Transcript Servlets

Web Application Development
1
Outline
•
•
•
•
•
•
Web application architecture
HTTP
CGI
Java Servlets
Apache Tomcat
Session maintenance
2
Architecture
HTTP
• Created by Tim Berners-Lee at CERN
– Defined 1989-1991
• Standardized and much expanded by the IETF
• Rides on top of TCP protocol
– TCP provides: reliable, bi-directional, in-order byte stream
• Goal: transfer objects between systems
– Do not confuse with other WWW concepts:
• HTTP is not page layout language (that is HTML)
• HTTP is not object naming scheme (that is URLs)
• Text-based protocol
– Human readable
4
Client-Server Paradigm
Client:

initiates contact with server
(“speaks first”)

typically requests service from
PC running
server,
Explorer

for Web, client is implemented in
browser; for e-mail, in mail reader
Server:

provides requested service to
client

e.g., Web server sends requested
Web page, mail server delivers email
Apache Web
server
Mac running
Safari
HTTP
6
HTTP Request Message Format
HTTP method sp URL sp
header field name
…
header field name
cr lf
:
:
HTTP version
field value
cr lf
field value
cr lf
cr lf request line
header
lines
Entity Body
7
HTTP Request Example
GET /somedir/page.html HTTP/1.0
User-agent: Mozilla/4.0
Accept: text/html, image/gif,image/jpeg
Accept-language:fr
(extra carriage return, line feed)
request line
(GET, POST,
HEAD
commands)
header
lines
Carriage return,
line feed
indicates end
of message
8
HTTP Response Message Format
HTTP version sp status code sp status phrase cr lf response line
header field name
…
header field name
cr lf
:
:
field value
cr lf
field value
cr lf
header
lines
Response Body
9
HTTP Response Example
HTTP/1.0 200 OK
Date: Thu, 25 Aug 2001 12:00:15 GMT
Server: Apache/1.3.0 (Unix)
Last-Modified: Mon, 22 Aug 2001 …...
Content-Length: 6821
Content-Type: text/html
status line:
(protocol
status code
status phrase)
header
lines
Carriage return,
line feed
indicates end
of message
data data data data data ...
data data data data data ...
data data data data data ...
data, e.g.,
requested
html file
10
CGI Architecture
Objectives
• Standardizes execution of server-side
applications/handlers
• Specifies:
– Interface between client and handler
– Interface between web server and hander
Web Server-Handler Interaction
• Handler Input
– Meta-variables
– Stdin (message body)
• Handler Output
– Stdout
Client-Handler Interaction
• Clients request the execution of a handler
program by means of a:
– A request method (e.g., GET, POST)
– Universal Resource Identifier (URI)
• Identifies handler
– Extra arguments
URI Syntax
<protocol>://<host><port>/<path-info><script>"?"<query-string>
http://finance.yahoo.com/add?op1=10&op2=20
<protocol>
<host>
<port>
<path-info>
<script>
<query-string>
http
finance.yahoo.com
80
null
add
op1=10, op2=20
Query String Encoding
• RFC 2396
• Why encode?
 Can think of a CGI script as a function, send
arguments by specifying name/value pairs.
 Way to pack and unpack multiple arguments into
a single string
Encoding Rules
 All arguments
 Single string of ampersand (&) separated name=value
pairs
name_1=value_1&name_2=value_2&...
 Spaces
 Replaced by a plus (+) sign
 Other characters (ie, =, &, +)
 Replaced by a percent sign (%) followed by the two-digit
hexadecimal ASCII equivalent
Method
• GET
– Arguments appear in the URL after the ?
– Can be expressed as a URL
– Limited amount of information can be passed this way
– URL may have a length restriction on the server
– Arguments appear on server log
• POST
 Arguments are sent in the HTTP message body
 Cannot be expressed as URL
 Arbitrarily long form data can be communicated (some
browsers may have limits (i.e. 7KB)).
 Arguments usually does not appear in server logs.
Forms and CGI
• Specify request method in “method” attribute
• Automatically encodes all named field values
Example: add.html
Servlets
• Generic Java2EE API for invoking and connecting
to “mini-servers” (lightweight, short-lived, serverside interactions).
• Mostly HTTPServlets
– Generate HTTP responses (as for CGI)
– Servlet code snippets can be embedded directly
into HTML pages: JSP = Java Server Pages
• Competitor: Microsoft ASP = Active Server
Pages
21
Servlet Architecture
 Web server: Apache, Netscape Enterprise, IIS
 Servlet container: Running JVM, hooked into the web
server, loads and maintains servlets, session info,
object store
 Servlet: A Java class used to handle a specific request.
