_MOVED_TEMPORARILY/PERMANENTLY, SC_UNAUTHORIZED, SC_INTERNAL_SERVER_ERROR, SC_NOT_IMPLEMENTED,SC_SERVICE_UNAVAILABLE

4.1.1.4. callingsetStatus() on an error leaves a servlet with the responsibility of generatingthe error page

4.1.1.5. must becalled before the response is committed, otherwise call is ignored

4.1.2. return an http error using sendError

4.1.2.1. public void HttpServletResponse.sendError(int statusCode[, StringstatusMessage]) throws IllegalStateException, IOException

4.1.2.2. thesendError() method causes the server to generate and send an appropriateserver-specific page describing the error (unless <error-page> defined inweb.xml)

4.1.2.3. with thetwo argument version of this method, the server may include the status messagein the error page, depending on the server implementation

4.1.2.4. must becalled before response body is committed, else throws IllegalStateException

4.2. Given a set of business logic exceptions, identify the following:

4.2.1. configuring deployment descriptor for error handling

4.2.1.1. <web-app> … <error-page> <error-code> 404 </error-code> <location> /404.html </location></error-page> … </web-app>

4.2.1.2. thisspecifies that any call to sendError(), from within this web app, with 404 errorcode should display /404.html; this includes requests for static pages thatresult in 404 error code

4.2.1.3. thevalue of location must begin with ‘/’, is treated as based in thecontext root, and must refer to a resource within the context

4.2.1.4. <location> may be dynamic (e.g. jsp, servlet); for these, theserver makes available the following request attributes:javax.servlet.error.status_code and javax.servlet.error.message

4.2.2. configuring deployment descriptor for exception handling

4.2.2.1. <web-app> … <error-page> <exception-type> javax.servlet.ServletException</exception-type> <location> /servlet/ErrorDisplay </location></error-page> … </web-app>

4.2.2.2. how theserver handles exceptions thrown by a servlet is server-dependent, unless an<error-page> entry exists for a specific exception type or a superclass

4.2.2.3. <location> may be dynamic (e.g. jsp, servlet); for these, the server makesavailable the following request attributes: javax.servlet.error.exception_type &javax.servlet.error.message; the exception object itself is not made available;hence no way to get a stack trace

4.2.2.4. servlets must catch all exceptions except those that subclass ServletException,IOException and RuntimeException (IOException may be caused by client closingthe socket by exiting the browser)

4.2.2.5. aServletException may be created with a message and a “root cause”, bothoptional, e.g. { throw new ServletException(“execution interrupted”,InterruptedException); }

4.2.2.6. publicThrowable ServletException.getRootCause() returns the root cause exception

4.2.2.7. javax.servlet package also defines a subclass of ServletExceptioncalled UnavailableException(String msg[, int seconds]), which causes server totake servlet out of service

4.2.3. using RequestDispatcher to forward to an error page: see section 1.6above

4.3. Identify the method used for the following:

4.3.1. writing a message to the Web App log:

4.3.1.1. void log(String msg) - Writes the specified message to a servlet log file,usually an event log.

4.3.1.2. voidlog(String message, java.lang.Throwable throwable) - Writes an explanatorymessage and a stack trace for a given Throwable exception to the servlet logfile.

4.3.1.3. theseare methods are available in GenericServlet and ServletException

4.3.2. writing a message and an exception to the Web App log:

4.3.2.1. public void GenericServlet.log(String msg, Throwable t)

4.3.2.2. writesthe given message and the Throwable’s stack trace to a servlet log; exactoutput format and location of log are server specific

5. Designing and Developing Servlets Using Session Management

5.1. Identify the interface and method for each of the following:

5.1.1. retrieve a session object across multiple requests to the same or differentservlets within the same webapp

5.1.1.1. public HttpSession HttpServletRequest.getSession([boolean create])

5.1.1.2. if noargument provided, then server will automatically create a new session object ifnone exists for the user in the web app context

5.1.1.3. to makesure the session is properly maintained, getSession must be called at least oncebefore committing the response

5.1.1.4. sessionsare scoped at the web application level; so a servlet running inside one contextcannot access session information saved by another context.

