1
Web Application Development
1
Outline
• Web application architecture • HTTP • CGI • Java Servlets • Apache Tomcat • Session maintenance
2
Architecture
4
HTTP
• Created by Tim Berners-Lee at CERN – Defined 1989-1991
• Standardized and much expanded by the IETF • Rides on top of TCP protocol
– TCP provides: reliable, bi-directional, in-order byte stream • Goal: transfer objects between systems
– Do not confuse with other WWW concepts: • HTTP is not page layout language (that is HTML) • HTTP is not object naming scheme (that is URLs)
• Text-based protocol – Human readable
2
Client-Server Paradigm
Client: ! initiates contact with server
(“speaks first”) ! typically requests service from
server, ! for Web, client is implemented in
browser; for e-mail, in mail reader
Server: ! provides requested service to
client ! e.g., Web server sends requested
Web page, mail server delivers e-mail
PC running Explorer
Apache Web server
Mac running Safari
HTTP request HTTP response
http request
http response
HTTP
6
7
HTTP Request Message Format
HTTP method URL sp HTTP version cr lf
header field name : field value cr lf
request line sp
header field name : field value cr lf cr lf
Entity Body
header lines
…
8
HTTP Request Example
GET /somedir/page.html HTTP/1.0 User-agent: Mozilla/4.0 Accept: text/html, image/gif,image/jpeg Accept-language:fr
(extra carriage return, line feed)
request line (GET, POST,
HEAD commands)
header lines
Carriage return, line feed
indicates end of message
3
9
HTTP Response Message Format
HTTP version status code sp status phrase cr lf
header field name : field value cr lf
response line sp
header field name : field value cr lf cr lf
Response Body
header lines
…
10
HTTP Response Example
HTTP/1.0 200 OK Date: Thu, 25 Aug 2001 12:00:15 GMT Server: Apache/1.3.0 (Unix) Last-Modified: Mon, 22 Aug 2001 …... Content-Length: 6821 Content-Type: text/html
data data data data data ... data data data data data ... data data data data data ...
header lines
status line: (protocol
status code status phrase)
data, e.g., requested html file
Carriage return, line feed
indicates end of message
CGI Architecture Objectives
• Standardizes execution of server-side applications/handlers
• Specifies: – Interface between client and handler – Interface between web server and hander
4
Web Server-Handler Interaction
• Handler Input – Meta-variables – Stdin (message body)
• Handler Output – Stdout
Client-Handler Interaction
• Clients request the execution of a handler program by means of a: – A request method (e.g., GET, POST) – Universal Resource Identifier (URI)
• Identifies handler – Extra arguments
URI Syntax
<protocol>://<host><port>/<path-info><script>"?"<query-string>
http://finance.yahoo.com/add?op1=10&op2=20
<protocol> http <host> finance.yahoo.com <port> 80 <path-info> null <script> add <query-string> op1=10, op2=20
Query String Encoding
• RFC 2396
• Why encode? • Can think of a CGI script as a function, send
arguments by specifying name/value pairs. • Way to pack and unpack multiple arguments into
a single string
5
Encoding Rules
• All arguments • Single string of ampersand (&) separated name=value
pairs name_1=value_1&name_2=value_2&...
• Spaces • Replaced by a plus (+) sign
• Other characters (ie, =, &, +) • Replaced by a percent sign (%) followed by the two-digit
hexadecimal ASCII equivalent
Method
• GET – Arguments appear in the URL after the ? – Can be expressed as a URL – Limited amount of information can be passed this way – URL may have a length restriction on the server – Arguments appear on server log
• POST • Arguments are sent in the HTTP message body • Cannot be expressed as URL • Arbitrarily long form data can be communicated (some
browsers may have limits (i.e. 7KB)). • Arguments usually does not appear in server logs.
Forms and CGI
• Specify request method in “method” attribute • Automatically encodes all named field values
Example: add.html
6
21
Servlets • Generic Java2EE API for invoking and connecting
to “mini-servers” (lightweight, short-lived, server-side interactions).
• Mostly HTTPServlets – Generate HTTP responses (as for CGI) – Servlet code snippets can be embedded directly
into HTML pages: JSP = Java Server Pages • Competitor: Microsoft ASP = Active Server
Pages
22
Servlet Architecture
• Web server: Apache, Netscape Enterprise, IIS • Servlet container: Running JVM, hooked into the web
server, loads and maintains servlets, session info, object store
• Servlet: A Java class used to handle a specific request.
