Web Application Development 1 Outline Web application architecture

Web Application Development 1

Outline • • • Web application architecture HTTP CGI Java Servlets Apache Tomcat Session maintenance 2

Architecture

HTTP • Created by Tim Berners-Lee at CERN – Defined 1989 -1991 • Standardized and much expanded by the IETF • Rides on top of TCP protocol – TCP provides: reliable, bi-directional, in-order byte stream • Goal: transfer objects between systems – Do not confuse with other WWW concepts: • HTTP is not page layout language (that is HTML) • HTTP is not object naming scheme (that is URLs) • Text-based protocol – Human readable 4

Client-Server Paradigm Client: q initiates contact with server (“speaks first”) q typically requests service from PC running server, Explorer q for Web, client is implemented in browser; for e-mail, in mail reader Server: q provides requested service to client q e. g. , Web server sends requested Web page, mail server delivers email HT TP req res ues t pon s e st ue q e r Apache Web server nse h o p res p t ht ttp Mac running Safari

HTTP 6

HTTP Request Message Format HTTP method sp URL sp header field name … header field name cr lf : : HTTP version field value cr lf request line header lines Entity Body 7

HTTP Request Example GET /somedir/page. html HTTP/1. 0 User-agent: Mozilla/4. 0 Accept: text/html, image/gif, image/jpeg Accept-language: fr (extra carriage return, line feed) request line (GET, POST, HEAD commands) header lines Carriage return, line feed indicates end of message 8

HTTP Response Message Format HTTP version sp status code sp status phrase cr lf header field name … header field name cr lf : : field value cr lf response line header lines Response Body 9

HTTP Response Example HTTP/1. 0 200 OK Date: Thu, 25 Aug 2001 12: 00: 15 GMT Server: Apache/1. 3. 0 (Unix) Last-Modified: Mon, 22 Aug 2001 …. . . Content-Length: 6821 Content-Type: text/html status line: (protocol status code status phrase) header lines Carriage return, line feed indicates end of message data data data. . . data, e. g. , requested html file 10

CGI Architecture

Objectives • Standardizes execution of server-side applications/handlers • Specifies: – Interface between client and handler – Interface between web server and hander

Web Server-Handler Interaction • Handler Input – Meta-variables – Stdin (message body) • Handler Output – Stdout

Client-Handler Interaction • Clients request the execution of a handler program by means of a: – A request method (e. g. , GET, POST) – Universal Resource Identifier (URI) • Identifies handler – Extra arguments

URI Syntax <protocol>: //<host><port>/<path-info><script>"? "<query-string> http: //finance. yahoo. com/add? op 1=10&op 2=20 <protocol> <host> <port> <path-info> <script> <query-string> http finance. yahoo. com 80 null add op 1=10, op 2=20

Query String Encoding • RFC 2396 • Why encode? · Can think of a CGI script as a function, send arguments by specifying name/value pairs. · Way to pack and unpack multiple arguments into a single string

Encoding Rules · All arguments · Single string of ampersand (&) separated name=value pairs name_1=value_1&name_2=value_2&. . . · Spaces · Replaced by a plus (+) sign · Other characters (ie, =, &, +) · Replaced by a percent sign (%) followed by the two-digit hexadecimal ASCII equivalent

Method • GET – Arguments appear in the URL after the ? – Can be expressed as a URL – Limited amount of information can be passed this way – URL may have a length restriction on the server – Arguments appear on server log • POST · Arguments are sent in the HTTP message body · Cannot be expressed as URL · Arbitrarily long form data can be communicated (some browsers may have limits (i. e. 7 KB)). · Arguments usually does not appear in server logs.

Forms and CGI • Specify request method in “method” attribute • Automatically encodes all named field values

Example: add. html

Servlets • Generic Java 2 EE API for invoking and connecting to “mini-servers” (lightweight, short-lived, serverside interactions). • Mostly HTTPServlets – Generate HTTP responses (as for CGI) – Servlet code snippets can be embedded directly into HTML pages: JSP = Java Server Pages • Competitor: Microsoft ASP = Active Server Pages 21

Servlet Architecture · Web server: Apache, Netscape Enterprise, IIS · Servlet container: Running JVM, hooked into the web server, loads and maintains servlets, session info, object store · Servlet: A Java class used to handle a specific request. 22

Java Servlet-Based Web Server Main Process Request for Servlet 1 Request for Setvlet 2 Request for Servlet 1 Thread JVM Servlet 1 Thread Servlet 2 23

