SE 452 Fall 2001/2002
Lecture Notes Set 4
HTTP Request
- Sent by browser to server to request information
GET /SE452/index.html HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/4.72 [en]
Host: se.cs.depaul.edu
Accept: image/gif, image/jpg, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Reading the HTTP request
- In the ServletRequest object
- int getContentLength() - length of the request body in bytes, or -1 if not known
- String getContentType() - the MIME type of the request body
- String getProtocol() - the name and version of the protocol
that the client is using (protocol/majorVersion.minorVersion)
- String getRemoteAddr() - IP address of the client (strictly, of the TCP peer: behind
a proxy or load balancer this is the proxy's address, not the browser's)
- String getRemoteHost() - fully qualified host name of the client, or its IP address
if the container does not resolve names
- String getScheme() - name of the scheme (protocol) used to make request
(eg http, https, ftp)
- boolean isSecure() - whether this request was made using a secure channel
such as https
- In the HttpServletRequest object
- String getAuthType() - name of the authentication scheme used, eg BASIC, FORM,
CLIENT_CERT or DIGEST, or null if the request was not authenticated
- String getContextPath() - portion of the request URI that indicates the
context of the request
- String getMethod() - name of the HTTP method eg GET, POST, PUT
- String getPathInfo() - any extra path info between the servlet path and the query
string in the URL the client sent, or null if there is none
- String getPathTranslated() - the same extra path info translated to a real file
system path, or null if there is none
- String getQueryString() - the query string that follows the path in the request
URI, or null if there is none. A query string can accompany any method, not only GET.
- String getRemoteUser() - the login of the user making the request if the user
has been authenticated or null if they have not been authenticated
- String getRequestURI() - part of the request URL from the protocol name up to the
query string in the first line of the HTTP request
- String getServletPath() - part of the request URL that calls the servlet
- This is all information about the request itself.
Request Info Servlet
- A servlet to demonstrate how to get information from the request
- The HTML
- The servlet
Common Request Headers
- Information sent along with the data from the client to the server
- User-Agent
- Identifies the browser type and version
- Host
- Indicates the host given in the request URL
- Required in HTTP 1.1
- Accept
- Indicates MIME types browser can handle
- Accept-Encoding
- Indicates encodings the browser can handle
- Connection
- keep-alive: browser can handle persistent connection
- Authorization
- User identification for password protected pages
- Cookie
- cookies previously sent to the client by the same server
- If-Modified-Since
- send the page only if it has been changed after the specified date
- Referer
- URL of the referring web page
Request Headers API
- Used to manipulate the headers
- String getHeader(String name)
- returns the value of the specified request header as a String
- Enumeration getHeaderNames()
- returns an enumeration of all of the header names in this request
- Enumeration getHeaders(String name)
- returns all the values of the specified request header as an Enumeration
of String objects (needed because a header may appear more than once)
Request Header Servlet
- A servlet to demonstrate how to get information from the request headers
- The servlet
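The Request Info Servlet and the Request Header Servlet are not reproduced in these notes. The following is an added example, not the course's own code, that does both jobs in one servlet: it echoes the request-line and connection properties from the ServletRequest/HttpServletRequest API and then every request header, using getHeaders() so repeated headers are not lost. The class name is an assumption, as is its URL mapping; it needs the javax.servlet API (Servlet 2.3 or later). Two points a practitioner should notice: header and path values are attacker-controlled text and are HTML-escaped before being echoed, and headers that carry credentials (Authorization, Cookie) are never written into the page.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not from the lecture notes): echoes request info and headers. */
public class RequestInfoServlet extends HttpServlet {

    // Headers that carry credentials: never echo their values into a page.
    private static final Set<String> SENSITIVE = new HashSet<String>(
            Arrays.asList("authorization", "proxy-authorization", "cookie"));

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();

        out.println("<html><head><title>Request Info</title></head><body>");
        out.println("<h2>Request line and connection</h2><table border=\"1\">");
        row(out, "Method", request.getMethod());
        row(out, "Protocol", request.getProtocol());
        row(out, "Scheme", request.getScheme());
        row(out, "Secure (https)", String.valueOf(request.isSecure()));
        row(out, "Request URI", request.getRequestURI());
        row(out, "Context path", request.getContextPath());
        row(out, "Servlet path", request.getServletPath());
        row(out, "Path info", request.getPathInfo());
        row(out, "Query string", request.getQueryString());
        row(out, "Content type", request.getContentType());
        row(out, "Content length", String.valueOf(request.getContentLength()));
        // getRemoteAddr() is the TCP peer. Behind a proxy that is the proxy's
        // address, and any X-Forwarded-For header is client-supplied text.
        row(out, "Remote address", request.getRemoteAddr());
        row(out, "Remote host", request.getRemoteHost());
        row(out, "Auth type", request.getAuthType());
        row(out, "Remote user", request.getRemoteUser());
        out.println("</table>");

        out.println("<h2>Request headers</h2><table border=\"1\">");
        Enumeration<?> names = request.getHeaderNames(); // may be null in some containers
        while (names != null && names.hasMoreElements()) {
            String name = (String) names.nextElement();
            if (SENSITIVE.contains(name.toLowerCase())) {
                row(out, name, "(redacted)");
                continue;
            }
            // getHeader() returns only the first value; getHeaders() returns all of them.
            Enumeration<?> values = request.getHeaders(name);
            while (values.hasMoreElements()) {
                row(out, name, (String) values.nextElement());
            }
        }
        out.println("</table></body></html>");
    }

    private static void row(PrintWriter out, String name, String value) {
        out.println("<tr><td>" + escape(name) + "</td><td>"
                + escape(value == null ? "(null)" : value) + "</td></tr>");
    }

    /** Request data is untrusted; escape it before putting it into HTML. */
    private static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Deploy it under any path (for example /info) and request it with a browser or with a hand-written request that repeats a header, such as two Accept-Language lines; both values appear, which getHeader() alone would not show.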
Compressed Contents Servlet
- A servlet to demonstrate how to send information to the user in compressed format
- Check the Accept-Encoding request header first; tell the client that it is getting
compressed data by setting the Content-Encoding response header before any output is
written; then send the data through a compression stream in the IO hierarchy.
- The HTML
- The servlet
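The Compressed Contents Servlet itself is not in the notes. Below is an added example, not the course's own code, of the procedure just described: it parses Accept-Encoding (including the ";q=0" form that refuses gzip), sets Content-Encoding and Vary before the body is written, and wraps the response's OutputStream in java.util.zip.GZIPOutputStream. The class name and the generated sample text are assumptions; it needs the javax.servlet API.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.util.Enumeration;
import java.util.zip.GZIPOutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not from the lecture notes): gzip the response when the client allows it. */
public class CompressedContentServlet extends HttpServlet {

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        boolean gzip = clientAcceptsGzip(request);

        // All headers must be set before anything is written to the body.
        response.setContentType("text/html; charset=UTF-8");
        // The representation depends on Accept-Encoding; without Vary a shared
        // cache could hand the gzip bytes to a client that cannot decode them.
        response.setHeader("Vary", "Accept-Encoding");

        OutputStream raw = response.getOutputStream();
        OutputStream body = raw;
        if (gzip) {
            response.setHeader("Content-Encoding", "gzip");
            // Do not set Content-Length here: the compressed size is not known yet.
            body = new GZIPOutputStream(raw);
        }

        Writer out = new OutputStreamWriter(body, "UTF-8");
        out.write("<html><body><h1>Compressed content</h1><pre>\n");
        for (int i = 0; i < 2000; i++) {            // constructed sample text
            out.write("Line " + i + ": the quick brown fox jumps over the lazy dog\n");
        }
        out.write("</pre></body></html>\n");
        // Closing the writer closes the GZIPOutputStream, which writes the gzip
        // trailer (finish) before closing the underlying servlet stream.
        out.close();
    }

    /**
     * True if some Accept-Encoding value lists gzip with a non-zero q weight.
     * The header may be repeated, and each value is a comma-separated list of
     * tokens such as "gzip", "gzip;q=0.8" or "gzip;q=0" (the last refuses gzip).
     */
    static boolean clientAcceptsGzip(HttpServletRequest request) {
        Enumeration<?> values = request.getHeaders("Accept-Encoding");
        if (values == null) return false;
        while (values.hasMoreElements()) {
            String header = (String) values.nextElement();
            for (String token : header.split(",")) {
                String[] parts = token.trim().split(";");
                String coding = parts[0].trim().toLowerCase();
                if (!coding.equals("gzip") && !coding.equals("x-gzip")) continue;
                double q = 1.0;
                for (int i = 1; i < parts.length; i++) {
                    String p = parts[i].trim().toLowerCase();
                    if (p.startsWith("q=")) {
                        try {
                            q = Double.parseDouble(p.substring(2).trim());
                        } catch (NumberFormatException e) {
                            q = 0; // malformed weight: do not gamble on compression
                        }
                    }
                }
                if (q > 0) return true;
            }
        }
        return false;
    }
}
```

A caveat before compressing everything by default: a response that mixes a secret (a session token, a CSRF token) with text the requester controls leaks the secret through the compressed length when sent over TLS (the BREACH class of attacks), so pages of that kind should be left uncompressed or the secret masked per response.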
Common Response Headers
- Used to relay information back to the client to tell it what it is getting back
- Content-Encoding - how the document is encoded
- Content-Length - number of bytes in the document
- Content-Type - MIME type of the document (different from Content-Encoding)
- Expires - time when document should be considered out of date and no
longer cached by the browser
- Last-Modified - time the document was last modified
- Location - URL to which the browser should reconnect
- Refresh - number of seconds until the browser should reload the page. Can
also include URL to connect to.
Response Status Codes
- Used to give client info on what happened with the request
- Code ranges:
- 1xx: informational
- 2xx: success
- 3xx: redirection
- 4xx: client error
- 5xx: server error
- Setting the status code allows you to:
- forward client to another URL
- indicate a missing resource
- instruct browser to use a cached copy
- Common Status Codes:
- 200 (OK)
- Everything is OK, document follows
- Default for servlets
- 204 (No Content)
- Browser should keep displaying previous document
- 301 (Moved Permanently)
- Requested document premanently moved elsewhere (indicated in Location
header)
- Browser should go to new location automatically
- 302 (Found)
- Requested document temporarily moved elsewhere (indicated in Location
header); HTTP 1.0 called this status Moved Temporarily
- Browser should go to new location automatically
- 304 (Not Modified)
- Sent in reply to a request carrying If-Modified-Since when the requested document
has not changed since that date; no body is sent and the browser uses its cached copy
- 401 (Unauthorized)
- Browser tried to access a password-protected page without a valid Authorization
header; the response carries a WWW-Authenticate header describing the challenge
- 404 (Not Found)
- No resource exists at the requested URI
HttpServletResponse API
- You should set all response headers and status before writing the document to the output
- public void setContentLength(int len)
- Sets the Content-Length header
- public void setContentType(String type)
- Sets the Content-Type header
- public void setStatus(int statusCode)
- Sets the status code for the response
- Used when there is no error (eg SC_OK or SC_MOVED_TEMPORARILY); for error codes use sendError()
- public void sendError(int statusCode) or public void sendError(int statusCode,
String message)
- Sends an error response to the client using the specified status code and an
optional descriptive message
- Wraps the message inside a small HTML document
- public void sendRedirect(String location)
- Sends a temporary redirect to the client using the specified URL
- URL may be a relative URL; the container converts it to an absolute URL before
sending. Never build it from unvalidated request data, or the servlet becomes an
open redirect.
- public boolean containsHeader(String name)
- Tells you if a response header has already been set
- public void setHeader(String name, String value)
- Sets a response header with the given name and value
- Overwrites previous values
- public void addHeader(String name, String value)
- Adds a response header with given name and value
- Does not overwrite previous value but adds another
- public void setDateHeader(String name, long date) and
public void setIntHeader(String name, int value)
- Sets a response header with the given name and date or integer value
- public void addDateHeader(String name, long date) and
public void addIntHeader(String name, int value)
- Adds a response header with the given name and date or integer value
Conditional Gets
- When the request header If-Modified-Since is present in the request it is called
a conditional get.
- Advantage: reduce network traffic and server load
- Steps:
- User requests a page that is cached in the browser
- Browser sends a conditional get to server
- Server checks the page modification date against the date sent from the browser
- If page has changed after date sent, page is sent
- If page has not changed, a 304 (Not Modified) response is sent
- Using conditional gets in servlets
- Two methods:
- Explicitly set the Last-Modified header and compare If-Modified-Since yourself
in doGet() (here lastModifiedTime() stands for whatever returns the document's real
modification time in milliseconds):
long t = lastModifiedTime();
response.setDateHeader("Last-Modified", t);
- Override getLastModified() in HttpServlet; service() then compares its result with
If-Modified-Since, answers 304 itself and adds the Last-Modified header for you:
protected long getLastModified(HttpServletRequest request) {
// must be a real, stable timestamp: returning System.currentTimeMillis() would
// mark the page as changed on every request and defeat the cache
return lastModifiedTime();
}
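The two methods above, carried through in one servlet as an added example (not code from the notes). The backing file path and the class name are assumptions; it needs the javax.servlet API. It shows the two details that usually go wrong in practice: HTTP dates have one-second resolution, so the timestamp is truncated before it is sent or compared, and getDateHeader() throws IllegalArgumentException on a malformed If-Modified-Since, so a garbage header from any client would otherwise turn into a 500.

```java
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not from the lecture notes): conditional GET both ways. */
public class ConditionalGetServlet extends HttpServlet {

    // Hypothetical backing file; its mtime is the document's modification time.
    private static final String SOURCE = "/var/www/se452/index.html";

    /**
     * Method 2: HttpServlet.service() calls this on every GET. If the client's
     * If-Modified-Since is not older than this value, service() answers 304
     * without calling doGet(); otherwise it sets Last-Modified and calls doGet().
     * Returns -1 when the time is unknown, which disables the check.
     */
    protected long getLastModified(HttpServletRequest request) {
        long mtime = new File(SOURCE).lastModified(); // 0 if the file is missing
        if (mtime <= 0) return -1;
        return (mtime / 1000) * 1000; // truncate to whole seconds, like the HTTP date
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Method 1: do the comparison by hand. With getLastModified() overridden
        // above this branch is never taken (service() already answered 304); it is
        // what a servlet that does not override getLastModified() has to do itself.
        long lastModified = getLastModified(request);
        if (lastModified > 0 && notModified(request, lastModified)) {
            response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
            return; // a 304 carries no body
        }
        if (lastModified > 0) {
            response.setDateHeader("Last-Modified", lastModified);
        }
        response.setContentType("text/html; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><body><p>Full document sent.</p></body></html>");
    }

    /** True when the client's copy is at least as new as ours. */
    static boolean notModified(HttpServletRequest request, long lastModified) {
        long since;
        try {
            since = request.getDateHeader("If-Modified-Since"); // -1 if absent
        } catch (IllegalArgumentException e) {
            return false; // unparseable date: treat the request as unconditional
        }
        return since != -1 && since >= lastModified;
    }
}
```

To exercise it, request the page once, then repeat the request with the returned Last-Modified value in an If-Modified-Since header: the second response is a bodiless 304. Sending If-Modified-Since: not-a-date must still yield the full 200 page, not an error.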
Authentication
- Mechanism used by communicating entities to prove identity
- Client can authenticate with web server using
- HTTP Basic Authentication - all browsers
- HTTP Digest Authentication - at the time of these notes supported only by IE; all
current browsers support it
- HTTPS Client Authentication - digital certificates
- Form Based Authentication - login form written by the application, credentials
checked by the container
- HTTP Basic Authentication (Challenge/Response authentication)
- Based on username and password
- Server send authentication request to browser (Challenge)
- Browser get username and password (Credentials)
from user and sends them to server (Response)
- Server authenticates user in the specified realm using the credentials
- Not a secure authentication protocol
- User password is transmitted with a simple base64 encoding, which is
trivially reversed: base64 is an encoding, not encryption, so Basic must only
be used over HTTPS
- Credentials are resent with every request to the realm, and there is no logout
- Server is never authenticated
- Steps:
- Client attempts to access a protected realm
- Server responds with a challenge:
- Status code 401
- Response header: WWW-Authenticate: Basic realm="name"
- Client responds with a request header that includes the credentials:
- Authorization: Basic <base64 encoding of userid:password>
- The decoded credentials have the form userid:password, split at the first colon
(the user id may not contain a colon, the password may)
Authentication Servlet
- A servlet to demonstrate how to do simple authentication
- The servlet
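The Authentication Servlet is not reproduced in the notes. Below is an added example, not the course's own code, of the challenge/response exchange just listed: it sends the 401 with WWW-Authenticate when no usable Authorization header is present, parses the Basic header defensively (scheme name compared case-insensitively, invalid base64 rejected, credentials split at the first colon only), and compares the credentials in constant time. The realm name, the single hard-coded account and the class name are assumptions; it needs the javax.servlet API and Java 8 or later for java.util.Base64.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (not from the lecture notes): HTTP Basic authentication by hand. */
public class BasicAuthServlet extends HttpServlet {

    private static final String REALM = "SE452";         // assumed realm name
    private static final String USER = "student";        // hypothetical account;
    private static final String PASSWORD = "letmein";    // a real servlet looks these up

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Basic sends the password in clear (base64 is not encryption), so do
        // not even issue the challenge over plain http.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        String[] creds = parseBasicCredentials(request.getHeader("Authorization"));
        if (creds == null || !validCredentials(creds[0], creds[1])) {
            challenge(response);
            return;
        }
        // text/plain so the echoed user id cannot be interpreted as markup
        response.setContentType("text/plain; charset=UTF-8");
        response.getWriter().println("Welcome, " + creds[0]);
    }

    /** Step 2 of the exchange: 401 plus the WWW-Authenticate challenge. */
    private static void challenge(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Step 3, server side: returns {userid, password} from an
     * "Authorization: Basic <base64>" header, or null if absent or malformed.
     */
    static String[] parseBasicCredentials(String header) {
        if (header == null || header.length() < 6) return null;
        // The scheme token is case-insensitive: "basic " is as valid as "Basic ".
        if (!header.substring(0, 6).equalsIgnoreCase("Basic ")) return null;
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(header.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        // Split at the FIRST colon only: the password itself may contain colons.
        int colon = pair.indexOf(':');
        if (colon < 0) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    /**
     * Constant-time comparison so that response timing does not reveal how many
     * leading characters were right. (The overall length is still revealed.)
     */
    static boolean validCredentials(String user, String password) {
        byte[] given = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        byte[] expected = (USER + ":" + PASSWORD).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(given, expected);
    }
}
```

With the hypothetical account above, the client's header would be Authorization: Basic c3R1ZGVudDpsZXRtZWlu, the base64 of student:letmein; a request without the header, or with a header whose base64 decodes to no colon at all, gets the 401 challenge rather than an exception.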
Patterns for building web apps
- Page Builder Pattern
- Enforce a consistent style
- Simplify page construction
- Related GoF patterns: Template Method, Builder
- Form Handler Pattern
- Uniform way to validate and process posted form data