23
Main Process
JVM
Java Servlet-Based Web Server
Servlet1
Request for Servlet1
Request for Setvlet2
Request for Servlet1
Servlet2
Thread
Thread
Thread
24
Servlet API (javax.Servlet)
• Servlet Container • Servlet Interface • HttpServletResponce • HttpServletRequest • ServletContext
7
25
Servlet Container
• Contains and manages servlets through their lifecycle
• Provides the network services over which requests and responses are sent
• Decodes requests • Formats MIME based responses
26
Servlet Interface
• Central abstraction of the servlet API
• All servlets either implement this interface, or extend a class that implements this interface
• GenericServlet and HttpServlet two classes in the servlet API that implement the Servlet interface
27
HttpServlet • Web developers extend HttpServlet to
implement their servlets. • Inherited from GenericServlet
• Init() • Destroy()
• Defined by HTTPServlet • doGet() • doPost()
28
doGet() and doPost()
protected void doGet(HttpServletRequest req, HttpServletResponse resp)
protected void doPost(HttpServletRequest req, HttpServletResponse resp)
8
29
HttpServletResponse • Encapsulates all information to be returned from the server to
the client • In the HTTP protocol, this information is transmitted from
the server to the client either by HTTP headers or the message body of the request.
• Headers: Can set/manipulate http headers • primitive manipulation: setStatus(), setHeader(), addHeader()
• convenience methods: setContentType(), sendRedirect(), sendError()
• Body: Obtain a PrintWriter, used to return character data to the client • getWriter() 30
Example: Hello World
31
HttpServletRequest • Encapsulates all information from the client request • In the HTTP protocol, this information is
transmitted from the client to the server in the HTTP headers and the message body of the request.
• Manipulate 'form' variables:
getParameter()
getParameterNames()
getParameterValues() 32
Example: Form
9
Environment Variables DOCUMENT_ROOT root directory of your server HTTP_COOKIE visitor's cookie, if one is set HTTP_HOST hostname of the page HTTP_REFERER HTTP_USER_AGENT browser type of the visitor HTTPS "on" if called through a secure server QUERY_STRING query string REMOTE_ADDR IP address of the visitor REMOTE_HOST hostname of the visitor REMOTE_USER visitor's username REQUEST_METHOD GET or POST REQUEST_URI SCRIPT_FILENAME The full pathname of the current CGI SERVER_SOFTWARE server software (e.g. Apache 1.3) 34
Example: Environment Variables
35
Tomcat Configuration Tomcat
webapps
csc309Servlets Root
index.jsp index.html
conf
server.xml
WEB-INF
classes
web.xml
HelloWorld.class
web.xml
tomcat_users.xml
SomeOther.class 36
Deployment Descriptor (web.xml) • $CATALINA_HOME/conf/web.xml
– Default for all web applications • $CATALINA_HOME/webapp/ece1779Servlets/WEB_INF/web.xml
– Specific to ece779Servlets <servlet> <servlet-name>SampleServerName</servlet-name> <servlet-class>HelloWorld</servlet-class> </servlet> <servlet-mapping> <servlet-name>SampleServletName</servlet-name> <url-pattern>/index.html</url-pattern> </servlet-mapping>
http://127.0.0.1:8080/ece1779Servlets/index.html Maps to: $CATALINA_HOME/webapp/ece1779Servlets/WEB_INF/classes/
HelloWorld.class
10
37
$CATALINA_HOME/conf/tomcat_users.xml
<?xml version='1.0' encoding='utf-8'?> <tomcat-users> <role rolename="tomcat"/> <role rolename="role1"/> <role rolename="manager"/> <role rolename="admin"/> <user username= “ece1779" password= “secret" fullName= "name" roles="admin,manager"/> <user username="tomcat" password="tomcat" roles="tomcat"/> <user username="role1" password="tomcat" roles="role1"/> <user username="both" password="tomcat" roles="tomcat,role1"/> </tomcat-users>
38
Tomcat Web Application Manager
• Deploy applications • Start/stop/reload
39
Servlet Debugging
• Logs – $CATALINA_HOME/logs
• Interactive debugger – Use Java JPDA interface
• Allows an external program to “attach” to process – Start Tomcat in debugging mode
• $CATALINA_HOME/bin/catalina.sh jpda start – Start IDE debugger – Attach debugger to running Tomcat instance
40
Session Maintenance
• HTTP is stateless by default • No memory of browsers state
• Preserving state between browser/web server interactions • Behavior reflects previous forms filled in and pages
viewed • Kept at the browser or/and web server.