22
Java Servlet-Based Web Server
Main Process
Request for
Servlet1
Request for
Setvlet2
Request for
Servlet1
Thread
JVM
Servlet1
Thread
Thread
Servlet2
23
Servlet API (javax.Servlet)
•
•
•
•
•
Servlet Container
Servlet Interface
HttpServletResponce
HttpServletRequest
ServletContext
24
Servlet Container
 Contains and manages servlets through
their lifecycle
 Provides the network services over
which requests and responses are sent
 Decodes requests
 Formats MIME based responses
25
Servlet Interface
 Central abstraction of the servlet API
 All servlets either implement this interface,
or extend a class that implements this
interface
 GenericServlet and HttpServlet two classes
in the servlet API that implement the
Servlet interface
26
HttpServlet
 Web developers extend HttpServlet to
implement their servlets.
 Inherited from GenericServlet
 Init()
 Destroy()
 Defined by HTTPServlet
 doGet()
 doPost()
27
doGet() and doPost()
protected void doGet(HttpServletRequest req,
HttpServletResponse resp)
protected void doPost(HttpServletRequest req,
HttpServletResponse resp)
28
HttpServletResponse
 Encapsulates all information to be returned from the server to
the client
 In the HTTP protocol, this information is transmitted from
the server to the client either by HTTP headers or the
message body of the request.
 Headers: Can set/manipulate http headers
 primitive manipulation: setStatus(),
setHeader(), addHeader()
 convenience methods: setContentType(),
sendRedirect(), sendError()
 Body: Obtain a PrintWriter, used to return character data to
the client
 getWriter()
29
Example: Hello World
30
HttpServletRequest
 Encapsulates all information from the client request
 In the HTTP protocol, this information is
transmitted from the client to the server in the
HTTP headers and the message body of the
request.
 Manipulate 'form' variables:
getParameter()
getParameterNames()
getParameterValues()
31
Example: Form
32
Environment Variables
DOCUMENT_ROOT
HTTP_COOKIE
HTTP_HOST
HTTP_REFERER
HTTP_USER_AGENT
HTTPS
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_USER
REQUEST_METHOD
REQUEST_URI
SCRIPT_FILENAME
SERVER_SOFTWARE
root directory of your server
visitor's cookie, if one is set
hostname of the page
browser type of the visitor
"on" if called through a secure server
query string
IP address of the visitor
hostname of the visitor
visitor's username
GET or POST
The full pathname of the current CGI
server software (e.g. Apache 1.3)
Example: Environment Variables
34
Tomcat Configuration
Tomcat
webapps
conf
Root
csc309Servlets
index.html
index.jsp
WEB-INF
server.xml
web.xml
tomcat_users.xml
web.xml
classes
HelloWorld.class
SomeOther.class
35
Deployment Descriptor (web.xml)
• $CATALINA_HOME/conf/web.xml
– Default for all web applications
• $CATALINA_HOME/webapp/ece1779Servlets/WEB_INF/web.xml
– Specific to ece779Servlets
<servlet>
<servlet-name>SampleServerName</servlet-name>
<servlet-class>HelloWorld</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SampleServletName</servlet-name>
<url-pattern>/index.html</url-pattern>
</servlet-mapping>
http://127.0.0.1:8080/ece1779Servlets/index.html
Maps to:
$CATALINA_HOME/webapp/ece1779Servlets/WEB_INF/classes/HelloWorld.class
36
$CATALINA_HOME/conf/tomcat_users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<role rolename="role1"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username= “ece1779" password= “secret" fullName= "name" roles="admin,manager"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="role1" password="tomcat" roles="role1"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
</tomcat-users>
37
Tomcat Web Application Manager
• Deploy applications
• Start/stop/reload
38
Servlet Debugging
• Logs
– $CATALINA_HOME/logs
• Interactive debugger
– Use Java JPDA interface
• Allows an external program to “attach” to process
– Start Tomcat in debugging mode
• $CATALINA_HOME/bin/catalina.sh jpda start
– Start IDE debugger
– Attach debugger to running Tomcat instance
39
Session Maintenance
 HTTP is stateless by default
 No memory of browsers state
 Preserving state between browser/web server interactions
 Behavior reflects previous forms filled in and pages
viewed
 Kept at the browser or/and web server.
 Example: Want to allow access to a given script only once
a user is logged in. Don't want to require a user to login at
every page.
40
Store State At Server
 Current state is stored at the server (i.e., in a file,
database, or in JVM’s memory)
 Each request includes a token identifying the browsers
session (tokens can be passed via cookies, hidden
variables, URL rewriting).
