Hands-On Java Web, covering Servlets, JSP, JSTL, JDBC, Hibernate, DAO, MVC, etc.

MVC/DAO JSP/JSTL/EL JDBC/ORM

Upload: mario-pereira

Post on 06-May-2015


DESCRIPTION

Very hands-on material on Java Web. I build and modify an application during the presentation; the topics covered are: Java Servlet, Java Server Pages - JSP, JavaServer Pages Standard Tag Library - JSTL, Expression Language - EL, Java Database Connectivity - JDBC, Data Access Object - DAO, Model View Controller - MVC, Hibernate ... I also present ways to avoid SQL injection.

TRANSCRIPT

Page 1: Hands-On Java Web, covering Servlets, JSP, JSTL, JDBC, Hibernate, DAO, MVC, etc.

MVC/DAO JSP/JSTL/EL JDBC/ORM

Page 2:

Page 3:

Java Web - Mario Jorge Pereira

Page 4:

(Timeline slide: 2001 to 2015)

Page 5:

Agenda

• Java Servlet

• Java Server Pages - JSP

• JavaServer Pages Standard Tag Library - JSTL

• Expression Language - EL

• Java Database Connectivity - JDBC

• Data Access Object - DAO

• Model View Controller - MVC

• Hibernate

Page 6:

JSP

Page 7:

login.jsp

<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <form method="post" action="home.jsp">
    Login: <input name="login" type="text"> <br>
    Senha: <input name="senha" type="password"><br>
    <input type="submit">
  </form>
</body>
</html>

version 1.0

Page 8:

home.jsp

<!DOCTYPE html>
<html>
<head><title>HOME</title></head>
<body>
  Bem vindo, <%=request.getParameter("login")%>
</body>
</html>

version 1.0

Page 9:

Servlet

Page 10:

Autenticador.java

package br.com.mariojp;

import java.io.*;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;

@WebServlet("/Autenticador")
public class Autenticador extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String login = request.getParameter("login");
        String senha = request.getParameter("senha");
        // Version 2.0 rule: the login is accepted when it equals the password
        if (login != null && senha != null && login.equalsIgnoreCase(senha)) {
            response.sendRedirect("home.jsp?user=" + login);
        } else {
            String erro = "Usuario ou Senha Invalidos!";
            // The message goes back to login.jsp as a query-string parameter
            response.sendRedirect("login.jsp?erro=" + erro);
        }
    }
}

version 2.0

Rule: if the login equals the password,

it's OK!

Page 11:

login.jsp

<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <form method="post" action="Autenticador">
    Login: <input name="login" type="text"> <br>
    Senha: <input name="senha" type="password"><br>
    <input type="submit">
  </form>
  <%
    // The erro parameter is written to the page as-is (no HTML escaping)
    String erro = request.getParameter("erro");
    if (erro != null && !erro.trim().equals("")) {
      out.print(erro);
    }
  %>
</body>
</html>

version 2.0

Calls the servlet

Displays the login error

Page 12:

home.jsp

<!DOCTYPE html>
<html>
<head><title>HOME</title></head>
<body>
  Bem vindo, <%=request.getParameter("user")%>
</body>
</html>

version 2.0

Page 13:

MVC

Page 14:

Usuario.java

package br.com.mariojp;

public class Usuario {
    private Integer id;
    private String login;
    private String senha;

    public Integer getId() { return id; }
    public void setId(Integer id) { this.id = id; }
    public String getLogin() { return login; }
    // Setter name matches the setLogin() call made by Autenticador
    public void setLogin(String login) { this.login = login; }
    public String getSenha() { return senha; }
    public void setSenha(String senha) { this.senha = senha; }
}

version 3.0

Page 15:

Autenticador.java

@WebServlet("/Autenticador")
public class Autenticador extends HttpServlet {

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Usuario user = new Usuario();
        String login = request.getParameter("login");
        String senha = request.getParameter("senha");
        user.setLogin(login);
        user.setSenha(senha);
        if (autenticar(user)) {
            // The model object is kept in the session; home.jsp reads it from there
            request.getSession().setAttribute("user", user);
            response.sendRedirect("home.jsp");
        } else {
            // The error travels as a request attribute through a forward, not through the URL
            request.setAttribute("erro", "Usuario ou Senha Invalidos!");
            RequestDispatcher d = request.getRequestDispatcher("login.jsp");
            d.forward(request, response);
        }
    }

    private boolean autenticar(Usuario user) {...}
}

version 3.0

Page 16:

Autenticador.java

private boolean autenticar(Usuario user) {
    boolean autenticado = false;
    // Same rule as version 2.0, now applied to the model object (case-sensitive)
    if (user.getLogin() != null && user.getSenha() != null
            && user.getLogin().equals(user.getSenha())) {
        autenticado = true;
    }
    return autenticado;
}

version 3.0

Page 17:

login.jsp

<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
  <form method="post" action="Autenticador">
    Login: <input name="login" type="text"> <br>
    Senha: <input name="senha" type="password"><br>
    <input type="submit">
  </form>
  <%
    // Read from the request attribute set by the servlet before the forward
    String erro = (String) request.getAttribute("erro");
    if (erro != null && !erro.trim().equals("")) {
      out.print(erro);
    }
  %>
</body>
</html>

version 3.0

Page 18:

home.jsp

<!DOCTYPE html>
<%@page import="br.com.mariojp.Usuario"%>
<html>
<head><title>HOME</title></head>
<body>
  <% Usuario user = (Usuario) session.getAttribute("user"); %>
  Bem vindo, <%=user.getLogin() %>
</body>
</html>

version 3.0

Page 19:

Quick Review

• Java Servlet

• Java Server Pages - JSP

• Model View Controller - MVC

Page 20:

What now?

• JavaServer Pages Standard Tag Library - JSTL

• Expression Language - EL

Page 21:

WEB-INF\lib

• javax-1.servlet.jsp.jstl-1.2.1.jar

• javax-1.servlet.jsp.jstl-api-1.2.1.jar

Page 22:

login.jsp

<!DOCTYPE html>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head><title>Login</title></head>
<body>
  <form method="post" action="Autenticador">
    Login: <input name="login" type="text"> <br>
    Senha: <input name="senha" type="password"><br>
    <input type="submit">
  </form>
  <%-- c:out HTML-escapes the value by default (escapeXml="true") --%>
  <c:out value="${erro}"/>
</body>
</html>

version 3.1

Page 23:

home.jsp

<!DOCTYPE html>
<%@page import="br.com.mariojp.Usuario"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
  <title>HOME</title>
  <jsp:useBean id="user" class="br.com.mariojp.Usuario" scope="session" />
</head>
<body>
  Bem vindo, <c:out value="${user.login}" />
</body>
</html>

version 3.1

Page 24:

JDBC

Page 25:

HSQLDB

java -cp hsqldb.jar org.hsqldb.server.Server --database.0 file:mydb --dbname.0 banco

Page 26:

HSQL Database Manager

Type: HSQL Database Engine Server

Driver: org.hsqldb.jdbcDriver

URL: jdbc:hsqldb:hsql://localhost/banco

User: SA

Page 27:

HSQLDB

CREATE TABLE USUARIOS (
  USUARIO_ID INTEGER IDENTITY,
  LOGIN varchar(100) NOT NULL,
  SENHA varchar(100) NOT NULL
);

INSERT INTO USUARIOS ("LOGIN", "SENHA") VALUES ('user', '1234');

SELECT * FROM USUARIOS;

Page 28:

WEB-INF\lib

• hsqldb.jar

Page 29:

BancoUtil.java

package br.com.mariojp;

import java.sql.Connection;
import java.sql.DriverManager;

public class BancoUtil {
    // A single connection shared by the whole application, opened when the class loads
    private static Connection connection;

    static {
        try {
            Class.forName("org.hsqldb.jdbc.JDBCDriver");
            connection = DriverManager.getConnection(
                    "jdbc:hsqldb:hsql://localhost/banco", "SA", "");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static Connection getConnection() {
        return connection;
    }
}

version 4.0

Page 30:

Autenticador.java

// Needs: import java.sql.Connection; java.sql.Statement; java.sql.ResultSet; java.sql.SQLException;
private boolean autenticar(Usuario user) {
    boolean autenticado = false;
    Connection con = BancoUtil.getConnection();
    try {
        Statement stmt = con.createStatement();
        // Login and password are concatenated straight into the SQL text
        ResultSet resultSet = stmt.executeQuery(
                "select * from usuarios where "
                + "login='" + user.getLogin().trim() + "' and "
                + "senha='" + user.getSenha().trim() + "';");
        if (resultSet.next()) {
            autenticado = true;
        }
        resultSet.close();
        stmt.close();
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return autenticado;
}

version 4.0

Page 31:

Security

• Can you reach home.jsp?

• Via the URL

• SQL Injection

Page 32:

home.jsp

<!DOCTYPE html>
<%@page import="br.com.mariojp.Usuario"%>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<html>
<head>
  <title>HOME</title>
  <jsp:useBean id="user" class="br.com.mariojp.Usuario" scope="session" />
</head>
<body>
  <%-- useBean creates an empty Usuario when the session has none, so a visitor
       who never passed through Autenticador has user.login == null --%>
  <c:if test="${user.login == null}">
    <c:redirect url="login.jsp" />
  </c:if>
  Bem vindo, <c:out value="${user.login}" />
</body>
</html>

version 4.1
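The same session check done once for every URL instead of per JSP, as an added example that is not code from the slides: a servlet Filter that lets login.jsp and /Autenticador through and redirects any other request whose session has no authenticated Usuario. The class and method names (AutenticacaoFilter, publico, autenticado) are assumptions; it generalises the single-page c:if on home.jsp to the whole application.

```java
package br.com.mariojp;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (hypothetical class, not from the slides): one filter guards
// every URL so the check cannot be forgotten on a new page.
@WebFilter("/*")
public class AutenticacaoFilter implements Filter {

    // URLs that must stay reachable without a session: the form and the servlet that handles it
    private static boolean publico(HttpServletRequest req) {
        String path = req.getRequestURI().substring(req.getContextPath().length());
        return path.equals("/") || path.equals("/login.jsp") || path.equals("/Autenticador");
    }

    // Same condition as home.jsp version 4.1: a Usuario with a login must be in the session
    static boolean autenticado(HttpSession session) {
        if (session == null) {
            return false;
        }
        Object user = session.getAttribute("user");
        return user instanceof Usuario && ((Usuario) user).getLogin() != null;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // getSession(false) never creates a session just to inspect it
        if (publico(req) || autenticado(req.getSession(false))) {
            chain.doFilter(request, response);
        } else {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
        }
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```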

Page 33:

Test?

• Use Login = 123 and Senha = ' or '1' = '1

• Use Login = ' OR 1=1 --

Page 34:

Autenticador.java

// Needs: import java.sql.Connection; java.sql.PreparedStatement; java.sql.ResultSet; java.sql.SQLException;
private boolean autenticar(Usuario user) {
    boolean autenticado = false;
    Connection con = BancoUtil.getConnection();
    try {
        // Placeholders: the driver sends login and senha as values, never as SQL text
        String sql = "select * from usuarios where " + "login=? and senha=?;";
        PreparedStatement pstmt = con.prepareStatement(sql);
        pstmt.setString(1, user.getLogin());
        pstmt.setString(2, user.getSenha());
        ResultSet resultSet = pstmt.executeQuery();
        if (resultSet.next()) {
            autenticado = true;
        }
        resultSet.close();
        pstmt.close();
    } catch (SQLException e) {
        e.printStackTrace();
    }
    return autenticado;
}

version 4.1
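An added regression check, not code from the slides, that runs the version 4.0 and version 4.1 query styles side by side against an in-memory HSQLDB created with the page 27 schema and row, feeding it the page 33 inputs: the concatenated query accepts both test strings, the PreparedStatement version accepts only the real credentials. It assumes hsqldb.jar on the classpath; the class and method names (InjecaoTeste, autenticarConcat, autenticarPreparado) are mine.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (hypothetical class): compares the two autenticar() styles from the slides.
public class InjecaoTeste {

    // Version 4.0 logic: login and password are concatenated into the SQL text
    static boolean autenticarConcat(Connection con, String login, String senha) throws SQLException {
        String sql = "select * from usuarios where login='" + login.trim()
                + "' and senha='" + senha.trim() + "';";
        try (Statement stmt = con.createStatement(); ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Version 4.1 logic: placeholders, so the values can never change the query structure
    static boolean autenticarPreparado(Connection con, String login, String senha) throws SQLException {
        String sql = "select * from usuarios where login=? and senha=?";
        try (PreparedStatement pstmt = con.prepareStatement(sql)) {
            pstmt.setString(1, login);
            pstmt.setString(2, senha);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // "mem:" keeps the database inside the JVM; same schema and row as page 27
        try (Connection con = DriverManager.getConnection("jdbc:hsqldb:mem:banco", "SA", "")) {
            try (Statement s = con.createStatement()) {
                s.execute("CREATE TABLE USUARIOS (USUARIO_ID INTEGER IDENTITY, "
                        + "LOGIN varchar(100) NOT NULL, SENHA varchar(100) NOT NULL)");
                s.execute("INSERT INTO USUARIOS (LOGIN, SENHA) VALUES ('user', '1234')");
            }
            // Constructed inputs: the valid pair, then the two test strings from page 33
            String[][] tentativas = {
                {"user", "1234"},
                {"123", "' or '1' = '1"},
                {"' OR 1=1 --", "x"},
            };
            for (String[] t : tentativas) {
                System.out.printf("login=%-14s senha=%-16s concat=%-5b prepared=%b%n",
                        t[0], t[1], autenticarConcat(con, t[0], t[1]),
                        autenticarPreparado(con, t[0], t[1]));
            }
        }
    }
}
```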

Page 35:

DAO

Page 36:

UsuarioDAO.java

package br.com.mariojp;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class UsuarioDAO {

    // Data access moved out of the servlet; same parameterised query as version 4.1
    public boolean autenticar(Usuario user) {
        boolean autenticado = false;
        Connection con = BancoUtil.getConnection();
        try {
            String sql = "select * from usuarios where login=? and senha=?;";
            PreparedStatement pstmt = con.prepareStatement(sql);
            pstmt.setString(1, user.getLogin());
            pstmt.setString(2, user.getSenha());
            ResultSet resultSet = pstmt.executeQuery();
            if (resultSet.next()) {
                autenticado = true;
            }
            resultSet.close();
            pstmt.close();
        } catch (SQLException e) {
            e.printStackTrace();
        }
        return autenticado;
    }
}

version 5.0

Page 37:

Autenticador.java

@WebServlet("/Autenticador")
public class Autenticador extends HttpServlet {
    private UsuarioDAO usuarioDAO = new UsuarioDAO();

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        Usuario user = new Usuario();
        String login = request.getParameter("login");
        String senha = request.getParameter("senha");
        user.setLogin(login);
        user.setSenha(senha);
        // The servlet only controls the flow; the DAO talks to the database
        if (usuarioDAO.autenticar(user)) {
            request.getSession().setAttribute("user", user);
            response.sendRedirect("home.jsp");
        } else {
            request.setAttribute("erro", "Usuario ou Senha Invalidos!");
            RequestDispatcher d = request.getRequestDispatcher("login.jsp");
            d.forward(request, response);
        }
    }
}

version 3.0

Page 38:

Page 39:

Hibernate

• Object-relational mapping framework

Page 40:

WEB-INF\lib

• hibernate-core-4.3.0.Final.jar

• antlr-2.7.7.jar

• dom4j-1.6.1.jar

• hibernate-commons-annotations-4.0.4.Final.jar

• hibernate-jpa-2.1-api-1.0.0.Final.jar

• jandex-1.1.0.Final.jar

• javassist-3.18.1-GA.jar

• jboss-logging-3.1.3.GA.jar

• jboss-logging-annotations-1.2.0.Beta1.jar

• jboss-transaction-api_1.2_spec-1.0.0.Final.jar

Page 41:

Usuario.java

package br.com.mariojp;

import java.io.Serializable;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name="usuarios")
public class Usuario implements Serializable {
    private static final long serialVersionUID = 1L;

    @Id
    @GeneratedValue
    private Integer id;

    private String login;
    private String senha;

    // getters and setters
}

version 6.0

Page 42:

BancoUtil.java

package br.com.mariojp;

import org.hibernate.SessionFactory;
import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
import org.hibernate.cfg.Configuration;
import org.hibernate.service.ServiceRegistry;

public class BancoUtil {
    private static SessionFactory factory;

    static {
        // configure() reads hibernate.cfg.xml from the classpath
        Configuration configuration = new Configuration().configure();
        StandardServiceRegistryBuilder serviceRegistryBuilder;
        serviceRegistryBuilder = new StandardServiceRegistryBuilder();
        serviceRegistryBuilder.applySettings(configuration.getProperties());
        ServiceRegistry serviceRegistry = serviceRegistryBuilder.build();
        factory = configuration.buildSessionFactory(serviceRegistry);
    }

    public static SessionFactory getFactory() {
        return factory;
    }
}

version 6.0

Page 43:

UsuarioDAO.java

package br.com.mariojp;

import org.hibernate.Session;

public class UsuarioDAO {

    public boolean autenticar(Usuario user) {
        // HQL with named parameters: the values are bound, not concatenated
        String query = "select u from Usuario as u where "
                + "u.login=:login and u.senha=:senha";
        Session session = BancoUtil.getFactory().openSession();
        session.beginTransaction();
        Usuario usuario = (Usuario) session
                .createQuery(query)
                .setString("login", user.getLogin())
                .setString("senha", user.getSenha())
                .uniqueResult();
        session.getTransaction().commit();
        session.close();
        return usuario != null;
    }
}

version 6.0

Page 44:

hibernate.cfg.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
  "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
  "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
  <session-factory>
    <property name="hibernate.connection.driver_class">org.hsqldb.jdbc.JDBCDriver</property>
    <property name="hibernate.connection.url">jdbc:hsqldb:hsql://localhost/banco</property>
    <property name="hibernate.connection.username">SA</property>
    <property name="hibernate.connection.password"></property>
    <property name="hibernate.connection.pool_size">1</property>
    <property name="hibernate.dialect">org.hibernate.dialect.HSQLDialect</property>
    <property name="hibernate.current_session_context_class">thread</property>
    <property name="hibernate.cache.provider_class">org.hibernate.cache.internal.NoCacheProvider</property>
    <!-- Echo all executed SQL to stdout -->
    <property name="hibernate.show_sql">true</property>
    <!-- Drop and re-create the database schema on startup
         (this also discards the USUARIOS rows inserted by hand on page 27) -->
    <property name="hibernate.hbm2ddl.auto">create</property>
    <mapping class="br.com.mariojp.Usuario"/>
  </session-factory>
</hibernate-configuration>

version 6.0

Page 45:

Page 46:

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/.

Page 47:

Java Web - Mario Jorge Pereira

How to find me? http://www.mariojp.com.br twitter.com/@mariojp [email protected]