• Example: Want to allow access to a given script only once a user is logged in. Don't want to require a user to login at every page.
11
41
Store State At Server • Current state is stored at the server (i.e., in a file,
database, or in JVM’s memory) • Each request includes a token identifying the browsers
session (tokens can be passed via cookies, hidden variables, URL rewriting).
• At each request, the executing servlet uses the token to fetch session state
• Careful: Browser back button problem. The page the user is viewing may not reflect state stored at the server.
42
HttpSession • One instance for each active session • Accessing/creating a session
HttpSession session = request.getSession(); • Session attributes
Object o = session.getAttribute("name");
session.setAttribute("name",o);
43
Session Duration • Default: expire a session if idle (no http requests) for 30 minutes
– Delete all session related attributes from server – Does not remove cookie from client
• Changing session timeout – Configuration file (web.xml)
<session-config> <session-timeout>30</session-timeout> </session-config>
– Run-time • session.getMaxInactiveInterval() • session.setMaxInactiveInterval()
• Terminating a session – session.invalidate() – Deletes session related attributes form server – Removes cookie from client
44
Session Example
12
45
Other Issues • Multithreading
– HttpSession is not thread safe – Use proper synchronization to prevent concurrent property modifications
• Persistent sessions – Tomcat has support for persistent sessions
• Survive server restart – Saves session data to a file – Serializes properties
• Property values need to be serializable • Session event listeners
– Possible to create servlets that execute when a session times out – Can be use to garbage collect resources outside of the JVM
46
ServletContext • Interface defines a servlet’s view of the web application within
which the servlet is running. • Container Provider is responsible for providing an implementation
of the ServletContext interface in the servlet container. • Using the ServletContext object, a servlet can
• log events • obtain URL references to resources • set attributes that other servlets in the context can access.
47
ServletContext Continued • One instance of ServletContext per web application per
container
ServletContext context = getServletContext();
• Provides access to Initialization Parameters • Defined in the deployment descriptor
• A file called web.xml in the WEB-INF subdirectory of the app directory
• Methods: getInitParameter(), getInitParameterNames() 48
ServletContext Attributes • Context level shared objects. Can be bound into the context
and accessed by any servlet that is part of the application. • Methods:
setAttribute() getAttribute() getAttributeNames() removeAttributes()
• More than 1 thread may be accessing a shared object. • Application developer responsible for synchronizing access to
shared objects
13
49
ServletContext Resources • Gives servlet access to local documents associated with the
application. (i.e. static web pages, images) • Access to server logs • Methods:
getResource() getResourceAsStream() getResourcePaths()
log(“Error! File does not exist”);
ServletContextExample
50
51
JSP • Servlets disadvantage
– A little java in a whole lot of HTML • Java Server Pages
– Java embedded in HTML • Deployed in textual form (as opposed to byte code) • Translated to into a servlet on the fly
$CATALINA_HOME/webapps/ece1779/hello.jsp
$CATALINA_HOME/work/Catalina/localhost/ece1779/org/apache/jsp/hello_jsp.java
52
JSP Life Cycle
14
JSP • Expressions
<%= object.function() %> Java expression that evaluates into a String Translated into out.print() statement
• Scriplets <%
java.util.Date currentTime = new java.util.Date; String strDate = currentTime.toString();
%> One or more Java statements Left in place
• Directives <%@ page import=“java.util.Date, java.text.SimpleDateFormat” %> <%@ page contentType="text/html; charset=UTF-8" %> <%@ taglib prefix="s" uri="/struts-tags" %>
• Tags <s:iterator value="posts" status="itStatus“> <s:form action="AddPost“> <s:textfield name="username" label="Your name"/>
Movieplex Example
Design Content
All data stored in Movieplex.java - Array of movies - Array of theatres - Array of showtimes
Initialization Initialization.java - Servlet that creates Movieplex object and stores in ServletContent
Regular operation ListTheaters.jsp - Retrieves movie data from servlet context - Renders HTML page with list of all available theatres
ShowTheater.jsp - Takes theaterid as parameter - Renders HTML listing all the movies currently shown at a theatre
Data Structures public class Movie { public int id; public String name; public String rating; public String starring; public String director; public String synopsis; public String poster; public String url; }
public class Theater { public int id; public String name; public String address; public String phone; }
public class Showtime { public int id; public int theaterid, movieid; public int year, month, day; // date public int hour, minute; // time of day public float price; }
15
Data Structures public class Movieplex {
public Theater [] theaters; public Movie [] movies; public Showtime [] showtimes;
public Movieplex() {
Theater [] t = { new Theater(1,"Canada Square","2190 Yonge Street, Toronto, ON, M4S2C6", "416-6460444"), new Theater(2,"SilverCity","2300 Yonge Street, Toronto, ON,
M4P1E4","416-5441236") }; this.theaters = t;
Movie [] m = { new Movie(1,"Casino Royale", "PG-13","Daniel Craig, Judi Dench, Mads Mikkelsen, Eva Green, Jeffrey Wright", ......),
new Movie(2,"Babel", "R", "Brad Pitt, Cate Blanchett, Gael Garcia Bernal, Elle Fanning, Koji Yakusho", ... ) };
this.movies = m;
Showtime [] s = { new Showtime(1,1,1,2007,3,23,18,0,8), new Showtime(2,1,1,2007,3,18,20,0,8) };
this.showtimes = s; } }
58
Three Tier Architecture
59
RDBMS
• Relational Database Management Systems
• A way of saving and accessing data on persistent (disk) storage.