 At each request, the executing servlet uses the token to
fetch session state
 Careful: Browser back button problem. The page the
user is viewing may not reflect state stored at the
server.
41
HttpSession
 One instance for each active session
 Accessing/creating a session
HttpSession session = request.getSession();
 Session attributes
Object o = session.getAttribute("name");
session.setAttribute("name",o);
42
Session Duration
•
Default: expire a session if idle (no http requests) for 30 minutes
•
Changing session timeout
– Delete all session related attributes from server
– Does not remove cookie from client
– Configuration file (web.xml)
<session-config>
<session-timeout>30</session-timeout>
</session-config>
– Run-time
•
• session.getMaxInactiveInterval()
• session.setMaxInactiveInterval()
Terminating a session
– session.invalidate()
– Deletes session related attributes form server
– Removes cookie from client
43
Session Example
44
Other Issues
•
Multithreading
– HttpSession is not thread safe
– Use proper synchronization to prevent concurrent property modifications
•
Persistent sessions
– Tomcat has support for persistent sessions
• Survive server restart
– Saves session data to a file
– Serializes properties
• Property values need to be serializable
•
Session event listeners
– Possible to create servlets that execute when a session times out
– Can be use to garbage collect resources outside of the JVM
45
ServletContext
 Interface defines a servlet’s view of the web application within
which the servlet is running.
 Container Provider is responsible for providing an implementation
of the ServletContext interface in the servlet container.
 Using the ServletContext object, a servlet can
 log events
 obtain URL references to resources
 set attributes that other servlets in the context can access.
46
ServletContext Continued
• One instance of ServletContext per web application per
container
ServletContext context = getServletContext();
• Provides access to Initialization Parameters
 Defined in the deployment descriptor
 A file called web.xml in the WEB-INF subdirectory
of the app directory
 Methods:
getInitParameter(),
47
getInitParameterNames()
ServletContext Attributes
 Context level shared objects. Can be bound into the context
and accessed by any servlet that is part of the application.
 Methods:
setAttribute()
getAttribute()
getAttributeNames()
removeAttributes()
 More than 1 thread may be accessing a shared object.
 Application developer responsible for synchronizing access to
shared objects
48
ServletContext Resources
 Gives servlet access to local documents associated with the
application. (i.e. static web pages, images)
 Access to server logs
 Methods:
getResource()
getResourceAsStream()
getResourcePaths()
log(“Error! File does not exist”);
49
ServletContextExample
50
JSP
• Servlets disadvantage
–A little java in a whole lot of HTML
• Java Server Pages
–Java embedded in HTML
• Deployed in textual form (as opposed to byte code)
• Translated to into a servlet on the fly
$CATALINA_HOME/webapps/ece1779/hello.jsp
$CATALINA_HOME/work/Catalina/localhost/ece1779/org/apache/jsp/hello_jsp.java
51
JSP Life Cycle
52
JSP
•
•
•
•
Expressions
<%= object.function() %>
Java expression that evaluates into a String
Translated into out.print() statement
Scriplets
<%
java.util.Date currentTime = new java.util.Date;
String strDate = currentTime.toString();
%>
One or more Java statements
Left in place
Directives
<%@ page import=“java.util.Date, java.text.SimpleDateFormat” %>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="s" uri="/struts-tags" %>
Tags
<s:iterator value="posts" status="itStatus“>
<s:form action="AddPost“>
<s:textfield name="username" label="Your name"/>
Movieplex Example
Design
Content
All data stored in Movieplex.java
- Array of movies
- Array of theatres
- Array of showtimes
Initialization
Initialization.java
- Servlet that creates Movieplex object and stores in ServletContent
Regular operation
ListTheaters.jsp
- Retrieves movie data from servlet context
- Renders HTML page with list of all available theatres
ShowTheater.jsp
- Takes theaterid as parameter
- Renders HTML listing all the movies currently shown at a theatre
Data Structures
public class Movie {
public int id;
public String name;
public String rating;
public String starring;
public String director;
public String synopsis;
public String poster;
public String url;
}
public class Theater {
public int id;
public String name;
public String address;
public String phone;
}
public class Showtime {
public int id;
public int theaterid, movieid;
public int year, month, day;
public int hour, minute;
public float price;
}
// date
// time of day
Data Structures
public class Movieplex {
public Theater [] theaters;
public Movie [] movies;
public Showtime [] showtimes;
public Movieplex() {
Theater [] t = { new Theater(1,"Canada Square","2190 Yonge Street, Toronto, ON, M4S2C6", "416-6460444"),
new Theater(2,"SilverCity","2300 Yonge Street, Toronto, ON, M4P1E4","4165441236") };
this.theaters = t;
Movie [] m = { new Movie(1,"Casino Royale", "PG-13","Daniel Craig, Judi Dench, Mads Mikkelsen, Eva
Green, Jeffrey Wright", ......),
new Movie(2,"Babel", "R", "Brad Pitt, Cate Blanchett, Gael Garcia Bernal, Elle
Fanning, Koji Yakusho", ... ) };
this.movies = m;
Showtime [] s = { new Showtime(1,1,1,2007,3,23,18,0,8),
new Showtime(2,1,1,2007,3,18,20,0,8) };
this.showtimes = s;
}
Three Tier Architecture
58
RDBMS
• Relational Database Management Systems
• A way of saving and accessing data on persistent (disk)
storage.
