1 Servlets: Leftover Odds and Ends (Most apply to JSPs as well, duh….)

  • date post

    15-Jan-2016

Page 1: 1 Servlets: Leftover Odds and Ends (Most apply to JSPs as well, duh….)


A Warning: Don’t Panic…

• Many of the examples in this presentation use features not discussed elsewhere in this course.

• There is no need to understand them any more deeply than the relevant examples require.

• They are there to give you a general idea of what these feature names refer to and what can be done with them.

• Google these features if you want / ever need to...

Exceptions

• Exceptions are caught by the server

• You can find them in the log file under $CATALINA_BASE/logs/

• The result shown in the browser depends on the buffer state

• Check the example on the next slide…

• Find the exceptions in the log

Run:

http://localhost/dbi/exception?nlines=10
http://localhost/dbi/exception?nlines=1000

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class ExceptionServlet extends HttpServlet {
  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    int nLines = Integer.parseInt(request.getParameter("nlines"));
    out.println("<html><head></head><body>");
    for (int i = 0; i < nLines; ++i) {
      out.println("<p> bla bla bla " + i + "</p>");
    }
    out.println("</body></html>");
    out.println(" " + 1/0 + " ");  // This line causes an exception
  }
}
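An added variant of ExceptionServlet (not from the slides) that validates nlines and checks response.isCommitted() before sending an error status, which is the buffer-state dependence described above. The class name GuardedLinesServlet, the MAX_LINES bound and the riskyValue() helper are assumptions made for this example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Added example (hypothetical class): ExceptionServlet with input validation
// and an explicit check of the buffer state when rendering fails.
public class GuardedLinesServlet extends HttpServlet {
  static final int MAX_LINES = 1000;  // assumed upper bound for nlines

  // Returns the parsed value, or -1 for a missing, non-numeric or
  // out-of-range parameter (parseInt would otherwise throw).
  static int parseLines(String raw) {
    if (raw == null) return -1;
    try {
      int n = Integer.parseInt(raw.trim());
      return (n >= 0 && n <= MAX_LINES) ? n : -1;
    } catch (NumberFormatException e) {
      return -1;
    }
  }

  // Stand-in for the slide's 1/0: fails at run time.
  static int riskyValue() {
    return 1 / Integer.parseInt("0");
  }

  public void doGet(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    int nLines = parseLines(request.getParameter("nlines"));
    if (nLines < 0) {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    try {
      out.println("<html><head></head><body>");
      for (int i = 0; i < nLines; ++i) {
        out.println("<p> bla bla bla " + i + "</p>");
      }
      out.println(" " + riskyValue() + " ");
      out.println("</body></html>");
    } catch (RuntimeException e) {
      log("rendering failed", e);  // details go to the server log only
      if (!response.isCommitted()) {
        // Nothing sent yet: sendError discards the buffered partial page.
        response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
      }
      // Otherwise the status line and part of the body are already on the
      // wire; the client keeps a truncated page and nothing can be recalled.
    }
  }
}
```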

Uploading Files with Servlets

Read more about the FileUpload API

Handling Uploads with Package Commons FileUpload

• Commons FileUpload is an Apache package for handling uploaded files on the Servlet side

• Files are sent in the body of POST requests

• Using this package, uploaded files are temporarily written to memory or to disk (depending on the file size)

• You can set the size threshold beyond which files are written to disk
- This is not a configuration parameter in web.xml but a part of the API, as we’ll see in the next slides

Handling Uploads with Package Commons FileUpload

• Servlets read the file from the disk or memory

• In Tomcat, the default temporary directory is $CATALINA_BASE/temp/

• However, you can specify a temporary directory of your own (e.g., /tmp)

• What if a very big file is uploaded?
- You can define the maximal size of uploaded files
- An exception is thrown for larger files

Example 1

upload1.html

<html>
  <head>
    <title>Upload Files and Parameters</title>
  </head>
  <body>
    <!-- This is the right encoding type for file uploads -->
    <form action="upload1" method="post" enctype="multipart/form-data">
      <h2>File: <input type="file" name="file1"/></h2>
      <h2><input type="submit" value="send" /></h2>
    </form>
  </body>
</html>

The upload1 servlet sends the uploaded file back to the client.

Upload1.java

import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.commons.fileupload.*;
import org.apache.commons.fileupload.disk.*;
import org.apache.commons.fileupload.servlet.*;

public class Upload1 extends HttpServlet {
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    DiskFileItemFactory factory = new DiskFileItemFactory();
    // Sets the repository directory
    //factory.setRepository(new File("/tmp"));
    // Sets the memory vs. disk threshold (bytes)
    factory.setSizeThreshold(1000);
    ServletFileUpload upload = new ServletFileUpload(factory);
    // Sets the maximum file size (bytes). Bigger files generate exceptions
    upload.setSizeMax(60000);
    try {
      // Makes life much easier
      List items = upload.parseRequest(request);
      Iterator it = items.iterator();
      // In our example, we expect a single parameter
      FileItem item = (FileItem) it.next();
      response.setContentType(item.getContentType());
      response.setContentLength((int) item.getSize());
      InputStream is = item.getInputStream();
      // We use an OutputStream and not the out PrintWriter (why?)
      OutputStream os = response.getOutputStream();
      byte[] buffer = new byte[4096];
      int read = -1;
      while ((read = is.read(buffer)) >= 0)
        os.write(buffer, 0, read);
    } catch (FileUploadException exp) {
      response.setContentType("text/html");
      PrintWriter out = response.getWriter();
      out.println("<html><body><b>Error</b>: <i>" + exp.getMessage() + "</i></body></html>");
    }
  }
}

Example 2

upload2.html

<html>
  <head>
    <title>Upload Files and Parameters</title>
  </head>
  <body>
    <!-- Mixed parameter types -->
    <form action="upload2" method="post" enctype="multipart/form-data">
      <h2>Parameter x: <input type="text" name="x" /></h2>
      <h2>File: <input type="file" name="file1" /></h2>
      <h2>Parameter y: <input type="text" name="y" /></h2>
      <h2><input type="submit" value="send" /></h2>
    </form>
  </body>
</html>

Upload2.java

// (upload and out are assumed to be set up as in Upload1.java)
// This time we use a loop since there are several parameters
// Values below come from the client and are written without HTML escaping
List items = upload.parseRequest(request);
Iterator it = items.iterator();
out.println("<ol>");
while (it.hasNext()) {
  FileItem item = (FileItem) it.next();
  if (item.isFormField())
    out.println("<li><b>Field</b>: " + item.getFieldName() + " = " + item.getString() + "</li>");
  else
    out.println("<li><b>File</b>" + ": parameter name: " + item.getFieldName()
        + ", file name: " + item.getName() + ", file size: " + item.getSize()
        + " bytes, file type: " + item.getContentType() + "</li>");
}
out.println("</ol>");
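An added, hardened form of the Upload2 listing (not from the slides): it reports an over-limit upload with a 413 status instead of an HTML error body, keeps only the last path segment of the client-supplied file name, and HTML-escapes every client-supplied value before writing it. The class name SafeUploadReport and the helpers esc() and baseName() are assumptions; the thresholds are the ones used in Upload1.java.

```java
import java.io.*;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import org.apache.commons.fileupload.*;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Added example (hypothetical class), assuming Commons FileUpload 1.x.
public class SafeUploadReport extends HttpServlet {

  // HTML-escape client-supplied text before it is written into the page.
  static String esc(String s) {
    if (s == null) return "";
    StringBuilder b = new StringBuilder();
    for (char c : s.toCharArray()) {
      switch (c) {
        case '<':  b.append("&lt;");   break;
        case '>':  b.append("&gt;");   break;
        case '&':  b.append("&amp;");  break;
        case '"':  b.append("&quot;"); break;
        case '\'': b.append("&#39;");  break;
        default:   b.append(c);
      }
    }
    return b.toString();
  }

  // Some clients send a full path as the file name; keep the last segment.
  static String baseName(String name) {
    if (name == null) return "";
    return name.substring(1 + Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\')));
  }

  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    DiskFileItemFactory factory = new DiskFileItemFactory();
    factory.setSizeThreshold(1000);   // values reused from Upload1.java
    ServletFileUpload upload = new ServletFileUpload(factory);
    upload.setSizeMax(60000);
    List<FileItem> items;
    try {
      items = upload.parseRequest(request);
    } catch (FileUploadBase.SizeLimitExceededException e) {
      response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
      return;
    } catch (FileUploadException e) {   // not multipart, or malformed body
      response.sendError(HttpServletResponse.SC_BAD_REQUEST);
      return;
    }
    response.setContentType("text/html");
    PrintWriter out = response.getWriter();
    out.println("<html><body><ol>");
    for (FileItem item : items) {
      if (item.isFormField()) {
        out.println("<li><b>Field</b>: " + esc(item.getFieldName()) + " = " + esc(item.getString()) + "</li>");
      } else {
        out.println("<li><b>File</b>: " + esc(baseName(item.getName())) + ", " + item.getSize() + " bytes, type: " + esc(item.getContentType()) + "</li>");
        item.delete();   // remove the temporary copy once it is no longer needed
      }
    }
    out.println("</ol></body></html>");
  }
}
```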

Example 3

• The previous example reflected a common design problem: combining complex HTML code and Java code in a Servlet or a JSP
- Java code for processing parameters and uploaded files
- HTML code for generating the (dynamic) response

• An accepted solution is to process the parameters in a Servlet, and forward the request to a JSP for generating the response
- Attributes can be sent to the JSP via the request object.

• The next example also uses JSTL

JSTL

• JSTL stands for JSP Standard Tag Library

• This is a regular tag library that can be imported to your page, like the ones we created in the past

• This library includes some standard actions that are common in JSP, like iteration and conditions over EL expressions, parsing/manipulation of XML and database access

• More details can be found in Sun's J2EE Tutorial.

Example 3

upload3.html

<html>
  <head>
    <title>Upload Files and Parameters</title>
  </head>
  <body>
    <form action="upload3" method="post" enctype="multipart/form-data">
      <h2>Parameter x: <input type="text" name="x" /></h2>
      <h2>File: <input type="file" name="file1" /></h2>
      <h2>Parameter y: <input type="text" name="y" /></h2>
      <h2><input type="submit" value="send" /></h2>
    </form>
  </body>
</html>

Upload3.java

// We’ll store parameters and file items in those lists
List formParams = new LinkedList();
List files = new LinkedList();

List items = upload.parseRequest(request);
Iterator it = items.iterator();
while (it.hasNext()) {
  FileItem item = (FileItem) it.next();
  if (item.isFormField())
    formParams.add(item);
  else
    files.add(item);
}

// Attach the lists to the request
request.setAttribute("formParams", formParams);
request.setAttribute("files", files);

this.getServletContext().getRequestDispatcher("/WEB-INF/jsp/upload3.jsp").forward(request, response);

/WEB-INF/jsp/upload3.jsp

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ page isELIgnored="false" %>
<%-- c:out HTML-escapes the client-supplied names and values --%>
<html>
  <head><title>Submitted Parameters</title></head>
  <body>
    <h1>Submitted Parameters:</h1>
    <ol>
      <c:forEach var="item" items="${formParams}">
        <li><b>Parameter</b>: name:<i><c:out value="${item.fieldName}"/></i>, value:<i><c:out value="${item.string}"/></i></li>
      </c:forEach>
      <c:forEach var="item" items="${files}">
        <li><b>File</b>: name:<i><c:out value="${item.name}"/></i>, length:<i>${item.size}</i>, type:<i><c:out value="${item.contentType}"/></i></li>
      </c:forEach>
    </ol>
  </body>
</html>

A Question

• What is the advantage of forwarding to JSP pages that are under WEB-INF?
- Pages under WEB-INF are not directly accessible to clients
- You can make sure no one invokes the JSP directly
- You can hide the implementation

Programmatic Security with Servlets

Programmatic-Security Methods

• The Servlet API contains several accessories for handling programmatic security:
- getRemoteUser() (returns the authenticated user, or null if none exists)
- isUserInRole(String role)
- getAuthType()

• These are all methods of HttpServletRequest

• To enable user authentication (even for public URLs), provide a link to some protected page

An Example: Security Constraints in web.xml

web.xml

<security-constraint>
  <!-- Some secured resources -->
  <web-resource-collection>
    <web-resource-name>Firm People</web-resource-name>
    <url-pattern>/login.html</url-pattern>
  </web-resource-collection>
  <!-- Roles that can view those resources -->
  <auth-constraint>
    <role-name>employees</role-name>
    <role-name>managers</role-name>
  </auth-constraint>
</security-constraint>

Roles, some users and their roles are defined in /conf/tomcat-users.xml

An Example: Security Constraints in web.xml

web.xml

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login?fail=fail</form-error-page>
  </form-login-config>
</login-config>

<!-- Roles used in this application (not required) -->
<security-role>
  <role-name>managers</role-name>
</security-role>
<security-role>
  <role-name>employees</role-name>
</security-role>

FirmServlet

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class FirmServlet extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();
    out.println("<html><head><title>Firm</title></head><body>");
    out.println("<h1>Hello.</h1>");
    // Returns the authenticated user or null if none exists
    String username = req.getRemoteUser();
    if (username == null) {
      out.println("<p><img src=\"images/visitor.gif\"/></p>");
      out.println("<h3><a href=\"login.html\">Login</a></h3>");
      out.println("</body></html>");
      return;
    }
    if (req.isUserInRole("employees")) {
      out.println("<p><img src=\"images/employee.gif\"/></p>");
      out.print("<h2>Welcome Employee " + username + "!</h2>");
    }
    if (req.isUserInRole("managers")) {
      out.println("<p><img src=\"images/manager.gif\"/></p>");
      out.print("<h2>Executive average salary: 42764NIS!</h2>");
    }
    out.print("<h3><a href=\"endsession\">Log Out</a></h3>");
    out.println("</body></html>");
  }
}

The escaped quotes (\") are ugly. This is why attributes in HTML can be single- or double-quoted. The same goes for strings in many scripting languages (watch out for escaping differences, though!)

LoginServlet.java

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class LoginServlet extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();
    out.println("<html><head><title>Login</title></head><body>");
    if (req.getParameter("fail") != null)
      out.print("<h2>Login Failed. Try Again.</h2>");
    out.println("<form action=\"j_security_check\" method=\"post\">" +
        "<p>Login: <input type=\"text\" name=\"j_username\"/></p>" +
        "<p>Password: <input type=\"password\" name=\"j_password\"/></p>" +
        "<p><input type=\"submit\" value=\"Log In\"/></p>" +
        "</form></body></html>");
  }

  public void doPost(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    this.doGet(req, res);
  }
}

Notice that although this code contains no getSession() calls, the server tries to set a session cookie as part of the FORM authentication.

web.xml

<servlet>
  <servlet-name>Login</servlet-name>
  <servlet-class>LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>Login</servlet-name>
  <url-pattern>/login</url-pattern>
</servlet-mapping>

EndSession.java

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class EndSession extends HttpServlet {
  public void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    HttpSession session = req.getSession(false);
    if (session != null) {
      session.invalidate();
    }
    res.sendRedirect("firm");
  }
}

web.xml

<servlet>
  <servlet-name>EndSession</servlet-name>
  <servlet-class>EndSession</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>EndSession</servlet-name>
  <url-pattern>/endsession</url-pattern>
</servlet-mapping>

Tomcat’s session implementation saves the user details in the session, but not as attributes. This data is recovered by calling the request methods mentioned earlier, and of course invalidating the session leads to logout.

login.html

<html>
  <head>
    <title>Logged On</title>
  </head>
  <body>
    <h1>You are logged on!</h1>
    <p><a href="firm">Back to the firm page.</a></p>
  </body>
</html>

Filters

Filters in Servlet API

• Filters are used to dynamically intercept requests and responses

• A filter that applies to a URL u typically acts as follows given a request for u:
- performs some actions before the processing of u
- passes the request handling to the next filter
- the last filter passes the request to u itself
- performs some actions after the processing of u

[Figure: Client and Container; inside the Container, the Request and Response pass through Filter 1, Filter 2 and Filter 3 on the way to and from the Servlet/JSP/HTML]

FilterExample.java

import java.io.IOException;
import javax.servlet.*;

public class FilterExample implements Filter {
  public void init(FilterConfig filterConfig) throws ServletException {
    ...
  }
  public void destroy() {
    ...
  }
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    ...  // Before other elements, on the way “down”
    chain.doFilter(req, res);
    ...  // After other elements, on the way “up”
  }
}

Registering a Filter

web.xml

<filter>
  <filter-name>Example Filter</filter-name>
  <filter-class>FilterExample</filter-class>
</filter>
<filter-mapping>
  <filter-name>Example Filter</filter-name>
  <url-pattern>/images/*</url-pattern>
</filter-mapping>

You can also add an <init-param> element like we saw in servlets and JSPs.

What Can we Do with Filters?

• Examine and log requests

• Modify request headers and properties

• Modify the response headers and response data

• Block requests

• And more...

Open FilterExample.java.

Check the result of calling http://localhost/dbi/images/image1.gif in the server’s logs

Notes About Filters

• The order of the filters in the chain is the same as the order in which the filter mappings appear in web.xml

• The life cycle of filters is similar to that of Servlets

• Filters typically do not themselves create responses, although they can

• The request and response arguments of doFilter are actually of type HttpServletRequest and HttpServletResponse

• The FilterConfig interface is used to read initialization parameters
- Those are set in web.xml
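An added example (not from the slides) that combines the points above with the programmatic-security methods: a filter that blocks requests unless getRemoteUser() and isUserInRole() pass, reads the required role through FilterConfig, and logs before and after the chain. The class name RoleGateFilter and the init-param name "role" are assumptions; /login.html is the protected page from the earlier web.xml example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class). Registered in web.xml like the
// filters above, with <init-param> "role" set to e.g. managers.
public class RoleGateFilter implements Filter {
  private ServletContext context;
  private String requiredRole;

  public void init(FilterConfig filterConfig) throws ServletException {
    context = filterConfig.getServletContext();
    requiredRole = filterConfig.getInitParameter("role");
    if (requiredRole == null || requiredRole.trim().isEmpty()) {
      // Fail closed: a missing parameter must not turn the check off.
      throw new ServletException("RoleGateFilter: init-param 'role' is required");
    }
  }

  public void destroy() { }

  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse res = (HttpServletResponse) response;

    // Before the rest of the chain: decide whether the request may proceed.
    String user = req.getRemoteUser();
    if (user == null) {
      // Not authenticated: the protected page triggers the FORM login.
      res.sendRedirect(req.getContextPath() + "/login.html");
      return;
    }
    if (!req.isUserInRole(requiredRole)) {
      context.log("denied " + req.getRequestURI() + " for user " + user);
      res.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;   // block: chain.doFilter is never called
    }
    // Modify a response header before the target writes its output.
    res.setHeader("Cache-Control", "no-store");
    chain.doFilter(request, response);
    // After the rest of the chain: record the allowed access.
    context.log("served " + req.getRequestURI() + " to user " + user);
  }
}
```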

ImageFilter.java

// (filterConfig is assumed to be the FilterConfig saved in init(), which the slide does not show)
public void doFilter(ServletRequest request, ServletResponse response,
    FilterChain chain) throws IOException, ServletException {
  HttpServletResponse res = (HttpServletResponse) response;
  HttpServletRequest req = (HttpServletRequest) request;
  // URI is the part of the URL following the http://host:port
  String URI = req.getRequestURI();
  // Only for filetypes <type> with no “nofilter” parameter in the query
  if (URI.endsWith(filterConfig.getInitParameter("type")) &&
      (req.getParameter("nofilter") == null)) {
    res.setContentType("text/html");
    PrintWriter out = res.getWriter();
    out.println("<html><head><title>ImageFilter</title></head><body>");
    // URI comes from the request and is written without HTML escaping
    out.println("<h2>Image filename = " + URI + "</h2>\n");
    // We have to add the “nofilter” query so that the filter won’t work again on the <img>
    out.println("<img src=\"" + URI.substring(1 + URI.lastIndexOf("/")) +
        "?nofilter\" />");
    out.println("</body></html>");
  }
  else {
    // Default filter chaining. This time the next element in the chain
    // is not a filter but the original URL
    chain.doFilter(request, response);
  }
}

web.xml

<filter>
  <filter-name>fImageFilter</filter-name>
  <filter-class>ImageFilter</filter-class>
  <init-param>
    <param-name>type</param-name>
    <param-value>.gif</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>fImageFilter</filter-name>
  <url-pattern>/images2/*</url-pattern>
</filter-mapping>

The Filter applies only to .gif files in /dbi/images/ but not to other files in the same directory, such as .txt

Open /images2/image1.gif

Open /images2/joke1.txt

A url-pattern of /images2/*.gif doesn’t work. That’s why we check the suffix in the Java code