SE 452 Fall 2001/2002

Lecture Notes Set 4

• Sent by browser to server to request information GET /SE452/index.html HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/4.72 [en] Host: se.cs.depaul.edu Accept: image/gif, image/jpg, */* Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8

• In the ServletRequest object
  • int getContentLength() - length of the request body in bytes
  • String getContentType() - the MIME type of the request body
  • String getProtocol() - the name and version of the protocol that the client is using (protocol/majorVersion.minorVersion)
  • String getRemoteAddr() - IP address of the client
  • String getRemoteHost() - fully qualified host name of client
  • String getScheme() - name of the scheme (protocol) used to make request (eg http, https, ftp)
  • boolean isSecure() - whether this request was made using a secure channel such as https
• In the HttpServletRequest object
  • String getAuthType() - name of the authentication scheme used eg BASIC, SSL or null
  • String getContextPath() - portion of the request URI that indicates the context of the request
  • String getMethod() - name of the HTTP method eg GET, POST, PUT
  • String getPathInfo() - any extra path info associated with the URL the client sent
  • String getPathTranslated() - any extra path info after the name but before the query string and translates it to a real path
  • String getQueryString() - the query string that is appended to the URI after the path. Only for GET requests.
  • String getRemoteUser() - the login of the user making the request if the user has been authenticated or null if they have not been authenticated
  • String getRequestURI() - part of the request URL from the protocol name up to the query string in the first line of the HTTP request
  • String getServletPath() - part of the request URL that calls the servlet
• This is all information about the request itself.

• A servlet to demonstrate how to get infomation from the request
• The HTML
  • Example
  • Source
• The servlet
  • Source

• Information sent along with the data from the client to the server
• User-Agent
  • Identifies the browser type and version
• Host
  • Indicates the host given in the request URL
  • Required in HTTP 1.1
• Accept
  • Indicates MIME types browser can handle
• Accept-Encoding
  • Indicates encodings the browser can handle
• Connection
  • keep-alive: browser can handle persistent connection
• Authorization
  • User identification for password protected pages
• Cookie
  • cookies previously sent to the client by the same server
• If-Modified-Since
  • send the page only if it has been changed after the specified date
• Referer
  • URL of the referring web page

• Used to manipulate the headers
• String getHeader(String name)
  • returns the value of the specified request header as a String
• Enumeration getHeaderNames()
  • returns an enumeration of all of the header names in this request
• Enumeration getHeaders(String name)
  • returns all the values of the specified request header as an Enumeraion of String objects

• A servlet to demonstrate how to get infomation from the request headers
• The servlet
  • Example
  • Source

• A servlet to demonstrate how to send information to the user in compressed format
• You use a compression stream in the IO hierarchy to send the data and then tell the client that they are getting compressed data.
• The HTML
  • Example
  • Source
• The servlet
  • Source

• Used to relay information back to the client to tell it what it is getting back
  • Content-Encoding - how the document is encoded
  • Content-Length - number of bytes in the document
  • Content-Type - MIME type of the document (different from Content-Encoding)
  • Expires - time when document should be considered out of date and no longer cached by the browser
  • Last-Modified - time the document was last modified
  • Location - URL to which the browser should reconnect
  • Refresh - number of seconds until the browser should reload the page. Can also include URL to connect to.

• Used to give client info on what happened with the request
• Code ranges:
  • 1xx: informational
  • 2xx: success
  • 3xx: redirection
  • 4xx: client error
  • 5xx: server erro
• Setting the status code allows you to:
  • forward client to another URL
  • indicate a missing resource
  • instruct browser to use a cached copy
• Common Status Codes:
  • 200 (OK)
    • Everything is OK, document follows
    • Default for servlets
  • 204 (No Content)
    • Browser should keep displaying previous document
  • 301 (Moved Permanently)
    • Requested document premanently moved elsewhere (indicated in Location header)
    • Browser should go to new location automatically
  • 302 (Found)
    • Requested document temporarily moved elsewhere (indicated in Location header)
    • Browser should go to new location automatically
  • 304 (Not Modified)
    • When the request header If-Modified-Since is present, the reqeusted document was available and not modified
  • 401 (Unauthorized)
    • Browser tried to access password-protected page without proper Authorization header
  • 404 (Not Found)
    • No such page

• You should set all response headers and status before writing the document to the output
• public void setContentLength(int len)
  • Sets the Content-Length header
• public void setContentType(String type)
  • Sets the Content-Type header
• public void setStatus(int statusCode)
  • Sets the status code for the response
  • Used when there is no error (ie SC_OK or SC_MOVED_TEMPORARILY)
• public void sendError(int statusCode) or public void sendError(int statusCode, String message)
  • Sends an error response to the client using the specified status code and an optional descriptive message
  • Wraps the message insde a small HTML document
• public void sendRedirect(String location)
  • Sends a temporary redirect to the client using the specified URL
  • URL may be a relative URL
• public boolean containsHeader(String name)
  • Tells you is response header has already been set
• public void setHeader(String name, String value)
  • Sets a response header with the given name and value
  • Overwrites previous values
• public void addHeader(String name, String value)
  • Adds a response header with given name and value
  • Does not overwrite previous value buy adds another
• public void setDateHeader(String name, long date) and public void setIntHeader(String name, int value)
  • Sets a response header with the given name and date or integer value
• public void addDateHeader(String name, long date) and public void addIntHeader(String name, int value)
  • Adds a response header with the given name and date or integer value

• When the reqeust header If-Modified-Since is present in the request it is called a conditional get.
• Advantage: reduce network traffic and server load
• Steps:
  • User request a page that is cached in the browser
  • Browser sends a conditional get to server
  • Checks page modification date against the date sent from browser
  • If page has changed after date sent, page is sent
  • If page has not changed, a 304 (Not Modified) response is sent
• Using conditional gets in servlets
  • Two methods:
    • Explicitly set Last-Modified header long t = System.currentTimeMilis(); response.setDateHeader("Last-Modified", t);
    • Override getLastModified() method in HttpServlet long getLastModified(HttpServletRequest request){ return System.currentTimeMilis(); }

• Mechanism used by communicating entities to prove identity
• Client can authenticate with web server using
  • HTTP Basic Authentication - all browsers
  • HTTP Digest Authentication - only IE
  • HTTPS Client Authentication - digital certificates
  • Form Based Authentication - written by user
• HTTP Basic Authentication (Challenge/Response authentication)
  • Based on username and password
    • Server send authentication request to browser (Challenge)
    • Browser get username and password (Credentials) from user and sends them to server (Response)
    • Server authenticats user in the specified realm using the credentials
  • Not a secure authentication protocol
    • User password is transmitted with a simple base64 encoding, which is easy to reverse
    • Server is never authenticated
  • Steps:
    • Client attempts to access a protected realm
    • Server responds with a challenge:
      • Status code 401
      • Response header: WWW-Authenticate: Basic realm="name"
    • Client responds with a request header that includes the credentials:
      • Authorization: Basic <base64 encoded user/password>
      • Decoded password has the form userid:password

• A servlet to demonstrate how to do simple authentication
• The servlet
  • Example
  • Source

• Architecture
  • JavaExpoBase - base class for all servlets
  • JavaExpo - the first page a user sees when coming to this web app
  • JavaExpoLogin - page to handle login information
  • JavaExpoLogout - page that handles logging a user out
  • JavaExpoRegister - page that allows user to register for the expo

• Page Builder Pattern
  • Enforce a consistent style
  • Simplify page construction
  • Related GoF patterns: Template Method, Builder
• Form Handler Pattern
  • Uniform way to validate and process posted form data