59
Why Use an RDBMS
• Data Safety
– data is immune to program crashes
• Concurrent Access
– atomic updates via transactions
• Fault Tolerance
– replicated dbs for instant fail-over on machine/disk crashes
• Data Integrity
– aids to keep data meaningful
• Scalability
– can handle small/large quantities of data in a uniform manner
• Reporting
– easy to write SQL programs to generate arbitrary reports
60
RDBMS Technology
• Client/Server Databases
– Oracle, Sybase, MySQL, SQLServer
• Personal Databases
– Access
• Embedded Databases
– Pointbase
61
Client/Server Databases
client
client
client processes
tcp/ip connections
Server
disk i/o
server process
62
Inside the Client Process
client
application
code
db library
API
tcp/ip
connection
to server
63
JDBC
 JDBC (Java DataBase Connectivity)
 Standard SQL database access interface.
 Allows a Java program to issue SQL statements and
process the results.
 DB independent. Can replace underlying database with
minimal code impact.
 Defines classes to represent constructs such as database
connections, SQL statements, result sets, and database
metadata.
64
A JDBC Application
65
JDBC Pieces
 Java client: code implementing the application
 JDBC API. Provides DB independent abstraction to
 establish a connection with a database
 send SQL statements
 process the results
 JDBC Driver
 Translates API calls to requests made against the specific database.
 Specific driver for the each database.
 Installed on the client. Usually a set of class files placed in the class
path.
 e.g., mysql-connector-java-5.1.7-bin.jar
 All large databases are now supported.
 Database server:
 The actual database engine
 Pointbase, Oracle, MSAccess, SQL Server, Postgresql etc.
66
JDBC
• Package java.sql
java.sun.com/products/jdk/1.2/docs/api/java/sql/package-summary.html
• Classes and interfaces
– DriverManager
getConnection()
– Connection
Transactions
commit(), rollback(), setAutoCommit()
SQL statements
createStatement(), prepateStatement()
– Statement
executeQuery(), executeUpdate()
– ResultSet
Scrolling over tuples
next(), previous(), first(), last(), isLast()
Values of attributes
getString(int index), getTime(String name)
– PreparedStatement
executeQuery(), executeUpdate()
setInt (int index, int x)
67
API: Establish Connection
1 Class.forName(com.mysql.jdbc.Driver)
make the driver class available
2 String url = “jdbc:mysql://sysnet.cs.toronto.edu/databasename";
This is the connect string. The connect string, mentions the driver as
well as the database. For the example above, the driver is the
jdbc:pointbase:embedded bridge driver. The database is sample.
3 Connection con=DriverManager.getConnection(url, uID, pw);
Get a connection (session) with a specific database. Within the context
of a Connection, SQL statements are executed and results are returned.
A Connection can be used to obtain information about the DB
By default a Connection automatically commits changes after each
statement.
Typically, setting up a connection is an expensive operation.
68
API: Executing Queries
 A query can return many rows, each with many attributes
 Steps are
1 Send query to the database
2 Retrieve one row at a time
3 For each row, retrieve attributes
69
Trivial Example
70
API: Updates
Int rowsAffected=
stmt.executeUpdate(
"DELETE * FROM ACCOUNTS;");
Executes a SQL INSERT, UPDATE or DELETE statement.
Returns the number of rows affected.
71
API: Prepared Statements
 Is a parameterized SQL statement.
 Used to speedup query parsing (statement does not need to be reparsed)
 Used to simplify development (clumsy strings do not have to be created and
recreated for each update).