5.1.1.5. behindthe scenes, the client’s session id is usually saved on the client in acookie called JSESSIONID. For client that don’t support cookies, the session ID can be sent as part of a rewritten URL,encoded using a jsessionid path parameter.

5.1.1.6. notethat a requested session id may not match the id of the session returned by the getSession() method, such as when the id isinvalid. one can call req.isRequestedSessionIDValid() to test if the requestedsession id (that which was defined in the rewritten url or the persistentcookie) is valid.

5.1.2. store objects into a session object

5.1.2.1. public void HttpSession.setAttribute(String name, Object value) throwsIllegalStateException

5.1.2.2. bindsthe specified object under the specified name. Any existing binding with thesame name is replaced.

5.1.2.3. IllegalStateException thrown if session being accessed is invalid

5.1.3. retrieve objects from a session object

5.1.3.1. public Object HttpSession.getAttribute(String name) throws IllegalStateException-- returns the object bound under the specified name or null if there is nobinding

5.1.3.2. publicEnumeration HttpSession.getAttributeNames() throws IllegalStateException --returns all bound attribute names as an enumeration of Strings (empty enum if nobindings)

5.1.3.3. publicvoid HttpSession.removeAttribute(String name) throws IllegalStateException --removes binding or does nothing if binding does not exist

5.1.4. respond to the event when a particular object is added to a session

5.1.4.1. any object that implements the javax.servlet.http.HttpSessionBindingListener interface is notified when it is bound to or unbound from asession.

5.1.4.2. publicvoid valuBound(HttpSessionBindingEvent event) is called when the object is boundto a session

5.1.4.3. publicvoid valuUnbound(HttpSessionBindingEvent event) is called when the object isunbound from a session, by being removed or replaced, or by having the sessioninvalidated

5.1.5. respond to the event when a session is created or destroyed: seesection 3.5

5.1.6. expunge asession object

5.1.6.1. public void HttpSession.invalidate() – causes the session to be immediately invalidated. All objects stored in thesession are unbound. Call this method to implement a “logout”.

5.2. given a scenario, state whether a session object will be invalidated

5.2.1. ideally, a session would be invalidated as soon as the user closed his browser,browsed to a different site, or stepped away from his desk. Unfortunately,there’s no way for a server to detect any of these events.

5.2.2. sessionmay expire automatically, after a set timeout of inactivity (tomcat default is30 minutes)

5.2.3. timeoutcan be overridden in web.xml file by specifying<web-app>…<session-config><session-timeout>e.g.60</session-timeout></session-config> </web-app>

5.2.4. timeoutcan be overridden for a specific session by callingHttpSession.setMaxInactiveInterval(int secs) – negative value indicatessession should never time out.

5.2.5. sessionmay expire manually, when it is explicitly invalidated by a servlet by callinginvalidate()

5.2.6. a servershutdown may or may not invalidate a session, depending on the capabilities ofthe server

5.2.7. when asession expires (or is invalidated), the HttpSession object and the data valuesit contains are removed from the system; if you need to retain information beyond a sessionlifespan, you should keep it in an external location (e.g. a database)

5.3. given that url-rewriting must be used for session management, identify thedesign requirement on session-related html pages

5.3.1. For a servlet to support session tracking via URL rewriting, it has to rewriteevery local URL before sending it to the client.

5.3.2. publicString HttpServletResponse.encodeURL(String url)

5.3.3. publicString HttpServletResponse.encodeRedirectURL(String url)

5.3.4. both methods encode the given url to include the session id and returns the newurl, or, if encoding is not needed or is not supported, it leaves the urlunchanged. The rules for when and how to encode are server-specific.

5.3.5. note that when using session tracking based on url rewriting that multiplebrowser windows can belong to different sessions or the same session, dependingon how the windows were created and whether the link creating the windows wasurl rewritten.

5.4. Note: Using Cookies:

5.4.1.1. To send a cookie to a client: {Cookie cookie = newCookie(“name”,“value”); res.addCookie(cookie);}.

5.4.1.2. Toretrieve cookies: {Cookie[] cookies = req.getCookies();}

5.5. Note: Http Session Activation Listener

5.5.1. purpose: Objects that are bound to a session may listen to container eventsnotifying them when that session will be passivated and when that session hasbeen activated. A container that migrates sessions between VMs or persistssessions is required tonotify all attributes bound to sessions implementingHttpSessionActivationListener.