60
Why Use an RDBMS
• Data Safety – data is immune to program crashes
• Concurrent Access – atomic updates via transactions
• Fault Tolerance – replicated dbs for instant fail-over on machine/disk crashes
• Data Integrity – aids to keep data meaningful
• Scalability – can handle small/large quantities of data in a uniform manner
• Reporting – easy to write SQL programs to generate arbitrary reports
16
61
RDBMS Technology • Client/Server Databases
– Oracle, Sybase, MySQL, SQLServer
• Personal Databases – Access
• Embedded Databases – Pointbase
62
Server server process disk i/o
Client/Server Databases
client client client processes
tcp/ip connections
63
client application
code
Inside the Client Process
tcp/ip connection to server db library
API
64
JDBC • JDBC (Java DataBase Connectivity) • Standard SQL database access interface. • Allows a Java program to issue SQL statements and
process the results. • DB independent. Can replace underlying database with
minimal code impact. • Defines classes to represent constructs such as database
connections, SQL statements, result sets, and database metadata.
17
65
A JDBC Application
66
JDBC Pieces • Java client: code implementing the application
• JDBC API. Provides DB independent abstraction to
• establish a connection with a database
• send SQL statements
• process the results • JDBC Driver
• Translates API calls to requests made against the specific database. • Specific driver for the each database. • Installed on the client. Usually a set of class files placed in the class
path. • e.g., mysql-connector-java-5.1.7-bin.jar
• All large databases are now supported. • Database server:
• The actual database engine
• Pointbase, Oracle, MSAccess, SQL Server, Postgresql etc.
67
JDBC • Package java.sql
java.sun.com/products/jdk/1.2/docs/api/java/sql/package-summary.html
• Classes and interfaces – DriverManager getConnection()
– Connection Transactions commit(), rollback(), setAutoCommit() SQL statements createStatement(), prepateStatement()
– Statement executeQuery(), executeUpdate()
– ResultSet Scrolling over tuples next(), previous(), first(), last(), isLast() Values of attributes getString(int index), getTime(String name)
– PreparedStatement executeQuery(), executeUpdate() setInt (int index, int x)
68
API: Establish Connection 1 Class.forName(com.mysql.jdbc.Driver)
make the driver class available 2 String url = “jdbc:mysql://sysnet.cs.toronto.edu/databasename";
This is the connect string. The connect string, mentions the driver as well as the database. For the example above, the driver is the jdbc:pointbase:embedded bridge driver. The database is sample.
3 Connection con=DriverManager.getConnection(url, uID, pw); Get a connection (session) with a specific database. Within the context of a Connection, SQL statements are executed and results are returned. A Connection can be used to obtain information about the DB By default a Connection automatically commits changes after each statement. Typically, setting up a connection is an expensive operation.
18
69
API: Executing Queries
• A query can return many rows, each with many attributes • Steps are
1 Send query to the database 2 Retrieve one row at a time 3 For each row, retrieve attributes
70
Trivial Example
71
API: Updates
Int rowsAffected=
stmt.executeUpdate(
"DELETE * FROM ACCOUNTS;");
Executes a SQL INSERT, UPDATE or DELETE statement. Returns the number of rows affected.
