Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Upload: stella-cora-warren

Post on 26-Dec-2015


Generating Dynamic Content for the Web

University of Georgia

CSCI 4800/6800

Technologies for generating dynamic content

- CGI
- Servlets
- JSP
- Struts
- JSF

Web Content Types

Three types of content:
- Static
- Dynamic
- Active

Static content
- defined in text file by page author
- remains unchanged until edited

Dynamic content
- generated on demand by HTTP server
- program on server returns output to client
- counters, database searching, search engines, questionnaires, up-to-date info

Active content
- executes code on the client computer
- user interaction, display updating, remote connections, smart forms

Dynamic Content

- Server must be able to execute program
  - The program generates the document dynamically
- Server programs can be written in any language
  - Shell scripts, C, C++, Java, Perl, Tcl, PHP, Python, ASP, etc.
- Program output returned to web client via HTTP server
- Output must be in form of static page
  - e.g. Content-type: text/html, image/gif, etc.
  - Some types of content can contain dynamic components
- Server needs to recognize dynamic document request
  - On a per-directory basis, e.g. /cgi-bin/
  - Or via file names, e.g. .jsp

Common Gateway Interface (CGI)

- CGI standard defines server-program interaction
  - Developed at the National Center for Supercomputing Applications (NCSA)
- CGI was the first way of generating dynamic content
- Based on the Unix shell model
  - Parameters passed via stdin/stdout and shell environment variables
- Typically a special directory is used on the server for CGI programs
  - /cgi-bin/
- URL selects program to run
  - http://host/cgi-bin/program

CGI

[Diagram: WWW Client <-> WWW Server over the internet (request, response); WWW Server <-> CGI program on the server (Invoke CGI, CGI output)]

CGI Pros and Cons

- Pros of CGI
  - Simple, suitable for small once-off tasks
  - Supported by all web servers
- Cons of CGI
  - Slow: web server forks new process for every request
  - Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example: http://www.random.org/nform.html

HTML Forms

    <form method="get" action="http://www.random.org/cgi-bin/randbyte">
    <p>Generate <input type="text" name="nbytes"> random bytes (maximum 16384)</p>
    <p>Format:</p>
    <input type="radio" name="format" value="hex" checked> Hexadecimal<br>
    <input type="radio" name="format" value="dec"> Decimal<br>
    <input type="radio" name="format" value="oct"> Octal<br>
    <input type="radio" name="format" value="bin"> Binary<br>
    <input type="radio" name="format" value="file"> Download to a file<br>
    <input type="submit" value="Get Bytes">
    <input type="reset" value="Reset Form">
    </form>

HTML Forms and Parameters

- Each form field has a name
- Fields passed as (name, value) pairs
  - Names and values separated by '='
  - Multiple pairs separated by '&', e.g. nbytes=256&format=hex
  - Called the query string
- Non-printable characters are encoded
  - Space encoded as '+' or '%20'
  - Any character can be encoded as %xx, where xx is the character's ASCII value in hex, e.g. %26 for '&'

HTML Forms and Parameters

- With GET requests, the query string is appended to the base URL as follows:
  - /path?querystring

    GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in browser's URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

- With POST requests, the query string is sent in the optional data field of the HTTP request
  - Unlimited query length
  - Query string not part of URL
  - Hyper-references w/ POST request containing query strings cannot be bookmarked or used as hyperlinks

Comparison ...

- In both cases, server-side program must decode the data supplied by the client
- CGI just gives you the raw query string
  - Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets
  - HttpServletRequest.getParameter(name)

More about query strings

- Query strings can be constructed
  - as a fixed URL, e.g. embedded in a page or bookmarked by the browser
  - from a HTML form
- Query strings constructed from forms follow the name-value pair format
- Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string
- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string
- In both cases, the CGI program outputs the response to stdout

Simple CGI script example

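    #!/bin/sh
    # The header block ends with an empty line; printf expands \n portably, plain echo may not.
    printf 'Content-type: text/html\n\n'
    echo "<html><body><p>"
    # QUERY_STRING is supplied by the client: escape HTML metacharacters before echoing it.
    qs=$(printf '%s' "$QUERY_STRING" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    printf 'Your query string was: %s\n' "$qs"
    echo "</p></body></html>"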
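The GET and POST parameter passing described above, together with the '+' and %xx decoding rules from the earlier slides, written out as a CGI program in Python. This is an added example, not code from the original slides; the function names and the MAX_POST_BYTES limit are assumptions made for the illustration.

```python
import html
import os
import sys
from urllib.parse import parse_qsl

MAX_POST_BYTES = 8192  # assumption: body size cap chosen for this example


def raw_query(environ, body_stream):
    """Fetch the undecoded query string the way the CGI interface delivers it."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        # GET: the server places everything after '?' in QUERY_STRING.
        return environ.get("QUERY_STRING", "")
    if method == "POST":
        # POST: the server passes the request body on stdin and its size
        # in CONTENT_LENGTH; never read more than the declared length.
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            raise ValueError("bad CONTENT_LENGTH")
        if not 0 <= length <= MAX_POST_BYTES:
            raise ValueError("POST body too large")
        return body_stream.read(length).decode("ascii", errors="replace")
    raise ValueError("unsupported method: " + method)


def decode_pairs(query):
    """Split on '&' and '=', turn '+' into a space and %xx into its character."""
    return parse_qsl(query, keep_blank_values=True)


def respond(environ, body_stream):
    """Build the complete CGI output: header, blank line, HTML document."""
    try:
        pairs = decode_pairs(raw_query(environ, body_stream))
    except ValueError as exc:
        return "Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\n%s\n" % exc
    # Decoded values are client-controlled text, so escape them for HTML.
    items = "".join(
        "<li>%s = %s</li>" % (html.escape(name), html.escape(value))
        for name, value in pairs
    )
    return (
        "Content-type: text/html\r\n\r\n"
        "<html><body><p>Your parameters were:</p><ul>%s</ul></body></html>\n" % items
    )


if __name__ == "__main__":
    # Entry point when the web server runs this file as a CGI program.
    sys.stdout.write(respond(os.environ, sys.stdin.buffer))
```
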

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)
- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP, typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts' addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients/?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity College</a>.</p>
    </body></html>

- Note: Only local links are rewritten

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

- First form:

    <form method="post" action="form-handler.php">
    <p>Enter your name: <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form:

    <form method="post" action="form-handler.php">
    <p>Enter your age: <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed

Hidden Fields Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers regardless of user's (cookie) preferences
- Cons
  - Requires forms, not suitable for plain links
  - Others
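Hidden fields travel through the browser, so the server gets back whatever the client chooses to submit for `stage` and `user`. The added example below (not part of the original slides) renders the second form from the example above with an HMAC over the carried state and rejects a submission whose hidden values were changed; SERVER_KEY, the `mac` field name and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qsl, urlencode

# Assumption: a secret known only to the server (constructed demo value).
SERVER_KEY = b"constructed-demo-key"


def sign_state(state):
    """HMAC-SHA256 over the carried (name, value) pairs in a fixed order."""
    canonical = urlencode(sorted(state.items())).encode("utf-8")
    return hmac.new(SERVER_KEY, canonical, hashlib.sha256).hexdigest()


def render_stage(stage, carried, prompt, field):
    """Render the next form; `carried` holds values collected in earlier stages."""
    state = dict(carried, stage=str(stage))
    hidden = "".join(
        '<input type="hidden" name="%s" value="%s" />\n'
        % (html.escape(name), html.escape(value))
        for name, value in sorted(state.items())
    )
    hidden += '<input type="hidden" name="mac" value="%s" />\n' % sign_state(state)
    return (
        '<form method="post" action="form-handler.php">\n'
        '<p>%s <input type="text" name="%s" /></p>\n'
        "%s"
        '<input type="submit" value="Next" />\n'
        "</form>" % (html.escape(prompt), html.escape(field), hidden)
    )


def accept_submission(body, new_fields):
    """Return the combined state, or None if any hidden field was altered.

    `body` is the POSTed query string; `new_fields` names the visible fields
    the user was asked to fill in at this stage (they are not covered by the MAC).
    """
    fields = dict(parse_qsl(body, keep_blank_values=True))
    mac = fields.pop("mac", "")
    fresh = {name: fields.pop(name) for name in new_fields if name in fields}
    expected = sign_state(fields)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    fields.update(fresh)
    return fields


if __name__ == "__main__":
    print(render_stage(2, {"user": "Joe Random"}, "Enter your age:", "age"))
```

The MAC only detects modification: the values are still readable in the page source, and an earlier, correctly signed form can be submitted again.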

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie
- Cookies are used to maintain state on the client side

HTTP State: Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets
- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State: Cookies

- Cookies are set (by the server) via HTTP Response headers:

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

- And sent back (by the client) via HTTP Request headers:

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: '/' separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired
- Limitation: Cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

- First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

  Could mean "user 12 adds product 9828 to her shopping basket"

- Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

  7884 was in the basket already

Cookies Example

- Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

- Third request:

    GET / HTTP/1.0

- Fourth request:

    GET /gnus HTTP/1.0

  No cookies are sent because the paths '/' and '/gnus' do not match '/books'
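The client-side decision described on the previous slides (host matches domain, path matches, not expired), replayed over the second, third and fourth requests of this example. This is an added Python example, not code from the original slides: the class and function names, the "current time" and the extra /booksellers path are constructed, the path test uses the stricter '/'-boundary rule of RFC 6265, and the `secure` attribute is treated as "HTTPS only".

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: datetime
    secure: bool


def domain_matches(host, cookie_domain):
    """Host equals the cookie domain or is a subdomain of it (IP hosts not handled)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """Prefix match that only succeeds on a '/' boundary.

    '/books' covers '/books' and '/books/x' but not '/booksellers'.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie, host, path, https, now):
    """All conditions must hold before the client attaches the cookie."""
    return (
        domain_matches(host, cookie.domain)
        and path_matches(path, cookie.path)
        and now < cookie.expires
        and (https or not cookie.secure)
    )


def cookie_header(jar, host, path, https, now):
    """Value of the Cookie request header, or None when no cookie qualifies."""
    pairs = [
        "%s=%s" % (c.name, c.value)
        for c in jar
        if should_send(c, host, path, https, now)
    ]
    return "; ".join(pairs) if pairs else None


# Constructed from the Set-Cookie header in the server response above.
BASKET = Cookie(
    name="basket",
    value="uid=12&pid=9828&pid=7884",
    domain="www.ammozon.com",
    path="/books",
    expires=datetime(2005, 11, 23, 14, 42, 12, tzinfo=timezone.utc),
    secure=True,
)
# Constructed "current time", one day before the cookie expires.
NOW = datetime(2005, 11, 22, 12, 0, 0, tzinfo=timezone.utc)


def replay_requests():
    """Requests two to four from the slides, plus one constructed edge case."""
    paths = ["/books/special-offers.php", "/", "/gnus", "/booksellers"]
    return {
        p: cookie_header([BASKET], "www.ammozon.com", p, True, NOW) for p in paths
    }


if __name__ == "__main__":
    for path, header in replay_requests().items():
        print(path, "->", header)
```
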

Cookies Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
- Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001 Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Diagram: Web client <-> Web Server (HTTP request, HTTP response); Web Server <-> Servlet (Servlet API)]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
- Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets once written can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface
- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Diagram: timeline (Time axis). init is called once; service is then called repeatedly and concurrently on Thread 1, Thread 2 and Thread 3; destroy is called once at the end.]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

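Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
      public void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
        PrintWriter out;
        String title = "Snoop Servlet";
        // Header values are chosen by the client, so escape them before writing HTML.
        String ua = esc(request.getHeader("User-Agent"));
        String ref = esc(request.getHeader("Referer"));
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        out.println("<p>Hello</p>");
        out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
        out.println("</body></html>");
        out.close();
      }

      // Minimal HTML escaping; a missing header (null) becomes an empty string.
      private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
      }
    }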

Servlet Example 2

- Consider the following form used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

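Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
      public void doPost(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
        PrintWriter out;
        String title = "Payment Servlet";
        String n = request.getParameter("name");
        String a = request.getParameter("amount");
        String cc = request.getParameter("cardnumber");
        String ed = request.getParameter("expirydate");
        // TODO: credit card transaction here
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        // Form values are client-supplied text: escape them before writing HTML.
        out.println("<p>Hello " + esc(n) + "</p>");
        out.println("<p>Your card " + esc(cc) + " has been charged &euro;" + esc(a) + "</p>");
        out.println("</body></html>");
        out.close();
      }

      // Minimal HTML escaping; a missing parameter (null) becomes an empty string.
      private static String esc(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
      }
    }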

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.

Page 2: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Technologies for generating dynamic content

CGIServletsJSPStrutsJSF

Web Content Types

Three types of content Static Dynamic Active

Static Content

1048708 defined in text file by page author1048708 remains unchanged until edited

Dynamic content

1048708 generated on demand by HTTP server1048708 program on server returns output to

client1048708 counters database searching search

engines questionnaires up-to-date info

Active content

executes code on the client computeruser interaction display updating remote

connections smart forms

Dynamic Content

Server must be able to execute program The program generates the document dynamically

1048708 Server programs can be written in any language Shell scripts C C++ Java Perl Tcl PHP Python ASP etc

1048708 Program output returned to web client via HTTP server 1048708 Output must be in form of static page

eg Content-type texthtml imagegif etc Some types of content can contain dynamic components

1048708 Server needs to recognize dynamic document request On a per-directory basis eg cgi-bin Or via file names eg jsp

Common Gateway Interface(CGI) 1048708 CGI standard defines server-program interaction

Developed at the National Center for Supercomputing Applications (NCSA)

1048708 CGI was the first way of generating dynamic content 1048708 Based on the Unix shell model

Parameters passed via stdinstdout and shell environment variables

1048708 Typically a special directory is used on the server for CGI programs 1048708 cgi-bin

1048708 URL selects program to run httphostcgi-binprogram

CGI

WWW Client

CGIprogram

WWWServer

request

response

Invoke CGI

CGI output

internet server

CGI Pros and Cons

Pros of CGI 1048708 Simple suitable for small once-off tasks 1048708 Supported by all web servers

1048708 Cons of CGI 1048708 Slow web server forks new process for every

request 1048708 Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example httpwwwrandomorgnformhtml

HTML Forms

ltform method=ldquogetrdquoaction=ldquohttpwwwrandomorgcgi-binrandbyterdquogt

ltpgtGenerate ltinput type=text name=nbytesgt random bytes (maximum16384)ltpgtltpgtFormatltpgtltinput type=radio name=format value=hex checkedgt Hexadecimalltbrgtltinput type=radio name=format value=decgt Decimal ltbrgtltinput type=radio name=format value=octgt Octal ltbrgtltinput type=radio name=format value=bingt Binary ltbrgtltinput type=radio name=format value=filegt Download to a fileltbrgtltinput type=submit value=Get Bytesgtltinput type=reset value=Reset Formgtltformgt

HTML Forms and Parameters

Each form field has a nameFields passed as (name value) pairs

Names and values separated by lsquo=rsquo Multiple pairs separated by lsquoamprsquo eg nbytes=256ampformat=hex Called the query string Non-printable characters are encoded

Space encoded as lsquo+rsquo or lsquo20rsquo Any character can be encoded as x where x is the

characterrsquos ASCII value in hex eg 26 for lsquoamprsquo

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods

- doGet, doPut, doPost, doDelete

These methods are passed two parameters

- One of type HttpServletRequest
- One of type HttpServletResponse

The parameters are objects that can be invoked to

- Read info about the HTTP request
- Generate the HTTP response

Sessions are maintained via HttpSession objects

- Accessed via the HttpServletRequest object

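Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Request headers are client-controlled and may be absent (null).
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // HTML-escape the header values before echoing them into the page.
            out.println("<p>Your browser is " + esc(ua) + " and "
                    + "you got here via " + esc(ref) + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Escapes text for use in HTML content; null becomes the empty string.
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }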

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

    <form method="post" action="servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form parameters are client-controlled and may be absent (null).
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // HTML-escape every submitted value before echoing it into the page.
            out.println("<p>Hello " + esc(n) + "</p>");
            out.println("<p>Your card " + esc(cc) + " has been charged &euro;" + esc(a) + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Escapes text for use in HTML content; null becomes the empty string.
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }

Servlet API

ServletRequest/HttpServletRequest

- getInputStream
- getProtocol
- getRemoteAddr
- getHeader
- getMethod
- getQueryString
- getRemoteUser
- getSession
- etc.

Servlet API

ServletResponse/HttpServletResponse

- getOutputStream
- setContentType
- getWriter
- sendRedirect
- etc.


CGI

[Figure: WWW client, WWW server (internet server) and CGI program; arrows labelled request, Invoke CGI, CGI output and response.]

CGI Pros and Cons

Pros of CGI

- Simple, suitable for small once-off tasks
- Supported by all web servers

Cons of CGI

- Slow: web server forks a new process for every request
- Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example: http://www.random.org/nform.html

HTML Forms

    <form method="get" action="http://www.random.org/cgi-bin/randbyte">
    <p>Generate <input type="text" name="nbytes"> random bytes (maximum 16384)</p>
    <p>Format</p>
    <input type="radio" name="format" value="hex" checked> Hexadecimal<br>
    <input type="radio" name="format" value="dec"> Decimal<br>
    <input type="radio" name="format" value="oct"> Octal<br>
    <input type="radio" name="format" value="bin"> Binary<br>
    <input type="radio" name="format" value="file"> Download to a file<br>
    <input type="submit" value="Get Bytes">
    <input type="reset" value="Reset Form">
    </form>

HTML Forms and Parameters

Each form field has a name. Fields are passed as (name, value) pairs

- Names and values separated by '='
- Multiple pairs separated by '&'
- e.g. nbytes=256&format=hex
- Called the query string

Non-printable characters are encoded

- Space encoded as '+' or '%20'
- Any character can be encoded as %x, where x is the character's ASCII value in hex, e.g. %26 for '&'

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows

- path?querystring

    GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in the browser's URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request

- Unlimited query length
- Query string not part of URL
- Hyper-references with POST requests containing query strings cannot be bookmarked or used as hyperlinks

Comparison…

In both cases the server-side program must decode the data supplied by the client

- CGI just gives you the raw query string
- Decoding can be tedious
- Other approaches to dynamic content generation do this for you
- Example, Java Servlets: HttpServletRequest.getParameter(name)

More about query strings

Query strings can be constructed

- as a fixed URL, e.g. embedded in a page or bookmarked by the browser
- from an HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING

- CGI program must evaluate the variable and parse the string

When invoked with POST, the query string is passed through standard input

- CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

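Simple CGI script example

    #!/bin/sh
    # Emit the CGI header block; printf is used because echo does not
    # interpret "\n" the same way in every shell.
    printf 'Content-type: text/html\n\n'
    echo "<html><body><p>"
    # QUERY_STRING comes from the client: HTML-escape it before echoing it back.
    escaped=$(printf '%s' "$QUERY_STRING" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g')
    printf 'Your query string was: %s\n' "$escaped"
    echo "</p></body></html>"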

HTTP and State

Recall that HTTP is stateless

- Server maintains no state about clients between successive HTTP requests
- Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)

However, state is useful

- Maintain a history of previous invocations or visits
- Correlate information from several requests
- Trace users through a web site

HTTP and State

State can take any form

- In HTTP, typically one or more (name, value) pairs

Short-term state can be encoded in a variety of ways

- in URL to browser (URL rewriting)
- in HTML documents served (hidden fields)
- in cookies

Long-term state can be encoded

- Keep record of hosts' addresses in file
- Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

The request to www.random.org

    GET /essay.php?id=212 HTTP/1.0

could result in the following page

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients/?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity College</a></p>
    </body>

Note: only local links are rewritten

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)

- Special 'hidden' form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

First form

    <form method="post" action="form-handler.php">
    <p>Enter your name <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
    <p>Enter your age <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

When at the last stage, all data is processed

Hidden Fields Pros and Cons

Pros

- State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
- Supported by all browsers, regardless of user's (cookie) preferences

Cons

- Requires forms, not suitable for plain links
- Others
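Hidden fields come back from the client like any other form field, so the server cannot assume the returned state is the state it wrote into the form. One way to check this, shown as an added example that is not part of the original slides, is to send a keyed MAC over the state in a second hidden field and verify it on submission; the class name, the extra field and the demo key are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HiddenStateDemo {

    // Constructed demo key. Assumption: a real server loads a random secret
    // from its own configuration and never sends it to the client.
    private static final byte[] KEY =
            "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Computes an HMAC-SHA256 tag over the state string, encoded for use in a form field.
    static String sign(String state) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] tag = mac.doFinal(state.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Recomputes the tag for the returned state and compares it to the returned tag.
    // MessageDigest.isEqual gives a time-constant comparison.
    static boolean verify(String state, String tag) throws GeneralSecurityException {
        byte[] expected = sign(state).getBytes(StandardCharsets.UTF_8);
        byte[] given = tag == null ? new byte[0] : tag.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // State the server would place in the second form of the slides' example.
        String state = "stage=2&user=Joe+Random";
        String tag = sign(state);
        System.out.println("<input type=\"hidden\" name=\"state\" value=\"" + state + "\" />");
        System.out.println("<input type=\"hidden\" name=\"tag\" value=\"" + tag + "\" />");

        // Unmodified state returned by the browser is accepted.
        System.out.println("unchanged state accepted: " + verify(state, tag));

        // Constructed case: the returned state differs from what the server sent.
        System.out.println("changed state accepted:   " + verify("stage=2&user=Someone+Else", tag));

        // A missing tag is rejected as well.
        System.out.println("missing tag accepted:     " + verify(state, null));
    }
}
```

The tag only shows that the state is unchanged; it does not hide the values from the user.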

HTTP State: Cookies

Cookies are

- Small pieces of information
- Sent by web servers to web clients
- Stored by the clients
- Read back by the server who sent the cookie

Cookies are used to maintain state on the client side

HTTP State: Cookies

Cookies are often used to store

- User IDs and passwords
- Info about preferences or start pages
- Contents of shopping baskets

But also for

- User tracking within a web site
- Building user profiles
- Targeted marketing (advertising)

HTTP State: Cookies

Cookies are set (by the server) via HTTP Response headers

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

And sent back (by the client) via HTTP Request headers

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: '/'-separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

A client will send along a cookie with an HTTP request provided that

- The server host name from the URL matches the domain for the cookie
- The path name from the URL matches the path for the cookie
- The cookie has not expired

Limitation: cookies are bound to the server that originally set them

- Limits cookies within that server domain

Cookies Example

First request

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket"

Server response

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

(7884 was in the basket already)

Cookies Example

Second request

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

Third request

    GET / HTTP/1.0

Fourth request

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'

Cookies Pros and Cons

Pros

- Highly transparent to user
- Avoids server getting clogged with state
- Great for personalizing content

Cons

- Specific to the computer, not the user
- Privacy issues

HTTP State: Cookies

Seemingly innocent

- Originally designed by Netscape as a simple way of letting users identify themselves
- Has many uses

Also less friendly to users

- Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
- Try surfing with cookie warnings enabled

Dynamic Content

HTML in Code

- CGI scripts (any language)
- Java Servlets
- AOLServer's TCL support

Code in HTML

- Java Server Pages (JSP)
- Microsoft Active Server Pages (ASP)
- PHP: Hypertext Preprocessor (PHP)
- AOLServer Dynamic Pages (ADP)
- mod_perl

Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: web client, web server and servlet; labels HTTP request, HTTP response and Servlet API.]


Page 4: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Static Content

1048708 defined in text file by page author1048708 remains unchanged until edited

Dynamic content

1048708 generated on demand by HTTP server1048708 program on server returns output to

client1048708 counters database searching search

engines questionnaires up-to-date info

Active content

executes code on the client computeruser interaction display updating remote

connections smart forms

Dynamic Content

Server must be able to execute program The program generates the document dynamically

1048708 Server programs can be written in any language Shell scripts C C++ Java Perl Tcl PHP Python ASP etc

1048708 Program output returned to web client via HTTP server 1048708 Output must be in form of static page

eg Content-type texthtml imagegif etc Some types of content can contain dynamic components

1048708 Server needs to recognize dynamic document request On a per-directory basis eg cgi-bin Or via file names eg jsp

Common Gateway Interface(CGI) 1048708 CGI standard defines server-program interaction

Developed at the National Center for Supercomputing Applications (NCSA)

1048708 CGI was the first way of generating dynamic content 1048708 Based on the Unix shell model

Parameters passed via stdinstdout and shell environment variables

1048708 Typically a special directory is used on the server for CGI programs 1048708 cgi-bin

1048708 URL selects program to run httphostcgi-binprogram

CGI

WWW Client

CGIprogram

WWWServer

request

response

Invoke CGI

CGI output

internet server

CGI Pros and Cons

Pros of CGI 1048708 Simple suitable for small once-off tasks 1048708 Supported by all web servers

1048708 Cons of CGI 1048708 Slow web server forks new process for every

request 1048708 Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example httpwwwrandomorgnformhtml

HTML Forms

ltform method=ldquogetrdquoaction=ldquohttpwwwrandomorgcgi-binrandbyterdquogt

ltpgtGenerate ltinput type=text name=nbytesgt random bytes (maximum16384)ltpgtltpgtFormatltpgtltinput type=radio name=format value=hex checkedgt Hexadecimalltbrgtltinput type=radio name=format value=decgt Decimal ltbrgtltinput type=radio name=format value=octgt Octal ltbrgtltinput type=radio name=format value=bingt Binary ltbrgtltinput type=radio name=format value=filegt Download to a fileltbrgtltinput type=submit value=Get Bytesgtltinput type=reset value=Reset Formgtltformgt

HTML Forms and Parameters

Each form field has a nameFields passed as (name value) pairs

Names and values separated by lsquo=rsquo Multiple pairs separated by lsquoamprsquo eg nbytes=256ampformat=hex Called the query string Non-printable characters are encoded

Space encoded as lsquo+rsquo or lsquo20rsquo Any character can be encoded as x where x is the

characterrsquos ASCII value in hex eg 26 for lsquoamprsquo

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

[Figure: Basic Servlet Interaction. Labels: Web client, Web Server, Servlet, HTTP request, HTTP response, Servlet API]

Java Servlets

Servlets can be used to extend web servers in a modular fashion

- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity

Java Servlets

Servlets can use the entire Java language
- In particular the Java Database Connectivity (JDBC) API

Standard API means
- Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
- This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects
- Requests
- Responses
- Sessions

- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content

- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet

- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: Example Servlet Lifecycle. Along the time axis: init, then service calls running in Thread 1, Thread 2 and Thread 3, then destroy]

Servlet API

The service() method dispatches service requests to one of four methods
- doGet, doPut, doPost, doDelete

- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse

- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response

- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Hello extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out;
        String title = "Snoop Servlet";
        // Both header values are supplied by the client.
        String ua = request.getHeader("User-Agent");
        String ref = request.getHeader("Referer");
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        out.println("<p>Hello</p>");
        // ua and ref are written into the page as received, without HTML escaping.
        out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
        out.println("</body></html>");
        out.close();
    }
}

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

<form method="post" action="/servlets/pay">
<input type="text" name="name" />
<input type="text" name="amount" />
<input type="text" name="cardnumber" />
<input type="text" name="expirydate" />
<input type="submit" value="Pay" />
</form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Hello extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out;
        String title = "Payment Servlet";
        // Form fields, decoded by the servlet container.
        String n = request.getParameter("name");
        String a = request.getParameter("amount");
        String cc = request.getParameter("cardnumber");
        String ed = request.getParameter("expirydate");
        // TODO: credit card transaction here
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        // n, cc and a come from the client and are written into the page unescaped.
        out.println("<p>Hello " + n + "</p>");
        out.println("<p>Your card " + cc + " has been charged &euro;" + a + "</p>");
        out.println("</body></html>");
        out.close();
    }
}

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.


Dynamic content

- generated on demand by HTTP server
- program on server returns output to client
- counters, database searching, search engines, questionnaires, up-to-date info

Active content

- executes code on the client computer
- user interaction, display updating, remote connections, smart forms

Dynamic Content

Server must be able to execute program
- The program generates the document dynamically

- Server programs can be written in any language
  - Shell scripts, C, C++, Java, Perl, Tcl, PHP, Python, ASP, etc.

- Program output returned to web client via HTTP server
- Output must be in form of static page
  - e.g. Content-type: text/html, image/gif, etc.
  - Some types of content can contain dynamic components

- Server needs to recognize dynamic document request
  - On a per-directory basis, e.g. cgi-bin
  - Or via file names, e.g. .jsp

Common Gateway Interface (CGI)

- CGI standard defines server-program interaction
  - Developed at the National Center for Supercomputing Applications (NCSA)

- CGI was the first way of generating dynamic content
- Based on the Unix shell model
  - Parameters passed via stdin/stdout and shell environment variables

- Typically a special directory is used on the server for CGI programs
  - cgi-bin

- URL selects program to run
  - http://host/cgi-bin/program

CGI

[Figure: CGI. Labels: WWW Client, WWW Server, CGI program, request, response, Invoke CGI, CGI output, internet, server]

CGI Pros and Cons

- Pros of CGI
  - Simple, suitable for small once-off tasks
  - Supported by all web servers

- Cons of CGI
  - Slow: web server forks new process for every request
  - Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example: http://www.random.org/nform.html

HTML Forms

<form method="get" action="http://www.random.org/cgi-bin/randbyte">
<p>Generate <input type="text" name="nbytes"> random bytes (maximum 16384)</p>
<p>Format</p>
<input type="radio" name="format" value="hex" checked> Hexadecimal<br>
<input type="radio" name="format" value="dec"> Decimal<br>
<input type="radio" name="format" value="oct"> Octal<br>
<input type="radio" name="format" value="bin"> Binary<br>
<input type="radio" name="format" value="file"> Download to a file<br>
<input type="submit" value="Get Bytes">
<input type="reset" value="Reset Form">
</form>

HTML Forms and Parameters

Each form field has a name
Fields passed as (name, value) pairs
- Names and values separated by ‘=’
- Multiple pairs separated by ‘&’
- e.g. nbytes=256&format=hex
- Called the query string

Non-printable characters are encoded
- Space encoded as ‘+’ or ‘%20’
- Any character can be encoded as %x, where x is the character’s ASCII value in hex, e.g. %26 for ‘&’

HTML Forms and Parameters

With GET requests, the query string is appended to the base URL as follows
- path?querystring

GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in browser’s URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

With POST requests, the query string is sent in the optional data field of the HTTP request
- Unlimited query length
- Query string not part of URL
- Hyper-references w/ POST request containing query strings cannot be bookmarked or used as hyperlinks

Comparison …

In both cases, the server-side program must decode the data supplied by the client

- CGI just gives you the raw query string
- Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets

HttpServletRequest.getParameter(name)

More about query strings

Query strings can be constructed
- as a fixed URL, e.g. embedded in a page or bookmarked by the browser
- from an HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
- CGI program must evaluate the variable and parse the string

When invoked with POST, the query string is passed through standard input
- CGI program must read from stdin and parse the string

In both cases, the CGI program outputs the response to stdout

Simple CGI script example

#!/bin/sh
# Header line, then a blank line that ends the headers.
printf 'Content-type: text/html\n\n'
echo "<html><body><p>"
# QUERY_STRING is written into the page exactly as the client sent it.
echo "Your query string was $QUERY_STRING"
echo "</p></body></html>"
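The parameter passing and decoding described above, as an added Python example (not code from the slides): a CGI program that takes the query string from QUERY_STRING for GET or from standard input for POST, decodes the pairs, and HTML-escapes every value before writing it into the page. REQUEST_METHOD and CONTENT_LENGTH are standard CGI variables the slides do not mention; the 64 KB body cap is an assumption.

```python
import html
from urllib.parse import parse_qsl

MAX_BODY = 64 * 1024  # assumed cap on a POSTed form body, in bytes


def read_params(environ, stdin):
    """Return the request's decoded (name, value) pairs.

    GET:  the query string is in the QUERY_STRING environment variable.
    POST: the query string is the request body on standard input, and
          CONTENT_LENGTH says how many bytes of it to read.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not a number")
        if length < 0 or length > MAX_BODY:
            raise ValueError("request body too large")
        raw = stdin.read(length).decode("ascii", errors="replace")
    elif method == "GET":
        raw = environ.get("QUERY_STRING", "")
    else:
        raise ValueError("unsupported method")
    # parse_qsl splits on '&' and '=', turns '+' into a space and decodes %XX.
    return parse_qsl(raw, keep_blank_values=True)


def render(params):
    """Build the CGI response: header line, blank line, then the page."""
    rows = "".join(
        "<li>%s = %s</li>" % (html.escape(name), html.escape(value))
        for name, value in params
    )
    return ("Content-type: text/html\r\n\r\n"
            "<html><body><ul>%s</ul></body></html>" % rows)


if __name__ == "__main__":
    import os
    import sys
    try:
        sys.stdout.write(render(read_params(os.environ, sys.stdin.buffer)))
    except ValueError as exc:
        sys.stdout.write("Status: 400 Bad Request\r\n"
                         "Content-type: text/plain\r\n\r\n%s\n" % exc)
```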

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)

- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

State can take any form
- In HTTP, typically one or more (name, value) pairs

Short-term state can be encoded in a variety of ways
- in URL to browser (URL rewriting)
- in HTML documents served (hidden fields)
- in cookies

Long-term state can be encoded
- Keep record of hosts’ addresses in file
- Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212

- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair ‘id=212’

URL Rewriting Example

- The request to www.random.org
GET /essay.php?id=212 HTTP/1.0

- Could result in the following page
<html><head></head><body>
<p>There is the <a href="users.php?id=212">users page</a>, there is the
<a href="clients/?id=212">client archive</a>, and we here at
<a href="/?id=212">random.org</a> are grateful to
<a href="http://www.tcd.ie">Trinity College</a></p>
</body></html>

- Note: Only local links are rewritten
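The rewriting step above, as an added Python example (not code from the slides): it appends the state pair to every local link and leaves other links untouched, so the state does not appear in URLs pointing at other hosts. The function names and the sample page are constructed for illustration; the host and the id=212 pair come from the slide.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# href attribute of an <a> tag: optional quote, value, same quote again.
HREF = re.compile(r"""(<a\b[^>]*?\bhref\s*=\s*)(["']?)([^"'\s>]+)\2""", re.IGNORECASE)


def is_local(href, site_host):
    """True for relative links and for absolute links to site_host."""
    if href.startswith("#"):
        return False  # same-page anchor, no request is made
    try:
        parts = urlsplit(href)
    except ValueError:
        return False  # malformed URL, leave it alone
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # mailto:, javascript:, ...
    if parts.netloc:
        # hostname ignores any "user@" prefix, so look-alike hosts do not match
        return (parts.hostname or "").lower() == site_host.lower()
    return True


def add_state(href, name, value):
    """Set name=value in the query string, replacing an older value."""
    parts = urlsplit(href)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_links(page, site_host, name, value):
    """Return page with the state pair added to every local <a href>."""
    def repl(match):
        prefix, quote, raw = match.groups()
        href = html.unescape(raw)  # &amp; in the attribute is a literal &
        if not is_local(href, site_host):
            return match.group(0)
        return prefix + quote + html.escape(add_state(href, name, value)) + quote
    return HREF.sub(repl, page)


# Constructed sample page, modelled on the slide's example.
SAMPLE = ('<p><a href="users.php">users page</a> <a href="clients/">client archive</a> '
          '<a href="/">random.org</a> <a href="search.php?q=gnu&amp;page=2">search</a> '
          '<a href="http://www.tcd.ie">Trinity College</a> '
          '<a href="//www.tcd.ie/x">protocol-relative</a> '
          '<a href="http://www.random.org@www.tcd.ie/">look-alike</a></p>')

if __name__ == "__main__":
    print(rewrite_links(SAMPLE, "www.random.org", "id", "212"))
```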

URL Rewriting Example

- With URL rewriting, you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form

- If the server receives a request without parameters, it returns a login form instead of the content

- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting, the hyperlinks are personalised

- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting: Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off

- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed

- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting: Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead

- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client’s interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
- Special ‘hidden’ form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

- First form
<form method="post" action="form-handler.php">
<p>Enter your name <input type="text" name="user" /></p>
<input type="hidden" name="stage" value="1" />
<input type="submit" value="Next" />
</form>

- Server encodes the state (including values submitted by the user) in the second form
<form method="post" action="form-handler.php">
<p>Enter your age <input type="text" name="age" /></p>
<input type="hidden" name="stage" value="2" />
<input type="hidden" name="user" value="Joe Random" />
<input type="submit" value="Next" />
</form>

- When at the last stage, all data is processed

Hidden Fields Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers regardless of user’s (cookie) preferences

- Cons
  - Requires forms, not suitable for plain links
  - Others

HTTP State Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie

- Cookies are used to maintain state on the client side

HTTP State Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets

- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

And sent back (by the client) via HTTP Request headers

Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: ‘/’ separated
- Domain format: hostname.subdomain.tld

HTTP State Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired

- Limitation
  - Cookies are bound to the server that originally set them
  - Limits cookies within that server domain
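The client-side decision above, as an added Python example (not code from the slides), applied to the basket cookie from this page's cookie example. It goes beyond the three listed conditions in two labelled ways: the path test is the whole-segment prefix match of RFC 6265, and the `secure` attribute is honoured. The request time is a constructed value.

```python
from datetime import datetime


def domain_matches(host, cookie_domain):
    """Host equals the cookie domain, or is a sub-domain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """Cookie path must be a whole-segment prefix of the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # '/books' covers '/books/x' but must not cover '/bookstore'.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie, host, path, now, https=True):
    """Apply the domain, path and expiry conditions, plus the secure flag."""
    if not domain_matches(host, cookie["domain"]):
        return False
    if not path_matches(path, cookie["path"]):
        return False
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False
    if cookie["secure"] and not https:
        return False  # beyond the slide's list: secure cookies need HTTPS
    return True


def cookie_header(jar, host, path, now, https=True):
    """The Cookie request header for this request, or None if nothing matches."""
    pairs = ["%s=%s" % (c["name"], c["value"])
             for c in jar if should_send(c, host, path, now, https)]
    return "Cookie: " + "; ".join(pairs) if pairs else None


# The basket cookie from the page's Set-Cookie example.
BASKET = {
    "name": "basket",
    "value": "uid=12&pid=9828&pid=7884",
    "expires": datetime(2005, 11, 23, 14, 42, 12),
    "path": "/books",
    "domain": "www.ammozon.com",
    "secure": True,
}

NOW = datetime(2005, 11, 1, 12, 0, 0)  # constructed request time, before expiry

if __name__ == "__main__":
    for p in ("/books/special-offers.php", "/", "/gnus", "/bookstore"):
        print(p, cookie_header([BASKET], "www.ammozon.com", p, NOW))
```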



1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 8: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Common Gateway Interface(CGI) 1048708 CGI standard defines server-program interaction

Developed at the National Center for Supercomputing Applications (NCSA)

1048708 CGI was the first way of generating dynamic content 1048708 Based on the Unix shell model

Parameters passed via stdinstdout and shell environment variables

1048708 Typically a special directory is used on the server for CGI programs 1048708 cgi-bin

1048708 URL selects program to run httphostcgi-binprogram

CGI

WWW Client

CGIprogram

WWWServer

request

response

Invoke CGI

CGI output

internet server

CGI Pros and Cons

Pros of CGI 1048708 Simple suitable for small once-off tasks 1048708 Supported by all web servers

1048708 Cons of CGI 1048708 Slow web server forks new process for every

request 1048708 Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example httpwwwrandomorgnformhtml

HTML Forms

ltform method=ldquogetrdquoaction=ldquohttpwwwrandomorgcgi-binrandbyterdquogt

ltpgtGenerate ltinput type=text name=nbytesgt random bytes (maximum16384)ltpgtltpgtFormatltpgtltinput type=radio name=format value=hex checkedgt Hexadecimalltbrgtltinput type=radio name=format value=decgt Decimal ltbrgtltinput type=radio name=format value=octgt Octal ltbrgtltinput type=radio name=format value=bingt Binary ltbrgtltinput type=radio name=format value=filegt Download to a fileltbrgtltinput type=submit value=Get Bytesgtltinput type=reset value=Reset Formgtltformgt

HTML Forms and Parameters

Each form field has a nameFields passed as (name value) pairs

Names and values separated by lsquo=rsquo Multiple pairs separated by lsquoamprsquo eg nbytes=256ampformat=hex Called the query string Non-printable characters are encoded

Space encoded as lsquo+rsquo or lsquo20rsquo Any character can be encoded as x where x is the

characterrsquos ASCII value in hex eg 26 for lsquoamprsquo

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket"

Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

(7884 was in the basket already)

Cookies Example

Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

- Third request:

    GET / HTTP/1.0

- Fourth request:

    GET /gnus HTTP/1.0

No cookies are sent, because the paths '/' and '/gnus' do not match '/books'
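The client-side decision described above (domain, path, expiry, plus the `secure` flag from the example's Set-Cookie line) can be written out as code. This is an added example, not part of the original slides. It assumes the stricter path rule of RFC 6265 (so `/booksellers` does not match `/books`), treats the expiry time as GMT, and assumes the requests go over HTTPS because the cookie is marked `secure`; the function names and the constructed "now" date are illustrative.

```python
from datetime import datetime, timezone

# Set-Cookie value from the slide's server response.
SET_COOKIE = ("basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; "
              "path=/books; domain=www.ammozon.com; secure")
# Constructed "current time" that falls before the cookie's expiry.
NOW = datetime(2005, 11, 1, tzinfo=timezone.utc)


def parse_expires(text):
    """Parse 'DAY, DD-MMM-YYYY HH:MM:SS'; the slide's sample uses a numeric month, so both forms are tried."""
    stamp = text.split(",", 1)[-1].strip()
    for fmt in ("%d-%b-%Y %H:%M:%S", "%d-%m-%Y %H:%M:%S"):
        try:
            return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None  # unparseable date: handled like a cookie without expiry


def domain_matches(host, domain):
    """Host equals the cookie domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """Prefix match on whole path segments (RFC 6265, section 5.1.4)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(value, origin_host):
    """Return the cookie as a dict, or None if its domain is not the setting server's own."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")  # only the first '=' separates name and value
    cookie = {"name": name, "value": val, "domain": origin_host.lower(),
              "path": "/", "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, arg = attr.partition("=")
        key, arg = key.strip().lower(), arg.strip()
        if key == "secure":
            cookie["secure"] = True
        elif key == "path" and arg.startswith("/"):
            cookie["path"] = arg
        elif key == "domain" and arg:
            cookie["domain"] = arg.lower().lstrip(".")
        elif key == "expires":
            cookie["expires"] = parse_expires(arg)
    # Cookies are bound to the server that set them: refuse foreign domains.
    if not domain_matches(origin_host.lower(), cookie["domain"]):
        return None
    return cookie


def cookie_header(cookie, scheme, host, target, now):
    """Value for the Cookie request header, or None when any rule fails."""
    path = target.split("?", 1)[0] or "/"
    if cookie["secure"] and scheme != "https":
        return None
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return None
    if not domain_matches(host.lower(), cookie["domain"]):
        return None
    if not path_matches(path, cookie["path"]):
        return None
    return "%s=%s" % (cookie["name"], cookie["value"])


def replay_slide_requests():
    """Run the second, third and fourth request targets from the slides."""
    cookie = parse_set_cookie(SET_COOKIE, "www.ammozon.com")
    targets = ["/books/special-offers.php", "/", "/gnus"]
    return [cookie_header(cookie, "https", "www.ammozon.com", t, NOW) for t in targets]


if __name__ == "__main__":
    print(replay_slide_requests())
```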

Cookies Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Basic Servlet Interaction. Labels: Web client, Web Server, Servlet, HTTP request, HTTP response, Servlet API]

Java Servlets

Servlets can be used to extend web servers in a modular fashion

- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: Example Servlet Lifecycle. Labels: init, service (repeated across Thread 1, Thread 2 and Thread 3), destroy; axis: Time]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both header values are supplied by the client
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // ua and ref are written into the page as received;
            // HTML-escape them before output in production code
            out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields arrive already decoded by the servlet container
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // n, cc and a are request parameters written into the page as received;
            // HTML-escape them before output in production code
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged &euro;" + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.

Page 9: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

CGI

[Figure: CGI. Labels: WWW Client, WWW Server, CGI program, request, response, Invoke CGI, CGI output, internet, server]

CGI Pros and Cons

- Pros of CGI
  - Simple, suitable for small once-off tasks
  - Supported by all web servers
- Cons of CGI
  - Slow: web server forks a new process for every request
  - Parameter decoding is tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example: http://www.random.org/nform.html

HTML Forms

    <form method="get" action="http://www.random.org/cgi-bin/randbyte">
    <p>Generate <input type="text" name="nbytes"> random bytes (maximum 16384)</p>
    <p>Format</p>
    <input type="radio" name="format" value="hex" checked> Hexadecimal<br>
    <input type="radio" name="format" value="dec"> Decimal<br>
    <input type="radio" name="format" value="oct"> Octal<br>
    <input type="radio" name="format" value="bin"> Binary<br>
    <input type="radio" name="format" value="file"> Download to a file<br>
    <input type="submit" value="Get Bytes">
    <input type="reset" value="Reset Form">
    </form>

HTML Forms and Parameters

- Each form field has a name
- Fields passed as (name, value) pairs
  - Names and values separated by '='
  - Multiple pairs separated by '&'
  - e.g. nbytes=256&format=hex
  - Called the query string
- Non-printable characters are encoded
  - Space encoded as '+' or '%20'
  - Any character can be encoded as %x, where x is the character's ASCII value in hex, e.g. %26 for '&'

HTML Forms and Parameters

With GET requests, the query string is appended to the base URL as follows:

- /path?querystring

    GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in browser's URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

With POST requests, the query string is sent in the optional data field of the HTTP request

- Unlimited query length
- Query string not part of URL
- Hyper-references w/ POST requests containing query strings cannot be bookmarked or used as hyperlinks

Comparison ...

- In both cases, the server-side program must decode the data supplied by the client
- CGI just gives you the raw query string
  - Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets

    HttpServletRequest.getParameter(name)

More about query strings

- Query strings can be constructed
  - as a fixed URL, e.g. embedded in a page or bookmarked
  - by the browser from an HTML form
- Query strings constructed from forms follow the name-value pair format
- Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string
- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string
- In both cases, the CGI program outputs the response to stdout

Simple CGI script example

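    #!/bin/sh
    # Header line, then the blank line that ends the CGI headers
    echo "Content-type: text/html"
    echo ""
    echo "<html><body><p>"
    # QUERY_STRING comes straight from the client and is echoed as received
    echo "Your query string was $QUERY_STRING"
    echo "</p></body></html>"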
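The "tedious" decoding step a CGI program has to do itself is shown below as an added example, not part of the original slides: it reads the raw string the way the slides describe (QUERY_STRING for GET, standard input for POST), splits it on '&' and '=' before undoing the '+' and %XX encoding, and HTML-escapes every value before writing it into the response. REQUEST_METHOD and CONTENT_LENGTH are standard CGI variables the slides do not mention; the 16384-byte body limit and the function names are assumptions.

```python
import html
import os
import sys

_HEX = b"0123456789abcdefABCDEF"
MAX_BODY = 16384  # assumption: upper bound on the POST body this script accepts


def form_decode(text):
    """Undo form encoding: '+' is a space, %XX is the byte with hex value XX."""
    raw = text.encode("utf-8")
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x2B:  # '+'
            out.append(0x20)
            i += 1
        elif (c == 0x25 and i + 2 < len(raw)  # '%' followed by two hex digits
              and raw[i + 1] in _HEX and raw[i + 2] in _HEX):
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(c)  # ordinary byte, or a malformed escape kept literally
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_query_string(qs):
    """Split on '&', then on the first '=', and only then decode each side.

    Decoding first would turn an encoded %26 inside a value into a separator.
    """
    pairs = []
    for field in qs.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((form_decode(name), form_decode(value)))
    return pairs


def read_cgi_input(environ, stdin):
    """GET: QUERY_STRING environment variable. POST: CONTENT_LENGTH characters from stdin."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        return stdin.read(max(0, min(length, MAX_BODY)))
    return environ.get("QUERY_STRING", "")


def render_page(pairs):
    """Build the CGI response; every client-supplied string is HTML-escaped."""
    items = "".join(
        "<li>%s = %s</li>" % (html.escape(n), html.escape(v)) for n, v in pairs
    )
    return ("Content-type: text/html\r\n\r\n"
            "<html><body><ul>%s</ul></body></html>" % items)


if __name__ == "__main__":
    raw_query = read_cgi_input(os.environ, sys.stdin)
    sys.stdout.write(render_page(parse_query_string(raw_query)))
```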

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)
- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP, typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts' addresses in file
  - Stored in cookies

HTTP State URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a> are grateful to
    <a href="http://www.tcd.ie/">Trinity College</a></p>
    </body></html>

- Note: only local links are rewritten

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting, the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)

- Special 'hidden' form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields


Page 10: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

CGI Pros and Cons

Pros of CGI 1048708 Simple suitable for small once-off tasks 1048708 Supported by all web servers

1048708 Cons of CGI 1048708 Slow web server forks new process for every

request 1048708 Parameter decoding tedious

HTML Forms

Dynamic content is often generated in response to HTML forms

Example httpwwwrandomorgnformhtml

HTML Forms

ltform method=ldquogetrdquoaction=ldquohttpwwwrandomorgcgi-binrandbyterdquogt

ltpgtGenerate ltinput type=text name=nbytesgt random bytes (maximum16384)ltpgtltpgtFormatltpgtltinput type=radio name=format value=hex checkedgt Hexadecimalltbrgtltinput type=radio name=format value=decgt Decimal ltbrgtltinput type=radio name=format value=octgt Octal ltbrgtltinput type=radio name=format value=bingt Binary ltbrgtltinput type=radio name=format value=filegt Download to a fileltbrgtltinput type=submit value=Get Bytesgtltinput type=reset value=Reset Formgtltformgt

HTML Forms and Parameters

Each form field has a nameFields passed as (name value) pairs

Names and values separated by lsquo=rsquo Multiple pairs separated by lsquoamprsquo eg nbytes=256ampformat=hex Called the query string Non-printable characters are encoded

Space encoded as lsquo+rsquo or lsquo20rsquo Any character can be encoded as x where x is the

characterrsquos ASCII value in hex eg 26 for lsquoamprsquo

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content

- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses

- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support

- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl

- Others

Java Servlets

- Java on the server side
  - Request/response based API

- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads

- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet; labels: HTTP request, HTTP response, Servlet API]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
  - Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API

- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions

- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content

- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet

- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: time line with init, repeated service calls on Thread 1, Thread 2 and Thread 3, and destroy]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete

- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse

- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response

- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

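Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {

        // Escape client-supplied text before writing it into HTML.
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }

        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both headers are set by the client and may be absent (null).
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            out.println("<p>Your browser is " + esc(ua) + " and " +
                        "you got here via " + esc(ref) + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }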

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {

        // Escape client-supplied text before writing it into HTML.
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }

        public void doPost(HttpServletRequest request,
                           HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields arrive as request parameters, already decoded.
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello " + esc(n) + "</p>");
            out.println("<p>Your card " + esc(cc) +
                        " has been charged &euro;" + esc(a) + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet API

- ServletRequest / HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse / HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.


HTML Forms

- Dynamic content is often generated in response to HTML forms
- Example: http://www.random.org/nform.html

HTML Forms

    <form method="get" action="http://www.random.org/cgi-bin/randbyte">
    <p>Generate <input type="text" name="nbytes"> random bytes (maximum 16384)</p>
    <p>Format</p>
    <input type="radio" name="format" value="hex" checked> Hexadecimal<br>
    <input type="radio" name="format" value="dec"> Decimal<br>
    <input type="radio" name="format" value="oct"> Octal<br>
    <input type="radio" name="format" value="bin"> Binary<br>
    <input type="radio" name="format" value="file"> Download to a file<br>
    <input type="submit" value="Get Bytes">
    <input type="reset" value="Reset Form">
    </form>

HTML Forms and Parameters

- Each form field has a name
- Fields passed as (name, value) pairs
  - Names and values separated by '='
  - Multiple pairs separated by '&'
  - e.g. nbytes=256&format=hex
  - Called the query string
- Non-printable characters are encoded
  - Space encoded as '+' or '%20'
  - Any character can be encoded as %x, where x is the character's ASCII value in hex, e.g. %26 for '&'

HTML Forms and Parameters

- With GET requests the query string is appended to the base URL as follows
  - path?querystring

    GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in browser's URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

- With POST requests the query string is sent in the optional data field of the HTTP request
  - Unlimited query length
  - Query string not part of URL
  - Hyper-references with POST requests containing query strings cannot be bookmarked or used as hyperlinks

Comparison …

- In both cases the server-side program must decode the data supplied by the client
- CGI just gives you the raw query string
- Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets

    HttpServletRequest.getParameter(name)

More about query strings

- Query strings can be constructed
  - as a fixed URL, e.g. embedded in a page or bookmarked
  - by the browser from an HTML form
- Query strings constructed from forms follow the name-value pair format
- Otherwise the format is defined by the programmer
  - e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string
- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string
- In both cases the CGI program outputs the response to stdout

Simple CGI script example

    #!/bin/sh
    # Header, then the blank line that ends the CGI response headers.
    printf 'Content-type: text/html\n\n'
    # QUERY_STRING is client-controlled: escape it before writing it into HTML.
    qs=$(printf '%s' "$QUERY_STRING" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
    echo "<html><body><p>"
    printf 'Your query string was: %s\n' "$qs"
    echo "</p></body></html>"
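The decoding step that CGI leaves to the program, as an added example that is not part of the original slides: it reads the parameters from QUERY_STRING for GET or from standard input for POST, decodes '+' and %xx, and HTML-escapes the values before writing the response. REQUEST_METHOD and CONTENT_LENGTH are standard CGI variables the slides do not mention; the MAX_BODY limit and the sample requests in the test are constructed.

```python
import html
import io
import os
import sys

HEX_DIGITS = "0123456789abcdefABCDEF"
MAX_BODY = 64 * 1024  # constructed limit on how much POST data is read


def percent_decode(text: str) -> str:
    """Decode '+' as space and %XX escapes; malformed escapes stay literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "%" and len(pair) == 2 and all(c in HEX_DIGITS for c in pair):
            out.append(int(pair, 16))
            i += 3
            continue
        out.extend(b" " if text[i] == "+" else text[i].encode("utf-8"))
        i += 1
    # Invalid byte sequences become U+FFFD instead of raising.
    return out.decode("utf-8", errors="replace")


def parse_query(raw: str) -> list:
    """Split name=value pairs on '&' and decode each side separately."""
    pairs = []
    for field in raw.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        pairs.append((percent_decode(name), percent_decode(value)))
    return pairs


def read_parameters(environ, stdin) -> list:
    """GET: parameters come from QUERY_STRING. POST: from standard input."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = 0
        # Never read more than the declared (and capped) body length.
        raw = stdin.read(max(0, min(length, MAX_BODY)))
    else:
        raw = environ.get("QUERY_STRING", "")
    return parse_query(raw)


def render(params: list) -> str:
    """Build the CGI response; every client-supplied string is escaped."""
    rows = "".join(
        f"<li>{html.escape(name)} = {html.escape(value)}</li>"
        for name, value in params
    )
    return ("Content-type: text/html\r\n\r\n"
            "<html><body><ul>" + rows + "</ul></body></html>\n")


if __name__ == "__main__":
    # When run by a web server as a CGI program, the response goes to stdout.
    sys.stdout.write(render(read_parameters(os.environ, sys.stdin)))
```
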

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)

- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP typically one or more (name, value) pairs

- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies

- Long-term state can be encoded
  - Keep record of host addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212

- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients/?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity College</a></p>
    </body></html>

- Note: only local links are rewritten

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form

- If the server receives a request without parameters, it returns a login form instead of the content

- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting the hyperlinks are personalised

- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off

- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed

- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead

- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

- First form

    <form method="post" action="form-handler.php">
    <p>Enter your name <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
    <p>Enter your age <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed

Hidden Fields Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers regardless of user's (cookie) preferences

- Cons
  - Requires forms; not suitable for plain links
  - Others
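Hidden fields come back from the browser like any other form field, so the server receives whatever the client chooses to submit. The added example below (not part of the original slides) carries the slide's stage and user values in hidden fields together with an HMAC, and accepts a submission only if the carried values still match it. The field name mac, the key and the encoding of the state are assumptions of this sketch.

```python
import hashlib
import hmac
import html

# Assumption: constructed demo key; a real server loads its key from
# protected configuration and never sends it to the client.
SERVER_KEY = b"constructed-demo-key"

# Names of the hidden fields that carry state between the forms (from the slide).
CARRIED = ("stage", "user")


def state_mac(state: dict) -> str:
    """HMAC-SHA256 over a length-prefixed encoding of the carried state.

    Length prefixes keep {"a": "b=c"} and {"a=b": "c"} from colliding.
    """
    msg = "".join(
        f"{len(k)}:{k}={len(v)}:{v};" for k, v in sorted(state.items())
    )
    return hmac.new(SERVER_KEY, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def hidden_fields(state: dict) -> str:
    """Render the state as hidden inputs, plus one hidden input with the MAC."""
    lines = [
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}" />'
        for k, v in state.items()
    ]
    lines.append(f'<input type="hidden" name="mac" value="{state_mac(state)}" />')
    return "\n".join(lines)


def second_form(user: str) -> str:
    """The slide's second form, with the state protected by the MAC."""
    state = {"stage": "2", "user": user}
    return (
        '<form method="post" action="form-handler.php">\n'
        '<p>Enter your age <input type="text" name="age" /></p>\n'
        + hidden_fields(state) + "\n"
        '<input type="submit" value="Next" />\n'
        "</form>"
    )


def verify_submission(form: dict):
    """Return the carried state if its MAC verifies, otherwise None."""
    if any(name not in form for name in CARRIED + ("mac",)):
        return None
    state = {name: form[name] for name in CARRIED}
    expected = state_mac(state).encode("utf-8")
    supplied = form["mac"].encode("utf-8")
    # Constant-time comparison of the expected and the submitted MAC.
    if not hmac.compare_digest(expected, supplied):
        return None
    return state


if __name__ == "__main__":
    print(second_form("Joe Random"))
```

The MAC shows only that the values are ones the server issued; ordinary fields such as age still need normal input validation.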

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie

- Cookies are used to maintain state on the client side

Page 12: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

HTML Forms

ltform method=ldquogetrdquoaction=ldquohttpwwwrandomorgcgi-binrandbyterdquogt

ltpgtGenerate ltinput type=text name=nbytesgt random bytes (maximum16384)ltpgtltpgtFormatltpgtltinput type=radio name=format value=hex checkedgt Hexadecimalltbrgtltinput type=radio name=format value=decgt Decimal ltbrgtltinput type=radio name=format value=octgt Octal ltbrgtltinput type=radio name=format value=bingt Binary ltbrgtltinput type=radio name=format value=filegt Download to a fileltbrgtltinput type=submit value=Get Bytesgtltinput type=reset value=Reset Formgtltformgt

HTML Forms and Parameters

Each form field has a nameFields passed as (name value) pairs

Names and values separated by lsquo=rsquo Multiple pairs separated by lsquoamprsquo eg nbytes=256ampformat=hex Called the query string Non-printable characters are encoded

Space encoded as lsquo+rsquo or lsquo20rsquo Any character can be encoded as x where x is the

characterrsquos ASCII value in hex eg 26 for lsquoamprsquo

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
  - Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API

- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions

- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content

- HTTP session objects
  - Methods to identify requests from the same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet

- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: timeline of a servlet's life: init, then service calls running on Thread 1, Thread 2 and Thread 3, then destroy; axis: Time]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet(), doPut(), doPost(), doDelete()

- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse

- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response

- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Hello extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out;
        String title = "Snoop Servlet";
        // Both header values are supplied by the client and may be null.
        String ua = request.getHeader("User-Agent");
        String ref = request.getHeader("Referer");
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        out.println("<p>Hello</p>");
        // ua and ref are written into the page unescaped here;
        // HTML-encode client-supplied values before output in real code.
        out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
        out.println("</body></html>");
        out.close();
    }
}

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

<form method="post" action="servlets/pay">
<input type="text" name="name" />
<input type="text" name="amount" />
<input type="text" name="cardnumber" />
<input type="text" name="expirydate" />
<input type="submit" value="Pay" />
</form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class Hello extends HttpServlet {
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out;
        String title = "Payment Servlet";
        // Form fields arrive as request parameters (null if a field is missing).
        String n = request.getParameter("name");
        String a = request.getParameter("amount");
        String cc = request.getParameter("cardnumber");
        String ed = request.getParameter("expirydate");
        // TODO: credit card transaction here
        response.setContentType("text/html");
        out = response.getWriter();
        out.println("<html><head><title>");
        out.println(title);
        out.println("</title></head><body>");
        out.println("<h1>" + title + "</h1>");
        // n, cc and a are client-supplied and written back unescaped here;
        // HTML-encode them before output in real code.
        out.println("<p>Hello " + n + "</p>");
        out.println("<p>Your card " + cc + " has been charged &euro;" + a + "</p>");
        out.println("</body></html>");
        out.close();
    }
}

Servlet API

- ServletRequest / HttpServletRequest
  - getInputStream()
  - getProtocol()
  - getRemoteAddr()
  - getHeader()
  - getMethod()
  - getQueryString()
  - getRemoteUser()
  - getSession()
  - etc.

Servlet API

- ServletResponse / HttpServletResponse
  - getOutputStream()
  - setContentType()
  - getWriter()
  - sendRedirect()
  - etc.

HTML Forms and Parameters

- Each form field has a name
- Fields passed as (name, value) pairs
  - Names and values separated by '='
  - Multiple pairs separated by '&', e.g. nbytes=256&format=hex
  - Called the query string
- Non-printable characters are encoded
  - Space encoded as '+' or '%20'
  - Any character can be encoded as %x, where x is the character's ASCII value in hex, e.g. %26 for '&'

HTML Forms and Parameters

- With GET requests, the query string is appended to the base URL as follows
  - path?querystring

GET /cgi-bin/randbyte?nbytes=256&format=hex HTTP/1.0

- Query string appears in the browser's URL bar
- Query string can be bookmarked
- Query string can be contained in web pages

HTML Forms and Parameters

- With POST requests, the query string is sent in the optional data field of the HTTP request
  - Unlimited query length
  - Query string not part of URL
  - Hyper-references w/ POST request containing query strings cannot be bookmarked or used as hyperlinks

Comparison …

- In both cases, the server-side program must decode the data supplied by the client
- CGI just gives you the raw query string
  - Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets
  - HttpServletRequest.getParameter(name)

More about query strings

- Query strings can be constructed
  - as a fixed URL, e.g. embedded in a page or bookmarked
  - by the browser, from an HTML form
- Query strings constructed from forms follow the name-value pair format
- Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string

- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string

- In both cases, the CGI program outputs the response to stdout

Simple CGI script example

#!/bin/sh

# printf instead of echo: whether echo expands "\n" differs between shells.
printf 'Content-type: text/html\n\n'

echo "<html><body><p>"

# QUERY_STRING comes from the client and is echoed here exactly as received.
echo "Your query string was $QUERY_STRING"

echo "</p></body></html>"
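The decoding work that CGI leaves to the program, as an added example that is not part of the original slides: a CGI-style handler that takes the query string from QUERY_STRING (GET) or standard input (POST), decodes the name=value pairs by hand, and HTML-escapes every value before writing it back. The function names, the body-size cap and the use of the standard CGI variables REQUEST_METHOD and CONTENT_LENGTH are choices made for this illustration.

```python
import html
import os
import sys

HEX_DIGITS = "0123456789abcdefABCDEF"
MAX_BODY = 64 * 1024  # assumed cap on POST bodies for this example


def percent_decode(text):
    """Decode one component: '+' means space, %XX is a byte value in hex."""
    data = text.replace("+", " ")
    out = bytearray()
    i = 0
    while i < len(data):
        ch = data[i]
        if (ch == "%" and i + 2 < len(data)
                and data[i + 1] in HEX_DIGITS and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            # A stray or truncated '%' is kept literally rather than guessed at.
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_query(query):
    """Split 'a=1&b=2' into decoded (name, value) pairs, keeping repeated names."""
    pairs = []
    for item in query.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        pairs.append((percent_decode(name), percent_decode(value)))
    return pairs


def read_query(environ, stdin):
    """GET: query string is in the environment. POST: it is the request body."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        length = max(0, min(length, MAX_BODY))
        return stdin.read(length).decode("ascii", "replace")
    return environ.get("QUERY_STRING", "")


def render_page(pairs):
    """Build the CGI response; every client-supplied string is HTML-escaped."""
    rows = "".join(
        "<li>%s = %s</li>" % (html.escape(name), html.escape(value))
        for name, value in pairs
    )
    return ("Content-type: text/html\r\n\r\n"
            "<html><body><ul>%s</ul></body></html>" % rows)


def handle(environ, stdin):
    return render_page(parse_query(read_query(environ, stdin)))


if __name__ == "__main__":
    # Under a web server this reads the real CGI environment and request body.
    sys.stdout.write(handle(os.environ, sys.stdin.buffer))
```
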

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)

- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP, typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts' addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212

- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

<html><head></head><body>
<p>There is the <a href="/users.php?id=212">users page</a>,
there is the <a href="/clients/?id=212">client archive</a>
and we here at <a href="/?id=212">random.org</a>
are grateful to <a href="http://www.tcd.ie/">Trinity College</a></p>
</body></html>

- Note: Only local links are rewritten

URL Rewriting Example

- With URL rewriting, you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form

- If the server receives a request without parameters, it returns a login form instead of the content

- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting, the hyperlinks are personalised

- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off

- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed

- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead

- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
  - Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

First form:

<form method="post" action="form-handler.php">
<p>Enter your name <input type="text" name="user" /></p>
<input type="hidden" name="stage" value="1" />
<input type="submit" value="Next" />
</form>

- Server encodes the state (including values submitted by the user) in the second form

<form method="post" action="form-handler.php">
<p>Enter your age <input type="text" name="age" /></p>
<input type="hidden" name="stage" value="2" />
<input type="hidden" name="user" value="Joe Random" />
<input type="submit" value="Next" />
</form>

- When at the last stage, all data is processed

Hidden Fields Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers, regardless of user's (cookie) preferences

- Cons
  - Requires forms, not suitable for plain links
  - Others
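Hidden fields come back from the browser like any other form field, so the server cannot assume they still hold the values it wrote into the previous form. One way to detect changes, as an added example that is not part of the original slides: the server adds an HMAC over the carried state as one more hidden field and checks it at the next stage. The key, the field name `mac` and the helper names are assumptions made for this illustration.

```python
import hashlib
import hmac
import html
from urllib.parse import urlencode

# Constructed demo key; a real deployment uses a random secret kept on the server.
SERVER_KEY = b"constructed-demo-key"


def state_mac(state, key=SERVER_KEY):
    """HMAC-SHA256 over the state in a canonical form (sorted, URL-encoded pairs)."""
    canonical = urlencode(sorted(state.items())).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def hidden_fields(state, key=SERVER_KEY):
    """Render the carried state plus its MAC as hidden inputs for the next form."""
    fields = dict(state)
    fields["mac"] = state_mac(state, key)
    return "\n".join(
        '<input type="hidden" name="%s" value="%s" />'
        % (html.escape(name), html.escape(value))
        for name, value in fields.items()
    )


def verify_submission(form, carried_names, key=SERVER_KEY):
    """Return the carried state if its MAC checks out, otherwise None.

    `form` is the decoded submission; `carried_names` lists the hidden fields
    the server itself wrote into the previous form.
    """
    try:
        state = {name: form[name] for name in carried_names}
        supplied = form["mac"]
    except KeyError:
        return None
    expected = state_mac(state, key)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8")):
        return None
    return state


if __name__ == "__main__":
    # Stage 2 of the questionnaire above: the server carries stage and user.
    print(hidden_fields({"stage": "2", "user": "Joe Random"}))
```

The MAC only shows that the carried values are the ones the server issued; it does not hide them from the user and does not stop an old, validly signed form from being submitted again.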

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie

- Cookies are used to maintain state on the client side

HTTP State: Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets

- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State: Cookies

- Cookies are set (by the server) via HTTP Response headers

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

- And sent back (by the client) via HTTP Request headers

Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: / separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired

- Limitation: Cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

First request:

POST /basket-add.php HTTP/1.0

uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket"

Server response:

HTTP/1.0 200 OK
Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

<html><body><p>The content of your shopping basket is</p></body></html>

(7884 was in the basket already)

Cookies Example

Second request:

GET /books/special-offers.php HTTP/1.0
Cookie: uid=12&pid=9828&pid=7884

- Third request:

GET / HTTP/1.0

- Fourth request:

GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'
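The sending conditions and the requests from the cookie example, as an added example that is not part of the original slides: a simplified matcher that checks domain, path and expiry as the slide states them, plus the `secure` attribute from the Set-Cookie line, which restricts the cookie to HTTPS requests. The `Cookie` record, the function names and the fixed clock are constructed for this illustration, and real browsers apply further rules.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: datetime
    secure: bool = False


def domain_matches(host, domain):
    """Host equals the cookie domain or is a sub-domain of it."""
    host = host.lower()
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(request_path, cookie_path):
    """Cookie path must be a prefix on a '/' boundary: /books matches
    /books/x but not /bookshop."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie, url, now):
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False          # 'secure' cookies never travel over plain HTTP
    if now >= cookie.expires:
        return False          # expired cookies are dropped
    return (domain_matches(parts.hostname or "", cookie.domain)
            and path_matches(parts.path or "/", cookie.path))


def cookie_header(jar, url, now):
    """Build the Cookie request header for a URL, or None if nothing matches."""
    pairs = ["%s=%s" % (c.name, c.value) for c in jar if should_send(c, url, now)]
    return "Cookie: " + "; ".join(pairs) if pairs else None


# The cookie set by the server response in the example above.
BASKET = Cookie(
    name="basket",
    value="uid=12&pid=9828&pid=7884",
    domain="www.ammozon.com",
    path="/books",
    expires=datetime(2005, 11, 23, 14, 42, 12),
    secure=True,
)

if __name__ == "__main__":
    now = datetime(2005, 11, 1)  # constructed clock, before the expiry date
    for path in ("/books/special-offers.php", "/", "/gnus"):
        url = "https://www.ammozon.com" + path
        print(path, "->", cookie_header([BASKET], url, now))
```
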

Page 14: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

HTML Forms and Parameters

With GET requests the query string is appended to the base URL as follows 1048708 pathquerystring

GET cgi-binrandbytenbytes=256ampformat=hex HTTP10

1048708 Query string appears in browsers URL bar 1048708 Query string can be bookmarked 1048708 Query string can be contained in web pages

HTML Forms and Parameters

With POST requests the query string is sent in the optional data field of the HTTP request Unlimited query length Query string not part of URL Hyper-references w POST request containing

query strings cannot be bookmarked or used as hyperlinks

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response


HTML Forms and Parameters

- With POST requests, the query string is sent in the optional data field of the HTTP request
  - Unlimited query length
  - Query string not part of URL
- Hyper-references with POST requests containing query strings cannot be bookmarked or used as hyperlinks

Comparison …

- In both cases, the server-side program must decode the data supplied by the client
- CGI just gives you the raw query string
  - Decoding can be tedious
- Other approaches to dynamic content generation do this for you
  - Example: Java Servlets, HttpServletRequest.getParameter(name)

More about query strings

- Query strings can be constructed
  - as a fixed URL, e.g. embedded in a page or bookmarked
  - by the browser from an HTML form
- Query strings constructed from forms follow the name-value pair format
- Otherwise the format is defined by the programmer, e.g. http://www.eboard.com/show.jsp?234873

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string
- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string
- In both cases, the CGI program outputs the response to stdout

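Simple CGI script example

    #!/bin/sh
    # HTML-escape the client-supplied query string before writing it into the page
    safe=$(printf '%s' "$QUERY_STRING" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g')
    printf 'Content-type: text/html\n\n'
    printf '<html><body><p>\n'
    printf 'Your query string was: %s\n' "$safe"
    printf '</p></body></html>\n'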
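The decoding that the slides above leave to the CGI program, as an added Python example (not part of the original slides): the query string is taken from QUERY_STRING for GET or from standard input for POST, split into name-value pairs, and every value is HTML-escaped before it is written into the page. The function names, the MAX_BODY limit and the sample request are assumptions made for this example; REQUEST_METHOD and CONTENT_LENGTH are the standard CGI variables.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # assumed cap on a POST body for this example

# Constructed sample request, used only when the script is run outside a web server.
SAMPLE_ENV = {"REQUEST_METHOD": "GET",
              "QUERY_STRING": "user=Joe+Random&note=%3Cb%3Ehi%3C%2Fb%3E"}


def read_query(environ, stdin):
    """Return the raw query string the way CGI delivers it.

    GET  -> QUERY_STRING environment variable
    POST -> CONTENT_LENGTH bytes read from standard input
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        return environ.get("QUERY_STRING", "")
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not a number") from None
        if length < 0 or length > MAX_BODY:
            raise ValueError("request body too large")
        return stdin.read(length).decode("ascii", errors="replace")
    raise ValueError("unsupported method: " + method)


def decode_params(raw):
    """Decode name=value&name=value into {name: [values]} ('+' and %XX decoded)."""
    return parse_qs(raw, keep_blank_values=True, max_num_fields=100)


def render(params):
    """Build the response body; every client-supplied string is HTML-escaped."""
    rows = []
    for name in sorted(params):
        for value in params[name]:
            rows.append("<li>%s = %s</li>" % (html.escape(name), html.escape(value)))
    return "<html><body><ul>\n%s\n</ul></body></html>" % "\n".join(rows)


def handle(environ, stdin):
    """One CGI invocation: returns the full response (headers and body) as text."""
    try:
        body = render(decode_params(read_query(environ, stdin)))
        status = "200 OK"
    except ValueError as exc:
        body = "<html><body><p>Bad request: %s</p></body></html>" % html.escape(str(exc))
        status = "400 Bad Request"
    return "Status: %s\r\nContent-Type: text/html; charset=utf-8\r\n\r\n%s" % (status, body)


if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:      # started by a web server as a CGI program
        sys.stdout.write(handle(os.environ, sys.stdin.buffer))
    else:                                   # stand-alone run on the constructed sample
        sys.stdout.write(handle(SAMPLE_ENV, io.BytesIO(b"")))
```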

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)
- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP, typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts' addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients/?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity College</a>.</p>
    </body></html>

- Note: Only local links are rewritten
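The rewriting step from this slide, as an added Python example (not part of the original slides): the state pair is appended to every local link and links to other hosts are left untouched, so the state is not handed to another site. The function names, the regular expression that finds double-quoted href attributes, and the sample page are assumptions of this example.

```python
import html
import re
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit

HREF = re.compile(r'href="([^"]*)"')  # assumes double-quoted href attributes

# Constructed sample: the page from the slide before rewriting.
BASE_URL = "http://www.random.org/essay.php?id=212"
SAMPLE_PAGE = ('<p><a href="users.php">users page</a> '
               '<a href="clients/">client archive</a> '
               '<a href="/">random.org</a> '
               '<a href="http://www.tcd.ie/">Trinity College</a></p>')


def add_state(link, base_url, name, value):
    """Return link with name=value added, but only if it stays on base_url's host."""
    target = urlsplit(urljoin(base_url, link))      # resolve relative links first
    base = urlsplit(base_url)
    same_host = target.netloc.lower() == base.netloc.lower()
    if target.scheme not in ("http", "https") or not same_host:
        return link                                 # off-site, mailto:, etc.: unchanged
    parts = urlsplit(link)
    # Drop any existing copy of the parameter so the link carries exactly one value.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def rewrite_local_links(page, base_url, name, value):
    """Rewrite every href in page; attribute values are unescaped and re-escaped."""
    def repl(match):
        link = html.unescape(match.group(1))
        return 'href="%s"' % html.escape(add_state(link, base_url, name, value))
    return HREF.sub(repl, page)


if __name__ == "__main__":
    print(rewrite_local_links(SAMPLE_PAGE, BASE_URL, "id", "212"))
```

Because the state travels in the URL, it also ends up in server logs, bookmarks and the Referer header sent when the user follows a link off the page.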

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting, the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting: Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting: Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
- Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

First form:

    <form method="post" action="form-handler.php">
    <p>Enter your name: <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
    <p>Enter your age: <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed

Hidden Fields: Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers regardless of user's (cookie) preferences
- Cons
  - Requires forms, not suitable for plain links
  - Others
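Hidden fields come back from the browser like any other field, so the server cannot assume that stage or user still hold what it wrote into the form. The following added Python example (not part of the original slides) carries the questionnaire state in one hidden field protected by an HMAC, so the handler can reject a modified value; the field name state, the key handling and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import html
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: a secret that never leaves the server


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii")


def seal(state, key=SERVER_KEY):
    """Serialise the state dict and append an HMAC-SHA256 tag: payload.tag"""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def unseal(token, key=SERVER_KEY):
    """Return the state dict, or None if the token is malformed or was modified."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        tag = base64.urlsafe_b64decode(tag_b64.encode("ascii"))
    except ValueError:                      # wrong shape, bad base64, non-ASCII input
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(payload.decode("utf-8"))


def second_form(user):
    """Stage-2 form from the slide, with stage and user moved into one sealed field."""
    token = seal({"stage": 2, "user": user})
    return (
        '<form method="post" action="form-handler.php">\n'
        '<p>Enter your age: <input type="text" name="age" /></p>\n'
        '<input type="hidden" name="state" value="%s" />\n'
        '<input type="submit" value="Next" />\n'
        '</form>' % html.escape(token)
    )


def handle_stage2(fields):
    """fields: decoded POST parameters as a dict. Returns (status, message)."""
    state = unseal(fields.get("state", ""))
    if state is None or state.get("stage") != 2:
        return 400, "state missing or modified"
    if not fields.get("age", "").isdigit():
        return 400, "age must be a number"
    return 200, "user=%s age=%s" % (state["user"], fields["age"])


if __name__ == "__main__":
    print(second_form("Joe Random"))
```

The tag gives integrity only: the browser can still read the payload and resubmit an old token, so secrets and one-time decisions stay on the server.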

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie
- Cookies are used to maintain state on the client side

HTTP State: Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets
- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State: Cookies

- Cookies are set (by the server) via HTTP Response headers

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

- And sent back (by the client) via HTTP Request headers

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: '/'-separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired
- Limitation: Cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

- Could mean "user 12 adds product 9828 to her shopping basket"

Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

- 7884 was in the basket already

Cookies Example

Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

Third request:

    GET / HTTP/1.0

Fourth request:

    GET /gnus HTTP/1.0

- No cookies are sent because the paths '/' and '/gnus' do not match '/books'

Cookies: Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet; labels: HTTP request, HTTP response, Servlet API]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
  - Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP) which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface
- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: timeline of init, several service calls on Thread 1, Thread 2 and Thread 3, and destroy; axis: Time]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

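Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both headers are supplied by the client and may be absent (null)
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // Escape header values before writing them into the page
            out.println("<p>Your browser is " + esc(ua) + " and "
                    + "you got here via " + esc(ref) + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Minimal HTML escaping for text placed in element content
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }
    }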

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

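Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // Form values come from the client: escape them before output
            out.println("<p>Hello " + esc(n) + "</p>");
            out.println("<p>Your card " + esc(cc) + " has been charged &euro;"
                    + esc(a) + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Minimal HTML escaping for text placed in element content
        private static String esc(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;")
                    .replace(">", "&gt;").replace("\"", "&quot;");
        }
    }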

Servlet API

- ServletRequest / HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse / HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.

Page 16: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Comparison hellip

In both cases server side program must decode the data supplied by the client

CGI just gives you the raw query stringDecoding can be tediousOther approaches to dynamic content

generation do this for you Example Java Servlets

HttpServletRequestgetParameter(name)

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 17: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

More about query strings

Query strings can be constructed as a fixed URL eg embedded in a page or bookmarked by the browser from a HTML form

Query strings constructed from forms follow the name-value pair format

Otherwise the format is defined by the programmer eg httpwwweboardcomshowjsp234873

Parameter passing with CGI

When invoked with GET the query string is passed as a shell environment variable called QUERY_STRING 1048708 CGI program must evaluate the variable and parse

the string

When invoked with POST the query string is passed through standard input CGI program must read from stdin and parse the string

In both cases the CGI program outputs the response to stdout

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
  - Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

- First form:

    <form method="post" action="form-handler.php">
    <p>Enter your name: <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form:

    <form method="post" action="form-handler.php">
    <p>Enter your age: <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed

Hidden Fields: Pros and Cons

- Pros
  - State processing on the server side is easier than with URL rewriting: hidden fields are simply treated as ordinary fields
  - Supported by all browsers, regardless of the user's (cookie) preferences
- Cons
  - Requires forms; not suitable for plain links
  - Others
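Hidden fields come back from the browser like any other field, so the server has to check that the state it wrote into the second form (`stage`, `user`) returns unchanged before it processes the last stage. The following is an added example, not part of the lecture: it protects the state with an HMAC-SHA256 tag carried in one more hidden field; the field name `mac`, the class `SignedState` and the key handling are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.TreeMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignedState {
    private final SecretKeySpec key;

    SignedState(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /** Canonical form: fields sorted by name, each name and value length-prefixed
     *  so that ("a", "bc") and ("ab", "c") can never produce the same bytes. */
    private static byte[] canonical(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<>(fields).entrySet()) {
            sb.append(e.getKey().length()).append(':').append(e.getKey());
            sb.append(e.getValue().length()).append(':').append(e.getValue());
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    /** Tag the server writes into the extra hidden field. */
    String tag(Map<String, String> fields) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] raw = mac.doFinal(canonical(fields));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time comparison of the tag that came back with the form. */
    boolean verify(Map<String, String> fields, String submittedTag) {
        if (submittedTag == null) {
            return false;
        }
        byte[] expected = tag(fields).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = submittedTag.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // server-side key, never sent to the client
        SignedState signer = new SignedState(secret);

        // State the server writes into the second form of the example.
        Map<String, String> state = new TreeMap<>();
        state.put("stage", "2");
        state.put("user", "Joe Random");
        String mac = signer.tag(state);
        System.out.println("<input type=\"hidden\" name=\"mac\" value=\"" + mac + "\" />");

        // The form is submitted unchanged: the tag verifies.
        System.out.println("unchanged fields accepted: " + signer.verify(state, mac));

        // A hidden field was altered on the client: the tag no longer matches.
        Map<String, String> altered = new TreeMap<>(state);
        altered.put("user", "Someone Else");
        System.out.println("altered fields accepted:   " + signer.verify(altered, mac));
    }
}
```

The tag gives integrity only: the values stay readable in the page source, and an old form can be resubmitted unless the signed state also carries an expiry time.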

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie
- Cookies are used to maintain state on the client side

HTTP State: Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets
- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State: Cookies

- Cookies are set (by the server) via HTTP Response headers:

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

- And sent back (by the client) via HTTP Request headers:

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: / separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired
- Limitation: Cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

- First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

- Could mean "user 12 adds product 9828 to her shopping basket"
- Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

- 7884 was in the basket already

Cookies Example

- Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: basket=uid=12&pid=9828&pid=7884

- Third request:

    GET / HTTP/1.0

- Fourth request:

    GET /gnus HTTP/1.0

- No cookies are sent because the paths '/' and '/gnus' do not match '/books'

Cookies: Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy Issues
- Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
- Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet; labels: HTTP request, HTTP response, Servlet API]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
- Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets once written can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface
- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: servlet lifecycle along a Time axis: init, then service calls on Thread 1, Thread 2 and Thread 3, then destroy]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request,
                          HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both header values are supplied by the client
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // ua and ref are written into the page as received
            out.println("<p>Your browser is " + ua + " and "
                        + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

- Consider the following form used on a site accepting payment via credit cards:

    <form method="post" action="servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request,
                           HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields, exactly as submitted by the client
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged &euro;"
                        + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }
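Both example servlets write request data (User-Agent, Referer, name, cardnumber, amount) into the HTML exactly as the client sent it. The following added example, which is not the lecture's code, shows the output side of the payment page handled defensively: every client-supplied string is HTML-escaped, the amount is checked against a strict pattern, and only the last four card digits are displayed. The class `SafeReceipt` and its helper names are assumptions, the inputs in `main` are constructed, and in a servlet the arguments would come from `request.getParameter()`.

```java
import java.math.BigDecimal;

public class SafeReceipt {
    /** Escapes the characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Shows only the last four digits; rejects anything that is not 12 to 19 digits. */
    static String maskCard(String cardNumber) {
        if (cardNumber == null) {
            throw new IllegalArgumentException("card number missing");
        }
        String digits = cardNumber.replaceAll("[ -]", "");
        if (!digits.matches("\\d{12,19}")) {
            throw new IllegalArgumentException("card number malformed");
        }
        int shown = 4;
        return "*".repeat(digits.length() - shown) + digits.substring(digits.length() - shown);
    }

    /** Accepts a positive decimal amount with at most two fraction digits. */
    static BigDecimal parseAmount(String amount) {
        if (amount == null || !amount.matches("\\d{1,7}(\\.\\d{1,2})?")) {
            throw new IllegalArgumentException("amount malformed");
        }
        BigDecimal value = new BigDecimal(amount);
        if (value.signum() <= 0) {
            throw new IllegalArgumentException("amount must be positive");
        }
        return value.setScale(2); // scale only grows, so no rounding is needed
    }

    /** Builds the confirmation page; no parameter reaches the markup unprocessed. */
    static String receiptPage(String name, String amount, String cardNumber) {
        String title = "Payment Servlet";
        return "<html><head><title>" + title + "</title></head><body>\n"
             + "<h1>" + title + "</h1>\n"
             + "<p>Hello " + escapeHtml(name) + "</p>\n"
             + "<p>Your card " + maskCard(cardNumber) + " has been charged &euro;"
             + parseAmount(amount).toPlainString() + "</p>\n"
             + "</body></html>";
    }

    public static void main(String[] args) {
        // Constructed input: a name that contains markup, and a well-known test card number.
        System.out.println(receiptPage("Joe <b>Random</b>", "19.99", "4111 1111 1111 1111"));

        // Constructed input: an amount that is not a plain decimal is refused, not echoed.
        try {
            receiptPage("Joe Random", "19,99 EUR", "4111111111111111");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```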

Servlet API

- ServletRequest / HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse / HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.

Page 18: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Parameter passing with CGI

- When invoked with GET, the query string is passed as a shell environment variable called QUERY_STRING
  - CGI program must evaluate the variable and parse the string
- When invoked with POST, the query string is passed through standard input
  - CGI program must read from stdin and parse the string
- In both cases, the CGI program outputs the response to stdout

Simple CGI script example

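    #!/bin/sh
    # Header, then the blank line that ends the header section
    printf 'Content-type: text/html\n\n'
    echo "<html><body><p>"
    # QUERY_STRING is set by the web server from the request URL
    # and is written into the page as received
    echo "Your query string was $QUERY_STRING"
    echo "</p></body></html>"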

HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)
- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts' addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org:

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page:

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users
    page</a>, there is the <a href="clients/?id=212">client
    archive</a> and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity
    College</a>.</p>
    </body></html>

- Note: Only local links are rewritten


Page 19: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Simple CGI script example

binsh

echo ldquoContent-type texthtmlnnrdquo

echo ldquolthtmlgtltbodygtltpgtrdquo

echo ldquoYour query string was $QUERY_STRINGrdquo

echo ldquoltpgtltbodygtlthtmlgtrdquo

HTTP and State

1048708 Recall that HTTP is stateless Server maintains no state about clients between

successive HTTP requests Statelessness is an attractive feature because it makes

servers less vulnerable to client failures (and vice versa)

1048708 However state is useful Maintain a history of previous invocations or visits Correlate information from several requests Trace users through a web site

HTTP and State

State can take any form In HTTP typically one or more (name value)

pairs Short-term state can be encoded in a variety of

ways 1048708 in URL to browser (URL rewriting) 1048708 in HTML documents served (hidden fields) 1048708 in cookies

Long-term state can be encoded 1048708 Keep record of hosts addresses in file 1048708 Stored in cookies

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both values come from request headers, so the client chooses them.
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // The header values are written into the page exactly as received.
            out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
      <input type="text" name="name" />
      <input type="text" name="amount" />
      <input type="text" name="cardnumber" />
      <input type="text" name="expirydate" />
      <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields posted by the browser
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // The submitted values are written into the page exactly as received.
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged €" + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }
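The confirmation page of Servlet Example 2 is built from request parameters, so this added example (not code from the original slides) shows the same page with the name escaped, the amount validated and only the last four card digits displayed. The class name PaymentPage, its helper methods and the input rules are assumptions for illustration; a doPost would write the result of render(...) to response.getWriter().

```java
import java.util.regex.Pattern;

/** Added example: output handling for the payment confirmation page. */
public class PaymentPage {

    // Assumed input rule: up to seven digits, optionally followed by two decimals.
    private static final Pattern AMOUNT = Pattern.compile("\\d{1,7}(\\.\\d{2})?");

    /** Escape the characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Keep only the last four digits; null if the value is not 12 to 19 digits (assumed rule). */
    static String maskCard(String cc) {
        if (cc == null) return null;
        String digits = cc.replaceAll("[ -]", "");
        if (!digits.matches("\\d{12,19}")) return null;
        return "**** " + digits.substring(digits.length() - 4);
    }

    /** Build the confirmation page, or return null when a field fails validation. */
    static String render(String name, String amount, String cardNumber) {
        String masked = maskCard(cardNumber);
        if (name == null || name.trim().isEmpty() || amount == null
                || !AMOUNT.matcher(amount).matches() || masked == null) {
            // A servlet would answer response.sendError(HttpServletResponse.SC_BAD_REQUEST).
            return null;
        }
        String title = "Payment Servlet";
        return "<html><head><title>" + title + "</title></head><body>\n"
             + "<h1>" + title + "</h1>\n"
             + "<p>Hello " + escapeHtml(name) + "</p>\n"
             + "<p>Your card " + masked + " has been charged &euro;" + amount + "</p>\n"
             + "</body></html>";
    }

    public static void main(String[] args) {
        // Constructed inputs: an ordinary submission, markup in the name field,
        // and markup in the amount field.
        String[][] submissions = {
            {"Joe Random", "19.99", "4111 1111 1111 1111"},
            {"<script>alert(1)</script>", "19.99", "4111 1111 1111 1111"},
            {"Joe Random", "19.99<b>", "4111 1111 1111 1111"},
        };
        for (String[] s : submissions) {
            String page = render(s[0], s[1], s[2]);
            System.out.println(page == null ? "400 Bad Request" : page);
            System.out.println("----");
        }
    }
}
```

The second submission is rendered with the name shown as inert text, and the third is rejected before any HTML is produced.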

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.


HTTP and State

- Recall that HTTP is stateless
  - Server maintains no state about clients between successive HTTP requests
  - Statelessness is an attractive feature because it makes servers less vulnerable to client failures (and vice versa)
- However, state is useful
  - Maintain a history of previous invocations or visits
  - Correlate information from several requests
  - Trace users through a web site

HTTP and State

- State can take any form
  - In HTTP, typically one or more (name, value) pairs
- Short-term state can be encoded in a variety of ways
  - in URL to browser (URL rewriting)
  - in HTML documents served (hidden fields)
  - in cookies
- Long-term state can be encoded
  - Keep record of hosts/addresses in file
  - Stored in cookies

HTTP State: URL Rewriting

- Server stores state in URLs embedded in content
  - State encoded as GET-style HTTP parameters
  - Subsequent requests for those URLs will include the parameters
  - e.g. http://www.random.org/essay.php?id=212
- Server generates content dynamically
  - All local links in the content (page) are translated by the web server to include the specified state
  - e.g. parameter (name, value) pair 'id=212'

URL Rewriting Example

- The request to www.random.org

    GET /essay.php?id=212 HTTP/1.0

- Could result in the following page

    <html><head></head><body>
    <p>There is the <a href="users.php?id=212">users page</a>,
    there is the <a href="clients/?id=212">client archive</a>
    and we here at <a href="/?id=212">random.org</a>
    are grateful to <a href="http://www.tcd.ie/">Trinity College</a></p>
    </body></html>

- Note: Only local links are rewritten

URL Rewriting Example

- With URL rewriting you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g. Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
  - Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

- First form

    <form method="post" action="form-handler.php">
    <p>Enter your name: <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
    <p>Enter your age: <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed

Hidden Fields Pros and Cons

- Pros
  - State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  - Supported by all browsers, regardless of user's (cookie) preferences
- Cons
  - Requires forms, not suitable for plain links
  - Others

HTTP State: Cookies

- Cookies are
  - Small pieces of information
  - Sent by web servers to web clients
  - Stored by the clients
  - Read back by the server who sent the cookie
- Cookies are used to maintain state on the client side

HTTP State: Cookies

- Cookies are often used to store
  - User IDs and passwords
  - Info about preferences or start pages
  - Contents of shopping baskets
- But also for
  - User tracking within a web site
  - Building user profiles
  - Targeted marketing (advertising)

HTTP State: Cookies

- Cookies are set (by the server) via HTTP Response headers

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

- And sent back (by the client) via HTTP Request headers

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: / separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired
- Limitation: Cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

- First request

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

  Could mean "user 12 adds product 9828 to her shopping basket"

- Server response

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is:</p></body></html>

  7884 was in the basket already

Cookies Example

- Second request

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

- Third request

    GET / HTTP/1.0

- Fourth request

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'
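The three send conditions listed earlier, applied to the basket cookie and the requests from this example, as added code that is not part of the original slides. The class and method names are assumptions; path matching uses the segment-boundary rule of RFC 6265, the expiry time is read as UTC, the secure attribute is checked against an assumed request scheme, and the /bookstore, expired, plain-HTTP and other-host rows are constructed extras.

```java
import java.time.Instant;
import java.util.Locale;

/** Added example: deciding whether a stored cookie accompanies a request. */
public class CookieSendRules {

    /** One stored cookie with the attributes the server set. */
    static final class StoredCookie {
        final String name, value, domain, path;
        final Instant expires;   // null would mean a session cookie
        final boolean secure;

        StoredCookie(String name, String value, String domain, String path,
                     Instant expires, boolean secure) {
            this.name = name; this.value = value; this.domain = domain;
            this.path = path; this.expires = expires; this.secure = secure;
        }
    }

    /** Host matches when it equals the cookie domain or is a subdomain of it. */
    static boolean domainMatches(String host, String domain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = domain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return h.equals(d) || h.endsWith("." + d);
    }

    /** Prefix match that only succeeds on a path-segment boundary. */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Returns "send" or the first rule that withholds the cookie. */
    static String decide(StoredCookie c, String host, String path, boolean https, Instant now) {
        if (!domainMatches(host, c.domain)) return "withheld: domain mismatch";
        if (!pathMatches(path, c.path)) return "withheld: path mismatch";
        if (c.expires != null && !now.isBefore(c.expires)) return "withheld: expired";
        if (c.secure && !https) return "withheld: secure cookie on plain HTTP";
        return "send";
    }

    public static void main(String[] args) {
        // The cookie from the server response in the example above.
        StoredCookie basket = new StoredCookie("basket", "uid=12&pid=9828&pid=7884",
                "www.ammozon.com", "/books", Instant.parse("2005-11-23T14:42:12Z"), true);

        // Constructed clock values, one before and one after the expiry time.
        Instant before = Instant.parse("2005-11-20T12:00:00Z");
        Instant after = Instant.parse("2005-11-24T00:00:00Z");
        String host = "www.ammozon.com";

        Object[][] requests = {
            {host, "/books/special-offers.php", true, before},   // second request: send
            {host, "/", true, before},                           // third request: path mismatch
            {host, "/gnus", true, before},                       // fourth request: path mismatch
            {host, "/bookstore/index.php", true, before},        // shares a prefix, not a segment
            {host, "/books/special-offers.php", true, after},    // past the expiry time
            {host, "/books/special-offers.php", false, before},  // secure cookie, plain HTTP
            {"www.example.org", "/books/", true, before},        // different server
        };
        for (Object[] r : requests) {
            String verdict = decide(basket, (String) r[0], (String) r[1],
                    (Boolean) r[2], (Instant) r[3]);
            System.out.printf("%-16s %-26s https=%-5s -> %s%n", r[0], r[1], r[2], verdict);
        }
    }
}
```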

Cookies Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001 Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet. Labels: HTTP request, HTTP response, Servlet API.]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity



Page 22: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

HTTP State URL Rewriting

1048708 Server stores state in URLs embedded in content 1048708 State encoded as GET-style HTTP parameters 1048708 Subsequent requests for those URLs will include the

parameters 1048708 eg httpwwwrandomorgessayphpid=212

1048708 Server generates content dynamically 1048708 All local links in the content (page) are translated by

the web server to include the specified state 1048708 eg parameter (name value) pair lsquoid=212rsquo

URL Rewriting Example

1048708 The request to wwwrandomorgGET essayphpid=212 HTTP10

1048708 Could result in the following pagelthtmlgtltheadgtltheadgtltbodygtltpgtThere is the lta href=usersphpid=212gtuserspageltagt there is the lta href=clientsid=212gtclientarchiveltagt and we here at lta href=id=212gtrandomorgare grateful to lta href=httpwwwtcdiegtTrinityCollegeltagtltpgtltbodygt

1048708 Note Only local links are rewritten

URL Rewriting Example

1048708 With URL rewriting you need a way of creating the first URL Typically done via a login procedure using an HTML

form

1048708 If the server receives a request without parameters it returns a login form instead of the content

1048708 If the login form is submitted (and details validate) the server returns the first page with rewritten URLs

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

Third request:

    GET / HTTP/1.0

Fourth request:

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'
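
The sending conditions listed earlier, applied to the basket cookie and the requests from these slides, as an added example that is not part of the original lecture. It assumes RFC 6265-style domain and path matching, requests made over HTTPS (the cookie is marked secure) and a constructed clock value; the /booksellers request is an extra constructed case showing why path matching has to stop at a '/' boundary.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    expires: datetime
    secure: bool = False


def domain_matches(host: str, cookie_domain: str) -> bool:
    """True if the host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Prefix match that only succeeds on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # request_path is strictly longer than cookie_path at this point.
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def should_send(cookie: Cookie, url: str, now: datetime) -> bool:
    """Client-side checks: domain, path, expiry and the secure flag."""
    parts = urlsplit(url)
    return (
        domain_matches(parts.hostname or "", cookie.domain)
        and path_matches(parts.path or "/", cookie.path)
        and now < cookie.expires
        and (not cookie.secure or parts.scheme == "https")
    )


# The cookie from the server response in the slides.
BASKET = Cookie(
    name="basket",
    value="uid=12&pid=9828&pid=7884",
    domain="www.ammozon.com",
    path="/books",
    expires=datetime(2005, 11, 23, 14, 42, 12),
    secure=True,
)

# Constructed clock value: one day before the cookie expires.
NOW = datetime(2005, 11, 22, 14, 42, 12)

# Second, third and fourth requests from the slides, plus one constructed case.
REQUESTS = [
    "https://www.ammozon.com/books/special-offers.php",
    "https://www.ammozon.com/",
    "https://www.ammozon.com/gnus",
    "https://www.ammozon.com/booksellers",  # constructed: shares the prefix "/books"
]


def decisions(now: datetime = NOW) -> dict:
    """Map each sample URL to whether the basket cookie goes with the request."""
    return {url: should_send(BASKET, url, now) for url in REQUESTS}


if __name__ == "__main__":
    for url, sent in decisions().items():
        print(("send  " if sent else "skip  ") + url)
```
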

Cookies: Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
    - Can track every single movement of a user through a web site
    - Can be used to analyze (and improve) web sites
    - But also to build profiles of users
    - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 51, Jigsaw & others

Basic Servlet Interaction

[Figure: Basic Servlet Interaction. Labels: Web client, Web Server, Servlet, HTTP request, HTTP response, Servlet API]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
  - Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular, the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g., ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface
- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: servlet lifecycle over time. init, then service calls on Thread 1, Thread 2 and Thread 3, then destroy. Axis: Time]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

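Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {

        // Handles GET requests: reports the client's User-Agent and Referer headers.
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both headers are supplied by the client, so they are escaped before output.
            String ua = escapeHtml(request.getHeader("User-Agent"));
            String ref = escapeHtml(request.getHeader("Referer"));
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            out.println("<p>Your browser is " + ua + " and "
                    + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Replaces HTML metacharacters; a missing header becomes an empty string.
        private static String escapeHtml(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }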

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="servlets/pay">
    <input type="text" name="name" />
    <input type="text" name="amount" />
    <input type="text" name="cardnumber" />
    <input type="text" name="expirydate" />
    <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

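Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {

        // Handles the POST from the payment form.
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields arrive as request parameters and are client-controlled.
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello " + escapeHtml(n) + "</p>");
            out.println("<p>Your card " + escapeHtml(cc) + " has been charged &euro;"
                    + escapeHtml(a) + "</p>");
            out.println("</body></html>");
            out.close();
        }

        // Replaces HTML metacharacters; a missing parameter becomes an empty string.
        private static String escapeHtml(String s) {
            if (s == null) return "";
            return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                    .replace("\"", "&quot;").replace("'", "&#39;");
        }
    }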

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.

Page 23: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

URL Rewriting Example

- The request to www.random.org

      GET /essay.php?id=212 HTTP/1.0

- Could result in the following page

      <html><head></head><body>
      <p>There is the <a href="users.php?id=212">users page</a>, there is the
      <a href="clients?id=212">client archive</a>, and we here at
      <a href="?id=212">random.org</a> are grateful to
      <a href="http://www.tcd.ie">Trinity College</a></p>
      </body></html>

- Note: Only local links are rewritten

URL Rewriting Example

- With URL rewriting, you need a way of creating the first URL
  - Typically done via a login procedure using an HTML form
- If the server receives a request without parameters, it returns a login form instead of the content
- If the login form is submitted (and details validate), the server returns the first page with rewritten URLs

URL Rewriting

- With URL rewriting, the hyperlinks are personalised
- Support for URL rewriting in some technologies for dynamic content generation
  - e.g., Java Servlets: HttpServletResponse.encodeURL()

URL Rewriting: Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting: Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g., a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
  - Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

First form:

    <form method="post" action="form-handler.php">
    <p>Enter your name <input type="text" name="user" /></p>
    <input type="hidden" name="stage" value="1" />
    <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
    <p>Enter your age <input type="text" name="age" /></p>
    <input type="hidden" name="stage" value="2" />
    <input type="hidden" name="user" value="Joe Random" />
    <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed
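
State that the server writes into hidden fields comes back from the browser as ordinary, client-controlled form data. The following added example (not part of the original slides) attaches an HMAC to the hidden state of the second form and checks it on submission; the key, the `mac` field name, the function names and the JSON encoding are assumptions of this example.

```python
import hashlib
import hmac
import html
import json

# Hypothetical server-side secret, constructed for this example.
SERVER_KEY = b"constructed-example-key"

# Names of the hidden fields that carry state between forms.
STATE_FIELDS = ("stage", "user")


def sign_state(state: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the state fields.

    The MAC detects modification only: it does not hide the values and does
    not stop an old, validly signed form from being submitted again.
    """
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def render_hidden_fields(state: dict) -> str:
    """Emit the hidden inputs for the next form, plus a 'mac' field."""
    fields = {name: str(state[name]) for name in STATE_FIELDS}
    fields["mac"] = sign_state(dict(fields))
    return "\n".join(
        '<input type="hidden" name="{}" value="{}" />'.format(
            html.escape(name, quote=True), html.escape(value, quote=True)
        )
        for name, value in fields.items()
    )


def verify_submission(form: dict) -> dict:
    """Return the state fields if the MAC matches, else raise ValueError."""
    state = {name: str(form.get(name, "")) for name in STATE_FIELDS}
    expected = sign_state(state).encode("ascii")
    supplied = str(form.get("mac", "")).encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected, supplied):
        raise ValueError("hidden-field state failed integrity check")
    return state


def accepts(form: dict) -> bool:
    """Convenience wrapper: True if the submission passes verification."""
    try:
        verify_submission(form)
        return True
    except ValueError:
        return False


# Constructed submission of the second form from the slides.
STATE = {"stage": "2", "user": "Joe Random"}
GOOD_FORM = {"stage": "2", "user": "Joe Random", "age": "30", "mac": sign_state(STATE)}
# The same submission with the stage value changed on the client.
ALTERED_FORM = dict(GOOD_FORM, stage="3")

if __name__ == "__main__":
    print(render_hidden_fields(STATE))
    print("unmodified form accepted:", accepts(GOOD_FORM))
    print("altered form accepted:", accepts(ALTERED_FORM))
```
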


Page 24: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800


Page 25: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

URL Rewriting

1048708 With URL rewriting the hyperlinks are personalised

1048708 Support for URL rewriting in some technologies for dynamic content generation

1048708 eg Java ServletsHttpServletResponseencodeURL()

URL Rewriting Advantages

URL rewriting works just about everywhere especially when cookies are turned off

Multiple simultaneous sessions are possible for a single user Session information is local to each browser instance

since it is stored in URLs in each page being displayed

1048708 Entirely static pages cannot be used with URL rewriting since every link must be dynamically written with the session state

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket".

Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

(7884 was in the basket already.)

Cookies Example

Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

Third request:

    GET / HTTP/1.0

Fourth request:

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'.

Cookies: Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State: Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
  - Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Basic Servlet Interaction. Labels: Web client, Web Server, Servlet, Servlet API, HTTP request, HTTP response]

Java Servlets

- Servlets can be used to extend web servers in a modular fashion
  - Extra functionality is kept outside the web server core
  - Increased web server reliability
  - Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

- A servlet is an instance of a class implementing the javax.servlet.Servlet interface
- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: Example Servlet Lifecycle. init, followed by service calls running in Thread 1, Thread 2 and Thread 3, followed by destroy; horizontal axis: Time]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        // Handles GET requests: reports two request headers back in an HTML page
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both header values are supplied by the client and may be null
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");

            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // The header values are written into the page as received, without HTML encoding
            out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="servlets/pay">
      <input type="text" name="name" />
      <input type="text" name="amount" />
      <input type="text" name="cardnumber" />
      <input type="text" name="expirydate" />
      <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        // Handles the POST submitted by the payment form
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields, as submitted by the client
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here

            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // The submitted values are written into the page as received
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged €" + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }
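A hardened variant of the payment servlet, added here as an illustration and not part of the original slides. The slide version writes request parameters into the HTML unencoded and echoes the full card number; this one validates the input, HTML-encodes the name and shows only the last four digits. The class name PayServlet and the helpers escapeHtml, maskCard and parseAmount are assumptions of this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.math.BigDecimal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the slides); class and helper names are hypothetical.
public class PayServlet extends HttpServlet {

    /** Encode the HTML-significant characters so user input is rendered as text. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Mask all but the last four digits; returns null if the value is not a card number. */
    static String maskCard(String cc) {
        if (cc == null) {
            return null;
        }
        String digits = cc.replaceAll("[ -]", "");
        if (!digits.matches("\\d{12,19}")) {
            return null;
        }
        return "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4);
    }

    /** Accept a positive amount with at most two decimals; returns null otherwise. */
    static BigDecimal parseAmount(String a) {
        if (a == null || !a.matches("\\d{1,7}(\\.\\d{1,2})?")) {
            return null;
        }
        BigDecimal v = new BigDecimal(a);
        return v.signum() > 0 ? v : null;
    }

    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String name = request.getParameter("name");
        String masked = maskCard(request.getParameter("cardnumber"));
        BigDecimal amount = parseAmount(request.getParameter("amount"));

        if (name == null || name.isEmpty() || masked == null || amount == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid payment details");
            return;
        }
        // The credit card transaction itself is left out, as on the slide.

        response.setContentType("text/html; charset=UTF-8");
        response.setHeader("Cache-Control", "no-store"); // keep the confirmation out of caches
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Payment Servlet</title></head><body>");
        out.println("<h1>Payment Servlet</h1>");
        out.println("<p>Hello " + escapeHtml(name) + "</p>");
        out.println("<p>Your card " + masked + " has been charged &euro;"
                + amount.toPlainString() + "</p>");
        out.println("</body></html>");
    }

    // doGet is deliberately not overridden: the inherited HttpServlet.doGet rejects
    // GET requests, so card data cannot be submitted in a URL query string.
}
```

The same escapeHtml call applies to the User-Agent and Referer values in Servlet Example 1, which are also supplied by the client.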

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.


URL Rewriting: Advantages

- URL rewriting works just about everywhere, especially when cookies are turned off
- Multiple simultaneous sessions are possible for a single user
  - Session information is local to each browser instance, since it is stored in URLs in each page being displayed
- Entirely static pages cannot be used with URL rewriting, since every link must be dynamically written with the session state

URL Rewriting: Disadvantages

- Every URL on a page which needs the session information must be rewritten each time a page is served
  - Computationally expensive
  - Can increase communication overhead
- State stored in URLs is not persistent
- Can make sharing of URLs difficult
- URL rewriting limits the client's interaction with the server to HTTP GET requests
  - Unless used in combination with hidden fields

HTTP State: Hidden Fields

- If the content contains forms (e.g. a multi-form questionnaire), state can be saved in the form(s)
  - Special 'hidden' form fields, not displayed by the browser
  - Parameters encoded by the browser in the same way as for ordinary fields

Hidden Fields Example

First form:

    <form method="post" action="form-handler.php">
      <p>Enter your name <input type="text" name="user" /></p>
      <input type="hidden" name="stage" value="1" />
      <input type="submit" value="Next" />
    </form>

- Server encodes the state (including values submitted by the user) in the second form:

    <form method="post" action="form-handler.php">
      <p>Enter your age <input type="text" name="age" /></p>
      <input type="hidden" name="stage" value="2" />
      <input type="hidden" name="user" value="Joe Random" />
      <input type="submit" value="Next" />
    </form>

- When at the last stage, all data is processed
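Hidden fields are returned by the browser and can be edited by the user, so the server cannot assume that stage and user come back as it wrote them. One way to detect changes, shown as an added example that is not part of the original slides, is an extra hidden field carrying an HMAC over the state; the class SignedFormState, the hidden field name mac and the sample values are assumptions.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not from the slides); class, method and field names are hypothetical.
public class SignedFormState {

    private final SecretKeySpec key;

    SignedFormState(byte[] secret) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
    }

    /**
     * Compute the tag the server places in a hidden "mac" field next to
     * "stage" and "user". Each field is length-prefixed so that the pairs
     * ("2", "1Joe") and ("21", "Joe") produce different MAC inputs.
     */
    String sign(String stage, String user) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        for (String field : new String[] {stage, user}) {
            byte[] bytes = field.getBytes(StandardCharsets.UTF_8);
            mac.update(ByteBuffer.allocate(4).putInt(bytes.length).array());
            mac.update(bytes);
        }
        return Base64.getUrlEncoder().withoutPadding().encodeToString(mac.doFinal());
    }

    /** Recompute the tag over the submitted fields and compare in constant time. */
    boolean verify(String stage, String user, String submittedTag)
            throws GeneralSecurityException {
        if (stage == null || user == null || submittedTag == null) {
            return false;
        }
        byte[] expected = sign(stage, user).getBytes(StandardCharsets.US_ASCII);
        byte[] given = submittedTag.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Server-side secret; generated here for the demo, never sent to the client
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedFormState state = new SignedFormState(secret);

        // Server renders the second form with stage=2, user=Joe Random and this tag
        String tag = state.sign("2", "Joe Random");
        System.out.println("hidden mac field: " + tag);

        // Values as they might come back in the next POST (constructed samples)
        System.out.println("unchanged:     " + state.verify("2", "Joe Random", tag));
        System.out.println("user altered:  " + state.verify("2", "Jane Random", tag));
        System.out.println("stage altered: " + state.verify("3", "Joe Random", tag));
        System.out.println("tag missing:   " + state.verify("2", "Joe Random", null));
    }
}
```

The tag shows that the fields are unchanged, not that they are fresh; binding it to a server-side session or an expiry time is a separate step.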

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 27: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

URL Rewriting Disadvantages

1048708 Every URL on a page which needs the session information must be rewritten each time a page is served 1048708 Computationally expensive 1048708 Can increase communication overhead

1048708 State stored in URLs is not persistent 1048708 Can make sharing of URLs difficult 1048708 URL rewriting limits the clients interaction with

the server to HTTP GET requests 1048708 Unless used in combination with hidden fields

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 28: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

HTTP State Hidden Fields

If the content contains forms (eg a multi-form questionnaire) state can be saved in the form(s) 1048708 Special lsquohiddenrsquo form fields not displayed by

the browser Parameters encoded by the browser in the

same way as for ordinary fields

Hidden Fields Example

First formltform method=post action=form-handlerphpgtltpgtEnter your nameltinput type=text name=user gtltpgt ltinput type=hidden name=stage value=1 gtltinput type=submit value=Next gtltformgt

1048708 Server encodes the state (including values submitted by the user) in the second form

ltform method=post action=form-handlerphpgtltpgtEnter your ageltinput type=text name=age gtltpgt ltinput type=hidden name=stage value=2 gt ltinput

type=hidden name=user value=Joe Random gtltinput type=submit value=Next gtltformgt

1048708 When at the last stage all data is processed

Hidden Fields Pros and Cons

Pros 1048708 State processing on the server side easier

than URL rewriting hidden fields simply treated as ordinary fields

1048708 Supported by all browsers regardless of userrsquos (cookie) preferences

1048708 Cons 1048708 Requires forms not suitable for plain links 1048708 Others

HTTP State Cookies

1048708 Cookies are 1048708 Small pieces of information 1048708 Sent by web servers to web clients 1048708 Stored by the clients 1048708 Read back by the server who sent the cookie

1048708 Cookies are used to maintain state on the client side

HTTP State Cookies

1048708 Cookies are often used to store 1048708 User IDs and passwords 1048708 Info about preferences or start pages 1048708 Contents of shopping baskets

1048708 But also for 1048708 User tracking within a web site 1048708 Building user profiles 1048708 Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

Set-Cookie NAME=VALUE expires=DATEpath=PATH domain=DOMAIN_NAME secure

And sent back (by the client) via HTTP Request headers

Cookie NAME=VALUE NAME=VALUE

Date format DAY DD-MMM-YYYY HHMMSS Path format separated Domain format hostnamesubdomaintld

HTTP State Cookies

1048708 A client will send along a cookie with an HTTP request provided that The server host name from the URL matches the

domain for the cookie The path name from the URL matches the path for the

cookie The cookie has not expired

Limitation Cookies are bound to the server that originally set them Limits cookies within that server domain

Cookies Example

First requestPOST basket-addphp HTTP10uid=12amppid=9828

Could mean ldquouser 12 adds product 9828 to her shopping basketrdquo

Server responseHTTP10 200 OKSet-Cookie basket=uid=12amppid=9828amppid=7884expires=Tuesday 23-11-2005 144212path=books domain=wwwammozoncom securelthtmlgtltbodygtltpgtThe content of your shopping basketisltpgtltbodygtlthtmlgt

7884 was in the basket already

Cookies Example

Second requestGET booksspecial-offersphp HTTP10Cookie uid=12amppid=9828amppid=7884

1048708 Third requestGET HTTP10

1048708 Fourth requestGET gnus HTTP10

No cookies are sent because the paths lsquorsquo and lsquognusrsquo do not match lsquobooksrsquo

Cookies Pros and Cons

1048708 Pros 1048708 Highly transparent to user 1048708 Avoids server getting clogged with state 1048708 Great for personalizing content

1048708 Cons 1048708 Specific to the computer not the user 1048708 Privacy issues

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

• Most servlets extend one of the two classes
  • javax.servlet.GenericServlet
  • javax.servlet.http.HttpServlet
• The servlet API includes these methods
  • init() is called when the servlet is loaded
  • service() processes requests (concurrently)
  • destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: Example Servlet Lifecycle. Along the Time axis: init, then service calls running on Thread 1, Thread 2 and Thread 3, then destroy]

Servlet API

The service() method dispatches service requests to one of four methods
• doGet, doPut, doPost, doDelete
• These methods are passed two parameters
  • One of type HttpServletRequest
  • One of type HttpServletResponse
• The parameters are objects that can be invoked to
  • Read info about the HTTP request
  • Generate the HTTP response
• Sessions are maintained via HttpSession objects
  • Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both headers are supplied by the client and may be absent (null)
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // The header values are written into the page without HTML encoding
            out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="servlets/pay">
      <input type="text" name="name" />
      <input type="text" name="amount" />
      <input type="text" name="cardnumber" />
      <input type="text" name="expirydate" />
      <input type="submit" value="Pay" />
    </form>

• Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields, read by the names used in the form above
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // The submitted values are written into the page without HTML encoding
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged &euro;" + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet API

• ServletRequest/HttpServletRequest
  • getInputStream
  • getProtocol
  • getRemoteAddr
  • getHeader
  • getMethod
  • getQueryString
  • getRemoteUser
  • getSession
  • etc.

Servlet API

• ServletResponse/HttpServletResponse
  • getOutputStream
  • setContentType
  • getWriter
  • sendRedirect
  • etc.

Hidden Fields Example

First form:

    <form method="post" action="form-handler.php">
      <p>Enter your name <input type="text" name="user" /></p>
      <input type="hidden" name="stage" value="1" />
      <input type="submit" value="Next" />
    </form>

• Server encodes the state (including values submitted by the user) in the second form

    <form method="post" action="form-handler.php">
      <p>Enter your age <input type="text" name="age" /></p>
      <input type="hidden" name="stage" value="2" />
      <input type="hidden" name="user" value="Joe Random" />
      <input type="submit" value="Next" />
    </form>

• When at the last stage, all data is processed

Hidden Fields Pros and Cons

• Pros
  • State processing on the server side easier than URL rewriting: hidden fields simply treated as ordinary fields
  • Supported by all browsers, regardless of user's (cookie) preferences
• Cons
  • Requires forms; not suitable for plain links
  • Others

HTTP State Cookies

• Cookies are
  • Small pieces of information
  • Sent by web servers to web clients
  • Stored by the clients
  • Read back by the server who sent the cookie
• Cookies are used to maintain state on the client side

HTTP State Cookies

• Cookies are often used to store
  • User IDs and passwords
  • Info about preferences or start pages
  • Contents of shopping baskets
• But also for
  • User tracking within a web site
  • Building user profiles
  • Targeted marketing (advertising)

HTTP State Cookies

Cookies are set (by the server) via HTTP Response headers

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

And sent back (by the client) via HTTP Request headers

    Cookie: NAME=VALUE; NAME=VALUE

• Date format: DAY, DD-MMM-YYYY HH:MM:SS
• Path format: / separated
• Domain format: hostname.subdomain.tld

HTTP State Cookies

• A client will send along a cookie with an HTTP request provided that
  • The server host name from the URL matches the domain for the cookie
  • The path name from the URL matches the path for the cookie
  • The cookie has not expired
• Limitation
  • Cookies are bound to the server that originally set them
  • Limits cookies within that server domain

Cookies Example

First request:

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket"

Server response:

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

7884 was in the basket already

Cookies Example

Second request:

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

• Third request:

    GET / HTTP/1.0

• Fourth request:

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'

Cookies Pros and Cons

• Pros
  • Highly transparent to user
  • Avoids server getting clogged with state
  • Great for personalizing content
• Cons
  • Specific to the computer, not the user
  • Privacy issues

HTTP State Cookies

• Seemingly innocent
  • Originally designed by Netscape as a simple way of letting users identify themselves
  • Has many uses
• Also less friendly to users
  • Privacy Issues
  • Can track every single movement of a user through a web site
  • Can be used to analyze (and improve) web sites
  • But also to build profiles of users
  • Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet; labels: HTTP request, HTTP response, Servlet API]

Java Servlets

Servlets can be used to extend web servers in a modular fashion

- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular, the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

- Servlets work with three types of objects
  - Requests
  - Responses
  - Sessions
- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: timeline (axis: Time) showing init, then service calls spread across Thread 1, Thread 2 and Thread 3, then destroy]

Servlet API

- The service() method dispatches service requests to one of four methods
  - doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object

Servlet Example 1

    import java.io.*;
    import javax.servlet.*;
    import javax.servlet.http.*;

    public class Hello extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Snoop Servlet";
            // Both headers are supplied by the client and may be null or arbitrary text.
            String ua = request.getHeader("User-Agent");
            String ref = request.getHeader("Referer");
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            out.println("<p>Hello</p>");
            // Note: ua and ref are written into the page without HTML escaping.
            out.println("<p>Your browser is " + ua + " and " + "you got here via " + ref + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet Example 2

Consider the following form, used on a site accepting payment via credit cards:

    <form method="post" action="/servlets/pay">
      <input type="text" name="name" />
      <input type="text" name="amount" />
      <input type="text" name="cardnumber" />
      <input type="text" name="expirydate" />
      <input type="submit" value="Pay" />
    </form>

- Would we want to use this with a GET request? Why or why not?

Servlet Example 2

    // imports omitted
    public class Hello extends HttpServlet {
        public void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            PrintWriter out;
            String title = "Payment Servlet";
            // Form fields arrive as request parameters, named as in the form above.
            String n = request.getParameter("name");
            String a = request.getParameter("amount");
            String cc = request.getParameter("cardnumber");
            String ed = request.getParameter("expirydate");
            // TODO: credit card transaction here
            response.setContentType("text/html");
            out = response.getWriter();
            out.println("<html><head><title>");
            out.println(title);
            out.println("</title></head><body>");
            out.println("<h1>" + title + "</h1>");
            // Note: n, cc and a are written into the page unvalidated and unescaped,
            // and the full card number is echoed back.
            out.println("<p>Hello " + n + "</p>");
            out.println("<p>Your card " + cc + " has been charged &euro;" + a + "</p>");
            out.println("</body></html>");
            out.close();
        }
    }

Servlet API

- ServletRequest/HttpServletRequest
  - getInputStream
  - getProtocol
  - getRemoteAddr
  - getHeader
  - getMethod
  - getQueryString
  - getRemoteUser
  - getSession
  - etc.

Servlet API

- ServletResponse/HttpServletResponse
  - getOutputStream
  - setContentType
  - getWriter
  - sendRedirect
  - etc.


HTTP State: Cookies

Cookies are set (by the server) via HTTP Response headers

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

And sent back (by the client) via HTTP Request headers

    Cookie: NAME=VALUE; NAME=VALUE

- Date format: DAY, DD-MMM-YYYY HH:MM:SS
- Path format: / separated
- Domain format: hostname.subdomain.tld

HTTP State: Cookies

- A client will send along a cookie with an HTTP request provided that
  - The server host name from the URL matches the domain for the cookie
  - The path name from the URL matches the path for the cookie
  - The cookie has not expired
- Limitation: cookies are bound to the server that originally set them
  - Limits cookies within that server domain

Cookies Example

First request

    POST /basket-add.php HTTP/1.0

    uid=12&pid=9828

Could mean "user 12 adds product 9828 to her shopping basket"

Server response

    HTTP/1.0 200 OK
    Set-Cookie: basket=uid=12&pid=9828&pid=7884; expires=Tuesday, 23-11-2005 14:42:12; path=/books; domain=www.ammozon.com; secure

    <html><body><p>The content of your shopping basket is</p></body></html>

7884 was in the basket already

Cookies Example

Second request

    GET /books/special-offers.php HTTP/1.0
    Cookie: uid=12&pid=9828&pid=7884

Third request

    GET / HTTP/1.0

Fourth request

    GET /gnus HTTP/1.0

No cookies are sent because the paths '/' and '/gnus' do not match '/books'
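The send rules and the four requests above can be checked with a small client-side model. This is an added example, not code from the slides: CookieJarDemo and its methods are hypothetical names, the path test uses the boundary-aware match of RFC 6265 rather than a bare prefix test, the secure attribute is treated as "HTTPS only", and the expiry is read as UTC. The request times and the extra /booksale and plain-HTTP cases are constructed.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class CookieJarDemo {

    /** One stored cookie with the attributes of the slide's Set-Cookie header (Java 16+ record). */
    record StoredCookie(String name, String value, String domain, String path,
                        Instant expires, boolean secure) {}

    /** Rule 1: the host equals the cookie domain or is a subdomain of it. */
    static boolean domainMatches(String host, String cookieDomain) {
        String h = host.toLowerCase(Locale.ROOT);
        String d = cookieDomain.toLowerCase(Locale.ROOT);
        if (d.startsWith(".")) d = d.substring(1);
        return h.equals(d) || h.endsWith("." + d);
    }

    /** Rule 2: "/books" covers "/books" and "/books/x" but not "/booksale". */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) return true;
        if (!requestPath.startsWith(cookiePath)) return false;
        // requestPath is strictly longer here, so charAt() is in range
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Rules 1-3 from the slide plus the secure attribute. */
    static boolean shouldSend(StoredCookie c, String host, String path,
                              boolean https, Instant now) {
        return domainMatches(host, c.domain())
            && pathMatches(path, c.path())
            && now.isBefore(c.expires())     // rule 3: not expired
            && (!c.secure() || https);       // secure cookies never travel over plain HTTP
    }

    /** Build the Cookie request header, or return null when no cookie qualifies. */
    static String cookieHeader(List<StoredCookie> jar, String host, String path,
                               boolean https, Instant now) {
        List<String> pairs = new ArrayList<>();
        for (StoredCookie c : jar) {
            if (shouldSend(c, host, path, https, now)) {
                pairs.add(c.name() + "=" + c.value());
            }
        }
        return pairs.isEmpty() ? null : "Cookie: " + String.join("; ", pairs);
    }

    public static void main(String[] args) {
        // Cookie from the slide's server response; expiry assumed to be UTC.
        List<StoredCookie> jar = List.of(new StoredCookie(
            "basket", "uid=12&pid=9828&pid=7884", "www.ammozon.com", "/books",
            Instant.parse("2005-11-23T14:42:12Z"), true));

        Instant before = Instant.parse("2005-11-01T00:00:00Z"); // constructed request time
        Instant after  = Instant.parse("2005-12-01T00:00:00Z"); // constructed, past expiry
        String host = "www.ammozon.com";

        // Second, third and fourth requests from the slides, assumed to use HTTPS.
        System.out.println(cookieHeader(jar, host, "/books/special-offers.php", true, before));
        System.out.println(cookieHeader(jar, host, "/", true, before));        // null
        System.out.println(cookieHeader(jar, host, "/gnus", true, before));    // null
        // Constructed edge cases: path boundary, expiry, plain HTTP.
        System.out.println(cookieHeader(jar, host, "/booksale", true, before));                  // null
        System.out.println(cookieHeader(jar, host, "/books/special-offers.php", true, after));   // null
        System.out.println(cookieHeader(jar, host, "/books/special-offers.php", false, before)); // null
    }
}
```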

Cookies Pros and Cons

- Pros
  - Highly transparent to user
  - Avoids server getting clogged with state
  - Great for personalizing content
- Cons
  - Specific to the computer, not the user
  - Privacy issues

HTTP State Cookies

- Seemingly innocent
  - Originally designed by Netscape as a simple way of letting users identify themselves
  - Has many uses
- Also less friendly to users
  - Privacy issues
  - Can track every single movement of a user through a web site
  - Can be used to analyze (and improve) web sites
  - But also to build profiles of users
  - Try surfing with cookie warnings enabled

Dynamic Content

- HTML in Code
  - CGI scripts (any language)
  - Java Servlets
  - AOLServer's TCL support
- Code in HTML
  - Java Server Pages (JSP)
  - Microsoft Active Server Pages (ASP)
  - PHP: Hypertext Preprocessor (PHP)
  - AOLServer Dynamic Pages (ADP)
  - mod_perl
- Others

Java Servlets

- Java on the server side
- Request/response based API
- More efficient than CGI
  - Loaded once, stays resident
  - Multiple requests = multiple threads
- Java Servlet Development Kit (JSDK)
- Java Servlet API Specification v2.3
  - August 2001: Final Version
  - Implemented by Tomcat 5.1, Jigsaw & others

Basic Servlet Interaction

[Figure: Web client, Web Server and Servlet; labels: HTTP request, HTTP response, Servlet API]

Java Servlets

Servlets can be used to extend web servers in a modular fashion

- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity

Java Servlets

- Servlets can use the entire Java language
  - In particular the Java Database Connectivity (JDBC) API
- Standard API means
  - Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
  - This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects:

- Requests
- Responses
- Sessions

- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content
- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet
- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: timeline (axis: Time) showing init, then service calls on Thread 1, Thread 2 and Thread 3, then destroy]
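Because one resident servlet instance serves every request and service() runs concurrently, anything kept in an instance field is shared between users. The following added example (not from the slides; plain Java with hypothetical class names, so it runs without a servlet container) forces two overlapping requests through one handler instance to contrast an instance field with a local variable.

```java
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SharedServletState {

    /** Stand-in for a servlet: the container creates one instance and reuses it. */
    interface Handler {
        String service(String cardParam, CyclicBarrier bothParsed) throws Exception;
    }

    /** Keeps per-request data in an instance field, so all request threads share it. */
    static class UnsafeHandler implements Handler {
        // volatile only makes this demonstration deterministic; it does not make sharing safe.
        private volatile String card;

        public String service(String cardParam, CyclicBarrier bothParsed) throws Exception {
            card = cardParam;               // "parse the request"
            bothParsed.await();             // force the overlap that load produces by chance
            return "charged card " + card;  // may now hold the other request's value
        }
    }

    /** Keeps per-request data in a local variable, which is private to the thread. */
    static class SafeHandler implements Handler {
        public String service(String cardParam, CyclicBarrier bothParsed) throws Exception {
            String card = cardParam;
            bothParsed.await();
            return "charged card " + card;
        }
    }

    /** Sends two overlapping requests to one handler instance and returns both responses. */
    static String[] twoRequests(Handler handler) throws Exception {
        CyclicBarrier barrier = new CyclicBarrier(2);
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            // Constructed sample values standing in for two customers' card numbers.
            Future<String> first = pool.submit(() -> handler.service("ending 1111", barrier));
            Future<String> second = pool.submit(() -> handler.service("ending 2222", barrier));
            return new String[] { first.get(), second.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] unsafe = twoRequests(new UnsafeHandler());
        String[] safe = twoRequests(new SafeHandler());
        // Unsafe: both responses name the same card, so one customer sees the other's data.
        System.out.println("instance field: " + unsafe[0] + " | " + unsafe[1]);
        // Safe: each response names the card sent with that request.
        System.out.println("local variable: " + safe[0] + " | " + safe[1]);
    }
}
```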

Servlet API

The service() method dispatches service requests to one of four methods:

- doGet, doPut, doPost, doDelete
- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse
- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response
- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object


Page 38: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

HTTP State Cookies

1048708 Seemingly innocent 1048708 Originally designed by Netscape as a simple way of

letting users identify themselves 1048708 Has many uses

1048708 Also less friendly to users 1048708 Privacy Issues

1048708 Can track every single movement of a user through a web site

1048708 Can be used to analyze (and improve) web sites 1048708 But also to build profiles of users 1048708 Try surfing with cookie warnings enabled

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 39: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Dynamic Content

1048708 HTML in Code 1048708 CGI scripts (any language) 1048708 Java Servlets 1048708 AOLServerrsquos TCL support

1048708 Code in HTML 1048708 Java Server Pages (JSP) 1048708 Microsoft Active Server Pages (ASP) 1048708 PHP Hypertext Preprocessor (PHP) 1048708 AOLServer Dynamic Pages (ADP) 1048708 mod_perl

1048708 Others

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 40: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Java Servlets

1048708 Java on the server side 1048708 Requestresponse based API

1048708 More efficient than CGI 1048708 Loaded once stays resident 1048708 Multiple requests = multiple threads

1048708 Java Servlet Development Kit (JSDK)1048708 Java Servlet API Specification v23

1048708 August 2001 Final Version 1048708 Implemented by Tomcat 51 Jigsaw amp others

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 41: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Basic Servlet Interaction

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc

Page 42: Generating Dynamic Content for the Web University of Georgia CSCI 4800/6800

Basic Servlet Interaction

Web client

Servlet

Web Server

HTTP request

HTTP response

Servlet API

Java Servlets

Servlets can be used to extend web servers in a modular fashion

1048708 Extra functionality are kept outside the web server core 1048708 Increased web server reliability 1048708 Increased modularity

Java Servlets

Servlets can use the entire Java language 1048708 In particular the Java Database Connectivity

(JDBC) APIStandard API means

1048708 Servlets once written can be used with any web server implementing the Java Servlet API

1048708 Apache iPlanet Microsoft IIS etc 1048708 This is an advantage over some other server-

side languages (eg ASP) which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects 1048708 Requests 1048708 Responses 1048708 Sessions

1048708 Request objects 1048708 Methods to parse out namevalue parameters 1048708 HTTP request header fields available

Servlet Basics

1048708 Response objects 1048708 Can set HTTP response status codes and

content

1048708 HTTP session objects 1048708 Methods to identify requests from same client 1048708 Implemented with cookies 1048708 Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javaxservletServlet interface

1048708 Most servlets extend one of the two classes 1048708 javaxservletGenericServlet 1048708 javaxservlethttpHttpServlet

1048708 The servlet API include these methods 1048708 init() is called when the servlet is loaded 1048708 service() processes requests (concurrently) 1048708 destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

init

service

service

serviceservice

serviceservice

service

service

Thread 1 Thread 2 Thread 3

destroy

Time

Servlet API

The service() method dispatches service requests to one of four methods 1048708 doGet doPut doPost doDelete

1048708 These methods are passed two parameters 1048708 One of type HttpServletRequest 1048708 One of type HttpServletResponse

1048708 The parameters are objects that can be invoked to 1048708 Read info about the HTTP request 1048708 Generate the HTTP response

1048708 Sessions are maintained via HttpSession objects 1048708 Accessed via the HttpServletRequest object

Servlet Example 1import javaioimport javaxservletimport javaxservlethttppublic class Hello extends HttpServletpublic void doGet (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Snoop ServletString ua = requestgetHeader(User-Agent)String ref = requestgetHeader(Referer)responsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHelloltpgt)outprintln(ltpgtYour browser is + ua + and + you got here via + ref + ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet Example 2

Consider the following form used on a site accepting payment via credit cards

ltform method=ldquopostrdquo action=ldquoservletspayrdquogtltinput type=ldquotextrdquo name=ldquonamerdquo gtltinput type=ldquotextrdquo name=ldquoamountrdquo gtltinput type=ldquotextrdquo name=ldquocardnumberrdquo gtltinput type=ldquotextrdquo name=ldquoexpirydaterdquo gtltinput type=ldquosubmitrdquo value=ldquoPayrdquo gtltformgt

1048708 Would we want to use this with a GET request Why or why not

Servlet Example 2 imports omittedpublic class Hello extends HttpServletpublic void doPost (HttpServletRequest requestHttpServletResponse response)throws ServletException IOExceptionPrintWriter outString title = Payment ServletString n = requestgetParameter(name)String a = requestgetParameter(amount)String cc = requestgetParameter(cardnumber)String ed = requestgetParameter(expirydate) TODO credit card transaction hereresponsesetContentType(texthtml)out = responsegetWriter()outprintln(lthtmlgtltheadgtlttitlegt)outprintln(title)outprintln(lttitlegtltheadgtltbodygt)outprintln(lth1gt + title + lth1gt)outprintln(ltpgtHello + n + ltpgt)outprintln(ltpgtYour card + cc + has been charged euro + a ltpgt)outprintln(ltbodygtlthtmlgt)outclose()

Servlet API

1048708 ServletRequestHttpServletRequest 1048708 getInputStream 1048708 getProtocol 1048708 getRemoteAddr 1048708 getHeader 1048708 getMethod 1048708 getQueryString 1048708 getRemoteUser 1048708 getSession 1048708 etc

Servlet API

1048708 ServletResponseHttpServletResponse 1048708 getOutputStream 1048708 setContentType 1048708 getWriter 1048708 sendRedirect 1048708 etc


Java Servlets

Servlets can be used to extend web servers in a modular fashion

- Extra functionality is kept outside the web server core
- Increased web server reliability
- Increased modularity

Java Servlets

Servlets can use the entire Java language
- In particular, the Java Database Connectivity (JDBC) API

Standard API means
- Servlets, once written, can be used with any web server implementing the Java Servlet API
  - Apache, iPlanet, Microsoft IIS, etc.
- This is an advantage over some other server-side languages (e.g. ASP), which are (often) bound to a particular server

Servlet Basics

Servlets work with three types of objects:
- Requests
- Responses
- Sessions

- Request objects
  - Methods to parse out name/value parameters
  - HTTP request header fields available

Servlet Basics

- Response objects
  - Can set HTTP response status codes and content

- HTTP session objects
  - Methods to identify requests from same client
  - Implemented with cookies
  - Unique identifier allocated for each session

Servlet API and Lifecycle

A servlet is an instance of a class implementing the javax.servlet.Servlet interface

- Most servlets extend one of the two classes
  - javax.servlet.GenericServlet
  - javax.servlet.http.HttpServlet

- The servlet API includes these methods
  - init() is called when the servlet is loaded
  - service() processes requests (concurrently)
  - destroy() is called when the servlet is unloaded

Example Servlet Lifecycle

[Figure: servlet lifecycle along a Time axis: init, then service calls running on Thread 1, Thread 2 and Thread 3, then destroy]
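Because service() runs concurrently on one servlet instance, as the lifecycle figure shows, any per-request value stored in an instance field is shared by all clients. The following added example, which is not part of the original slides, forces that interleaving with two threads: the handler that keeps the user name in a field returns the other client's name to the paused request, while the handler that uses a local variable does not. Handler, FieldHandler and LocalHandler are hypothetical stand-ins for a servlet and use only the JDK.

```java
import java.util.concurrent.CountDownLatch;

// Added example, not from the slides. Handler stands in for a servlet: the
// container creates ONE instance and calls service() on it from many threads.
public class SharedStateDemo {

    interface Handler {
        /** pause runs between storing the request data and building the reply. */
        String handle(String user, Runnable pause);
    }

    /** Keeps per-request data in an instance field: shared by every thread. */
    static class FieldHandler implements Handler {
        private String currentUser;
        public String handle(String user, Runnable pause) {
            currentUser = user;
            pause.run();                      // another request can run here
            return "Receipt for " + currentUser;
        }
    }

    /** Keeps per-request data in a local variable: private to each call. */
    static class LocalHandler implements Handler {
        public String handle(String user, Runnable pause) {
            String currentUser = user;
            pause.run();
            return "Receipt for " + currentUser;
        }
    }

    /** Waits on a latch, converting interruption into an unchecked exception. */
    static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    /**
     * Forces the interleaving from the lifecycle figure: alice's request is
     * paused mid-way while bob's request runs to completion on a second thread.
     * Returns { reply to alice, reply to bob }.
     */
    static String[] runInterleaved(Handler servlet) throws InterruptedException {
        CountDownLatch aliceStored = new CountDownLatch(1);
        CountDownLatch bobFinished = new CountDownLatch(1);
        String[] replies = new String[2];

        Thread t1 = new Thread(() -> replies[0] = servlet.handle("alice", () -> {
            aliceStored.countDown();          // alice's data is now stored
            await(bobFinished);               // hold alice's request open
        }));
        Thread t2 = new Thread(() -> {
            await(aliceStored);
            replies[1] = servlet.handle("bob", () -> { });
            bobFinished.countDown();
        });
        t1.start();
        t2.start();
        t1.join();
        t2.join();
        return replies;
    }

    public static void main(String[] args) throws InterruptedException {
        String[] shared = runInterleaved(new FieldHandler());
        String[] local = runInterleaved(new LocalHandler());
        System.out.println("instance field: alice gets \"" + shared[0] + "\"");
        System.out.println("local variable: alice gets \"" + local[0] + "\"");
    }
}
```

In a real servlet, state that must outlive one request belongs in the HttpSession obtained from the request, not in a field of the servlet.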

Servlet API

The service() method dispatches service requests to one of four methods:
  - doGet, doPut, doPost, doDelete

- These methods are passed two parameters
  - One of type HttpServletRequest
  - One of type HttpServletResponse

- The parameters are objects that can be invoked to
  - Read info about the HTTP request
  - Generate the HTTP response

- Sessions are maintained via HttpSession objects
  - Accessed via the HttpServletRequest object