5.5.2. voidsessionWillPassivate(HttpSessionEvent e) - session is about to move; it willalready be out of service when this method is called

5.5.3. voidsessionDidActivate(HttpSessionEvent e) - session has been activated on newserver; session will not yet be in service when this method is called

6. Designing and Developing Secure Web Applications

6.1. identify correct descriptions or statements about the security issues:

6.1.1. Authentication: Being able to verify the identities of the partiesinvolved

6.1.2. Authorization: Limiting access to resources to a select set of usersor programs

6.1.3. Integrity:Being able to verify that the content of the communication is not changed duringtransmission

6.1.4. Auditing: Keeping a record of resource access that was granted or denied mightbe useful for audit purposes later. To that end, auditing and logs serve theuseful purposes of preventing a break-in or analyzing a break-in post mortem.

6.1.5. MaliciousCode:

6.1.6. Web SiteAttacks:

6.1.7. Confidentiality: Ensuring that only the parties involved canunderstand the communication

6.2. Identify deployment descriptor element names, and their structures, that declarethe following

6.2.1. <web-app>

6.2.1.1. <servlet> <servlet-name>secretSalary<servlet-name><servlet-class>SalaryServer</servlet-class> </sevlet>

6.2.1.2. <security-constraint>ß indicates certain pages in a web app are to be accessed by users in a certainrole (role-to-user mappings stored in server-specific format)

6.2.1.2.1. <web-resource-collection>

6.2.1.2.1.1. <web-resource-name>protectedResource</web-resource-name>

6.2.1.2.1.2. <url-pattern>/servlet/SalaryServer</url-pattern>ß same wildcards allowed as forservlet mappings

6.2.1.2.1.3. <url-pattern>/servlet/secretSalary</url-pattern>

6.2.1.2.1.4. <http-method>GET</http-method>ß if no methods specified, then all methods are protected

6.2.1.2.1.5. <http-method>POST</http-method>

6.2.1.2.2. </web-resource-collection>

6.2.1.2.3. <auth-constraint><role-name>manager</role-name><role-name>ceo</role-name></auth-constraint>ß if no role-name, then not viewable by anyuser; if role-name = “*” then viewable by all roles

6.2.1.2.4. <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>ß optional, indicates SSL security

6.2.1.3. </security-constraint>

6.2.1.4. <login-config>

6.2.1.4.1. <auth-method>BASIC/DIGEST/FORM/CLIENT-CERT</auth-method>

6.2.1.4.2. <realm-name>Default </realm-name>ß optional, only useful for BASIC authentication

6.2.1.4.3. <form-login-config> ß optional, only useful for FORM based authentication

6.2.1.4.3.1. <form-login-page>/loginpage.html</form-login-page><form-error-page>/errorpage.html</form-error-page>

6.2.1.4.4. </form-login-config>

6.2.1.5. </login-config>

6.2.1.6. <security-role><role-name>manager</role-name></security-role>ß not req’d; explicitly declaring the webapp’s roles supports tool-based manipulation of the file

6.2.2. </web-app>

6.3. For each of the following authentication types, identify the correct definition of itsmechanism

6.3.1. BASIC

6.3.1.1. web server maintains a db of usernames and passwords, and identifies certain webresources as protected. When these are accessed, web server requests username and password; this information is sent back to the server, whichchecks it against its database; and either allows or denies access.

6.3.1.2. Disadvantage: provides no confidentiality, no integrity, and onlythe most basic authentication.

6.3.1.3. Disadvantage: Transmitted passwords are encoded using easilyreversable Base64 encoding, unless additional SSL encryption employed.

6.3.1.4. Disadvantage: plus, passwords are often stored on server in cleartext

6.3.1.5. Advantage: very easy to set up; useful for low-securityenvironments, e.g. subscription-based online newspaper

6.3.2. DIGEST

6.3.2.1. variation to BASIC scheme; instead of transmitting password over networkdirectly, digest of password used instead, produced by taking a hash ofusername, password, uri, http method, and a randomly generated nonce value provided by server. Server computes digest as well, and compares with usersubmitted digest.

