cooperation between applets and servlets. applets applets runs on the clientsside, the servlet on...
Post on 22-Dec-2015
220 views
TRANSCRIPT
Cooperation between applets and servletsCooperation between applets and servlets
AppletsApplets Applets runs on the clientsside, the servlet on
the server side Suitable for presentations and logic that belongs
on the client, for example:Advanced graphics or animationSpecial GUI controls (eg. WYSIWYG editor)
Problem: how does applets and servlets communicate
ConstraintsConstraints
Applets runs in a sandbox,therefore limitations. Can only contact the network resource from
which the applet originated. The applet can therefore only retreive
information from its ”home”.
Technique 1: control the applet from the server
Technique 1: control the applet from the server
Technique : configurable appletTechnique : configurable applet
<html> <head> <title>Drawing applet examplel</title> </head>
<body> <applet width="300"
height="200" code=”drawing.class"> <param name=”drawing" value="0-255-255-255-0-0; 5-0-0-300-200-0; 0-255-0-0-0-0;
1-18-18-188-288-0; 1-20-10-400-10-0; 5-45-29-22-23-3;frode; 4-200-30-0-0-my name is frode"> </applet> </body></html>
The AppletThe Appletimport java.util.*;import java.awt.*;import java.applet.*;
public class drawing extends Applet { String drawing; public void init() { // retreive drawing parameters from the server drawing = getParameter(”drawing"); } public void paint(Graphics g) { parseTegning(g); }
public void parseDrawing(Graphics g) { // retreive all commands StringTokenizer commands = new StringTokenizer(drawing,";"); while (commands.hasMoreElements()) { try { int op, arg1, arg2, arg3 = 0, arg4 = 0; String arg5 = ""; String fullcommand = commands.nextToken(); // tokenize the command StringTokenizer parts = new StringTokenizer(fullcommand,"-"); op = Integer.parseInt(parts.nextToken()); arg1 = Integer.parseInt(parts.nextToken()); arg2 = Integer.parseInt(parts.nextToken()); arg3 = Integer.parseInt(parts.nextToken()); arg4 = Integer.parseInt(parts.nextToken()); arg5 = parts.nextToken(); draw(g,op,arg1,arg2,arg3,arg4,arg5); } catch (Exception e) { // Syntax errors that occur in command input are ignored in this example } } }
public void draw(Graphics g,int op,int a1, int a2,int a3,int a4,String a5) { switch (op) { case 0: g.setColor(new Color(a1,a2,a3)); break; case 1: g.drawLine(a1,a2,a3,a4); break; case 2: g.drawOval(a1,a2,a3,a4); break; case 3: g.drawRect(a1,a2,a3,a4); break; case 4: g.drawString(a5,a1,a2); break; case 5: g.fillRect(a1,a2,a3,a4); break; case 6: g.fillOval(a1,a2,a3,a4); break; } }
Technique 2: the applet contact the serverTechnique 2: the applet contact the server
Functionality: user clicksAnd the text follows
<html> <head> <title>Drawing applet example</title> </head>
<body> <applet width="300"
height="200" code="dynamicdrawing.class"> <param name=”source" value="/drawing.jsp"> </applet> </body></html>
drawing.jspdrawing.jsp
<% response.setHeader(”drawing", "1-10-10-100-100-0;1-100-10-20-200-0;4-"
+request.getParameter("x")+"-"+request.getParameter("y") +"-0-0-Hi here I am");%>
public void init() { kilde = getParameter(”source"); contactServer(-1,-1); addMouseListener(this); }
public void contactServer(int x,int y) { try { URL server = new URL(getCodeBase().getProtocol(), getCodeBase().getHost(), getCodeBase().getPort(), source+"?x="+x+"&y="+y); URLConnection connection = tjener.openConnection(); connection.setUseCaches(false); drawing = connection.getHeaderField(”drawing"); } catch (Exception e) { } Runtime.getRuntime().gc(); } public void mouseClicked(MouseEvent h) { contactServer(h.getX(),h.getY()); repaint(); }}
Filtering og filtersFiltering og filters
client
ServletJSP-page
filter
filter
filter
filter
request
response
Application areasApplication areas
Catch requests and inspect contect and http-headers
Catch and modify requests before they reach the actual resource (servlet or jsp-page)
Catch responses from resource and inspect content and http-headers
Catch and modify responses from resources
ExamplesExamples
Compression filters Encryption filters Image conversion filters Log and account filters Security and autentication filters XSLT transformation filters
Example 1:Catch and block requests
Example 1:Catch and block requests
package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;public class IEfilter implements Filter { private FilterConfig filterConfig;
public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; } public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse res = (HttpServletResponse)response; String browser = req.getHeader( "User-Agent" ); System.out.println(”Before if check "+browser); if ( nettleser.indexOf("IE") == -1 ) { request.setAttribute("filtercheck", ”Approved by frode's filter"); chain.doFilter(request, response); } svar.sendError(res.SC_FORBIDDEN); } public void init(FilterConfig c) { this.filterConfig = c; } public void destroy() { this.filterConfig = null; } }
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app> <filter> <filter-name>MSblocker</filter-name> <filter-class>filter.IEfilter</filter-class> </filter>
<filter-mapping> <filter-name>MSblocker</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping></web-app>
Example 2:Filter chaining – avoid html injection
Modifying request
Example 2:Filter chaining – avoid html injection
Modifying request