Example:
String insert="INSERT INTO ACCOUNT(NAME,AMOUNT)VALUES(?,?);";
PreparedStatement ps =con.prepareStatement(insert);
ps.setString(1,"Charlie"); // Fill in the first ?
ps.setDouble(2,23.45); // Fill in the second ?
rowsEffected=ps.executeUpdate();
ps.setInt(1,"Arnold"); // Fill in the first ?
ps.setInt(2,102.23); // Fill in the second ?
rowsEffected=ps.executeUpdate();
72
Scope of DB Connections
1.
Request: Open/close connection on each action
invocation
2.
Session: Keep 1 open connection associated with the
session: HttpSession.getParameter(“dbCon”)
3.
Web App: Keep 1 open connection for the web
application and re-use it
73
Connection Pooling
• The Solution:
– Maintain a pool of open connections that time themselves out
• The SharedPoolDataSource allocates a new Connection object
– It wraps it in a PoolingConnection object that delegates calls to its
enclosed Connection object and returns it to the client.
– It sets a timeout that will reclaim the Connection for a pool of free
connections
• If client accesses PoolingConnection after timeout, PoolingConnection
will request a fresh connection from the pool.
• Client returns Connection to the pool when done with it.
– SharedPoolDataSource does not close the Connection, rather saves it for
the next request
• Client may block awaiting a freed connection if some maximum upper limit of
open connections is reached.
74
Connection Pooling
–
Init method of main webapp servlet:
// Create a data source
DriverAdapterCPDS ds = new DriverAdapterCPDS();
ds.setDriver("com.mysql.jdbc.Driver");
ds.setUrl("jdbc:mysql://servername/databasename");
ds.setUser("public");
ds.setPassword("public");
// Create a connection pool
SharedPoolDataSource dbcp = new SharedPoolDataSource();
dbcp.setConnectionPoolDataSource(ds);
//Add to webapp context
getServletContext().setAttribute(“dbConPool”,dbcp);
75
Connection Pooling
–
Each servlet doGet() or doPost() calls:
SharedPoolDataSource dbcp = getServletContext().getAttribute(“dbConPool”);
Connection con = dbcp.getConnection();
…
Statement s = con.createStatement();
…
con.close();
76
Indirection and Capabilities
Capability: enforces access control by
providing a handle to a resource.
Servlet
connection x
connection
Cannot revoke capability
Poolingconnection
Servlet
dbonnection y
private connection x
connection
onTimeOut: x = null
Indirection enables revoking capability
77
SQLGateway
78
Atomic Transactions
• ATM banking example:
– Concurrent deposit/withdrawal operation
– Need to protect shared account balance
• What about transferring funds between accounts?
– Withdraw funds from account A
– Deposit funds into account B
79
Properties of funds transfer
• Should appear as a single operation
– Another process reading the account balances should
see either both updates, or none
• Either both operations complete, or neither does
– Need to recover from crashes that leave transaction
partially complete
80
Transactions
• Definition: A transaction is a collection of DB modifications, which is
treated as an atomic DB operation.
– Transactions ensure that a collection of updates leaves the database in a
consistent state (as defined by the application program); all updates take
place or none do.
– A sequence of read and write operations, terminated by a commit or abort
• Definition: Committed
– A transaction that has completed successfully; once committed, a transaction
cannot be undone
• Definition: Aborted
– A transaction that did not complete normally
• JDBC: By default the Connection automatically commits changes after
executing each statement. If auto commit has been disabled, the method
commit must be called explicitly; otherwise, database changes will not be
saved.
81
API: Transactions
Example:
// Change to transactional mode
con.setAutoCommit(false);
// Transaction A begins here
stmt.executeUpdate("DELETE * FROM ACCOUNT...;");//
stmt.executeUpdate("INSERT INTO ACCOUNT ...."); //
stmt.executeUpdate("INSERT INTO ACCOUNT ...."); //
stmt.executeUpdate("INSERT INTO ACCOUNT ...."); //
con.commit();
// Commit changes to database
1
2
3
4
// All of 1,2,3,4 take effect
82
API: Transactions
Example:
// Transaction B begins here
stmt.executeUpdate("DELETE * FROM SALES...;"); // 5
stmt.executeUpdate("INSERT INTO SALES ...."); // 6
stmt.executeUpdate("INSERT INTO SALES ...."); // 7
stmt.executeUpdate("INSERT INTO SALES ...."); // 8
con.rollback();
// Rollback to before transaction B began
// None of 5,6,7,8 effects the DB
83
Example
• Movie database
showtimeid
1
2
movieid
1
1
showtimes
theatherid
sdate
1
20/03/2005
1
20/03/2005
orderid
1
orders
userid
1
stime
20:00:00
22:00:00
available
90
90
showtimeid
1
• Add an order and decrement # of available spaces
84