6.3.2.2. Advantage: transactions are somewhat more secure than with basicauthentication, since each digest is valid for only a single uri request andnonce value.

6.3.2.3. Disadvantage: server must still maintain a database of the originalpasswords

6.3.2.4. Disadvantage: digest authentication is not supported by very manybrowsers

6.3.3. FORM

6.3.3.1. the login page must include a form with a POST to the URL “j_security_check” with a username sent as j_username and a passwordj_password.

6.3.3.2. any timethe server receives a request for a protected resource, the server checks if theuser hasalready logged in, e.g. server might look for Principal object in HttpSessionobject. If Principal found, then roles are checked against security contraints;if Principal not authorized, then client redirected to <form-error-page>

6.3.3.3. Advantage: allows users to enter your site through a well-designed,descriptive and friendly login page

6.3.3.4. Disadvantage: similar to BASIC, password is transmitted in cleartext, unless SSL used

6.3.3.5. Disadvantage: similar to BASIC, no standard logout mechanism(calling session.invalidate() may work for FORM, but no guarantees), would needto close browser

6.3.3.6. Disadvantage: error page does not have access to any specialinformation reporting why access was denied or even which page it should pointthe user at to try again

6.3.3.7. Disadvantage: similar to BASIC, relies on server to authenticate,so only captures username and password, not custom fields e.g. PIN #.

6.3.4. CLIENT-CERT

6.3.4.1. BASIC, even with SSL encryption, does not ensure strong client authenticationsince anyone could have guessed or gotten hold of client’s username andpassword

6.3.4.2. uponaccessing a protected resource, the server requests the client’scertificate; the client then sends its signed certificate (many browsers require the client userenter a password before they will send the certificate), and the server verifiesthe certificate. If browser has no certificate, or if it is not authorized, thenaccess is denied.

6.3.4.3. Advantage: the client will never see a login page, although thebrowser may prompt for a password to unlock their certificate before it is sent

6.3.4.4. Disadvantages: users must obtain and install signed certificates,servers must maintain a database of all accepted public keys, and servers mustsupport SSL 3.0 in the first place.

7. Designing and Developing Thread-Safe Servlets

7.1. Identify which attribute scopes are thread-safe:

7.1.1. local variables: yes, thread-safe

7.1.2. instancevariables: not thread-safe, since a single servlet instance may be handlingmultiple service requests at any given time

7.1.3. classvariables: not thread-safe, since multiple servlets and/or service requests maytry to access a class variable concurrently

7.1.4. requestattributes: yes, thread-safe, since the request object is a local variable

7.1.5. sessionattributes: not thread-safe, since sessions are scoped at the web applicationlevel, hence the same session object can be accessed concurrently by multiple servlets and their service requests

7.1.6. contextattributes: not thread-safe, since the same context object can be accessedconcurrently by multiple servlets and their service requests

7.2. Identify correct statements about differences between multi-threaded and single-threaded servlet models

7.2.1. multi-thread model servlet:

7.2.1.1. one servlet instance per registered name

7.2.1.2. for eachservlet request, the server spawns a separate thread which executes theservlet’s service() method

7.2.1.3. mustsynchronize access to instance variables

7.2.2. single-thread model servlet:

7.2.2.1. has a pool of servlet instances per registered name (depending on the serverimplementation, the pool size may be configurable or not, and may be as littleas one.)

7.2.2.2. guaranteed by server “that no two threads will executeconcurrently in the servlet’s service method”

7.2.2.3. considered thread-safe and isn’t required to synchronizeaccess to instance variables

7.2.2.4. does notprevent synchronization problems that result from servlets accessing shared resources such as static variables orobjects outside the scope of the servlet (e.g. ServletContext, HttpSession)

7.2.2.5. servermight end up creating more instances than the system can handle, e.g. eachinstancemight have its own db connection, hence in total there may be more dbconnections than the db server can handle.

7.3. Identify the interface used to declare that a servlet must use the single threadmodel

7.3.1. interface javax.servlet.SingleThreadModel { // this is an empty“tag” interface }

No comments:

Post a Comment