<h1> <hi>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app><filter>
<filter-name>ltFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA[<]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value>&lt;</param-value>
</init-param></filter>
<filter> <filter-name>gtFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA[>]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value><![CDATA[>]]></param-value>
</init-param></filter>
<filter> <filter-name>ampFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA[&]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value><![CDATA[&]]></param-value>
</init-param></filter>
<filter> <filter-name>quotFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA["]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value><![CDATA["]]></param-value>
</init-param></filter>
<filter-mapping> <filter-name>ampFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping> <filter-name>ltFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping> <filter-name>gtFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping> <filter-name>quotFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping></web-app>
The FilterThe Filter
package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;import filter.SensureWrapperConfig;
public class SensureFilterConfig implements Filter { private FilterConfig filterConfig; private String find, replace;
public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }
public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { SensureWrapperConfig req = new SensureWrapperConfig((HttpServletRequest)request, find, replace); chain.doFilter(req,response); } public void init(FilterConfig c) { this.filterConfig = c; find = filterConfig.getInitParameter("find"); replace = filterConfig.getInitParameter(”replace"); } public void destroy() { this.filterConfig = null; } }
We need a wrapperWe need a wrapper
Because a request cannot be modified once it is created – (read only)
package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;
// This class is reading and mofifying the parameter list
public class SensureWrapperConfig extends HttpServletRequestWrapper { private String find, replace; public SensureWrapperConfig(HttpServletRequest req) { super(spørsmål); } public SensureWrapperConfig(HttpServletRequest req, String find, String replace) { super(req); this.find = find; this.replace = replace; } public String getParameter(String param) { String value = super.getParameter(param); value = value.replaceAll(find,replace); return value; } }
Example 3:Modify the response
Example 3:Modify the response
<body><head> <link rel="stylesheet" href="style.css" type="text/css"/> </head> <body>
<web-app><filter>
<filter-name>postFilter</filter-name> <filter-class>filter.BodyFilter</filter-class> <init-param>
<param-name>find</param-name> <param-value><![CDATA[<body>]]></param-value>
</init-param><init-param>
<param-name>replace</param-name> <param-value><![CDATA[ <head> <link rel="stylesheet" href="style.css" type="text/css"/> </head>
<body>]]></param-value>
</init-param></filter>
<filter-mapping> <filter-name>postFilter</filter-name> <url-pattern>*.jsp</url-pattern>
</filter-mapping></web-app>
The FilterThe Filter
import filter.BodyWrapper;
public class BodyFilter implements Filter { private FilterConfig filterConfig; private String find, replace;
public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }
public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { OutputStream out = response.getOutputStream(); KroppsWrapper res = new KroppsWrapper((HttpServletResponse)response); chain.doFilter(request, res); String body = new String(svar.getData()); body = body.replaceAll(find,replace); out.write(body.getBytes()); out.close(); } public void init(FilterConfig c) { this.filterConfig = c; find = filterConfig.getInitParameter("find"); replace = filterConfig.getInitParameter(”replace"); } public void destroy() { this.filterConfig = null; } }
The WrapperThe Wrapper
package filter;import javax.servlet.*;import java.io.*;
public class BodyStream extends ServletOutputStream { private DataOutputStream stream; public BodyStream(OutputStream output) { stream = new DataOutputStream(output); }
public void write(int b) throws IOException { stream.write(b); }
public void write(byte[] b) throws IOException { stream.write(b); }
public void write(byte[] b, int off, int len) throws IOException { stream.write(b, off, len); } }
package filter;
import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import filter.BodyStream;
public class BodyWrapper extends HttpServletResponseWrapper { private ByteArrayOutputStream output; private int contentLength; private String contentType;
private FilterConfig filterConfig; private String find, replace; public KroppsWrapper(HttpServletResponse res) { super(res); output = new ByteArrayOutputStream(); }
public byte[] getData() { return output.toByteArray(); }
public ServletOutputStream getOutputStream() { return new KroppsStream(output); }
Part 1
public void setContentLength(int length) { this.contentLength = length; super.setContentLength(length); }
public int getContentLength() { return contentLength; }
public void setContentType(String type) { this.contentType = type; super.setContentType(type); }
public String getContentType() { return contentType; }
public PrintWriter getWriter() { return new PrintWriter(getOutputStream(), true); } }
Part 2
Have a nice weekend
Have a nice weekend