72
API: Prepared Statements • Is a parameterized SQL statement. • Used to speedup query parsing (statement does not need to be reparsed) • Used to simplify development (clumsy strings do not have to be created and
recreated for each update). Example: String insert="INSERT INTO ACCOUNT(NAME,AMOUNT)VALUES(?,?);"; PreparedStatement ps =con.prepareStatement(insert);
ps.setString(1,"Charlie"); // Fill in the first ? ps.setDouble(2,23.45); // Fill in the second ?
rowsEffected=ps.executeUpdate();
ps.setInt(1,"Arnold"); // Fill in the first ? ps.setInt(2,102.23); // Fill in the second ?
rowsEffected=ps.executeUpdate();
19
73
Scope of DB Connections
1. Request: Open/close connection on each action invocation
2. Session: Keep 1 open connection associated with the session: HttpSession.getParameter(“dbCon”)
3. Web App: Keep 1 open connection for the web application and re-use it
74
Connection Pooling • The Solution:
– Maintain a pool of open connections that time themselves out • The SharedPoolDataSource allocates a new Connection object
– It wraps it in a PoolingConnection object that delegates calls to its enclosed Connection object and returns it to the client.
– It sets a timeout that will reclaim the Connection for a pool of free connections
• If client accesses PoolingConnection after timeout, PoolingConnection will request a fresh connection from the pool.
• Client returns Connection to the pool when done with it. – SharedPoolDataSource does not close the Connection, rather saves it for
the next request • Client may block awaiting a freed connection if some maximum upper limit of
open connections is reached.
75
Connection Pooling – Init method of main webapp servlet:
// Create a data source DriverAdapterCPDS ds = new DriverAdapterCPDS(); ds.setDriver("com.mysql.jdbc.Driver"); ds.setUrl("jdbc:mysql://servername/databasename"); ds.setUser("public"); ds.setPassword("public");
// Create a connection pool SharedPoolDataSource dbcp = new SharedPoolDataSource(); dbcp.setConnectionPoolDataSource(ds);
//Add to webapp context getServletContext().setAttribute(“dbConPool”,dbcp);
76
Connection Pooling – Each servlet doGet() or doPost() calls:
SharedPoolDataSource dbcp = getServletContext().getAttribute(“dbConPool”);
Connection con = dbcp.getConnection(); … Statement s = con.createStatement(); … con.close();
20
77
Indirection and Capabilities
Servlet connection x connection
connection
Poolingconnection
private connection x
onTimeOut: x = null
Servlet dbonnection y
Cannot revoke capability
Indirection enables revoking capability
Capability: enforces access control by providing a handle to a resource.
78
SQLGateway
79
Atomic Transactions
• ATM banking example: – Concurrent deposit/withdrawal operation – Need to protect shared account balance
• What about transferring funds between accounts? – Withdraw funds from account A – Deposit funds into account B
80
Properties of funds transfer
• Should appear as a single operation – Another process reading the account balances should
see either both updates, or none • Either both operations complete, or neither does
– Need to recover from crashes that leave transaction partially complete
21
81
Transactions • Definition: A transaction is a collection of DB modifications, which is
treated as an atomic DB operation. – Transactions ensure that a collection of updates leaves the database in a
consistent state (as defined by the application program); all updates take place or none do.
– A sequence of read and write operations, terminated by a commit or abort
• Definition: Committed – A transaction that has completed successfully; once committed, a transaction
cannot be undone • Definition: Aborted
– A transaction that did not complete normally • JDBC: By default the Connection automatically commits changes after
executing each statement. If auto commit has been disabled, the method commit must be called explicitly; otherwise, database changes will not be saved.
82
API: Transactions Example: // Change to transactional mode con.setAutoCommit(false); // Transaction A begins here
stmt.executeUpdate("DELETE * FROM ACCOUNT...;");// 1 stmt.executeUpdate("INSERT INTO ACCOUNT ...."); // 2 stmt.executeUpdate("INSERT INTO ACCOUNT ...."); // 3 stmt.executeUpdate("INSERT INTO ACCOUNT ...."); // 4 con.commit();
// Commit changes to database
// All of 1,2,3,4 take effect
83
API: Transactions Example: // Transaction B begins here
stmt.executeUpdate("DELETE * FROM SALES...;"); // 5
stmt.executeUpdate("INSERT INTO SALES ...."); // 6
stmt.executeUpdate("INSERT INTO SALES ...."); // 7
stmt.executeUpdate("INSERT INTO SALES ...."); // 8
con.rollback();
// Rollback to before transaction B began
// None of 5,6,7,8 effects the DB
84
Example
• Movie database
• Add an order and decrement # of available spaces