Servlet API (javax. Servlet) • • • Servlet Container Servlet Interface Http. Servlet. Responce Http. Servlet. Request Servlet. Context 24

Servlet Container · Contains and manages servlets through their lifecycle · Provides the network services over which requests and responses are sent · Decodes requests · Formats MIME based responses 25

Servlet Interface · Central abstraction of the servlet API · All servlets either implement this interface, or extend a class that implements this interface · Generic. Servlet and Http. Servlet two classes in the servlet API that implement the Servlet interface 26

Http. Servlet · Web developers extend Http. Servlet to implement their servlets. · Inherited from Generic. Servlet · Init() · Destroy() · Defined by HTTPServlet · do. Get() · do. Post() 27

do. Get() and do. Post() protected void do. Get(Http. Servlet. Request req, Http. Servlet. Response resp) protected void do. Post(Http. Servlet. Request req, Http. Servlet. Response resp) 28

Http. Servlet. Response · Encapsulates all information to be returned from the server to the client · In the HTTP protocol, this information is transmitted from the server to the client either by HTTP headers or the message body of the request. · Headers: Can set/manipulate http headers · primitive manipulation: set. Status(), set. Header(), add. Header() · convenience methods: set. Content. Type(), send. Redirect(), send. Error() · Body: Obtain a Print. Writer, used to return character data to the client · get. Writer() 29

Example: Hello World 30

Http. Servlet. Request · Encapsulates all information from the client request · In the HTTP protocol, this information is transmitted from the client to the server in the HTTP headers and the message body of the request. · Manipulate 'form' variables: get. Parameter() get. Parameter. Names() get. Parameter. Values() 31

Example: Form 32

Environment Variables DOCUMENT_ROOT HTTP_COOKIE HTTP_HOST HTTP_REFERER HTTP_USER_AGENT HTTPS QUERY_STRING REMOTE_ADDR REMOTE_HOST REMOTE_USER REQUEST_METHOD REQUEST_URI SCRIPT_FILENAME SERVER_SOFTWARE root directory of your server visitor's cookie, if one is set hostname of the page browser type of the visitor "on" if called through a secure server query string IP address of the visitor hostname of the visitor's username GET or POST The full pathname of the current CGI server software (e. g. Apache 1. 3)

Example: Environment Variables 34

Tomcat Configuration Tomcat webapps conf Root csc 309 Servlets index. html index. jsp WEB-INF server. xml web. xml tomcat_users. xml web. xml classes Hello. World. class Some. Other. class 35

Deployment Descriptor (web. xml) • $CATALINA_HOME/conf/web. xml – Default for all web applications • $CATALINA_HOME/webapp/ece 1779 Servlets/WEB_INF/web. xml – Specific to ece 779 Servlets <servlet> <servlet-name>Sample. Server. Name</servlet-name> <servlet-class>Hello. World</servlet-class> </servlet> <servlet-mapping> <servlet-name>Sample. Servlet. Name</servlet-name> <url-pattern>/index. html</url-pattern> </servlet-mapping> http: //127. 0. 0. 1: 8080/ece 1779 Servlets/index. html Maps to: $CATALINA_HOME/webapp/ece 1779 Servlets/WEB_INF/classes/Hello. World. class 36

$CATALINA_HOME/conf/tomcat_users. xml <? xml version='1. 0' encoding='utf-8'? > <tomcat-users> <rolename="tomcat"/> <rolename="role 1"/> <rolename="manager"/> <rolename="admin"/> <username= “ece 1779" password= “secret" full. Name= "name" roles="admin, manager"/> <username="tomcat" password="tomcat" roles="tomcat"/> <username="role 1" password="tomcat" roles="role 1"/> <username="both" password="tomcat" roles="tomcat, role 1"/> </tomcat-users> 37

Tomcat Web Application Manager • Deploy applications • Start/stop/reload 38

Servlet Debugging • Logs – $CATALINA_HOME/logs • Interactive debugger – Use Java JPDA interface • Allows an external program to “attach” to process – Start Tomcat in debugging mode • $CATALINA_HOME/bin/catalina. sh jpda start – Start IDE debugger – Attach debugger to running Tomcat instance 39

Session Maintenance · HTTP is stateless by default · No memory of browsers state · Preserving state between browser/web server interactions · Behavior reflects previous forms filled in and pages viewed · Kept at the browser or/and web server. · Example: Want to allow access to a given script only once a user is logged in. Don't want to require a user to login at every page. 40

Store State At Server · Current state is stored at the server (i. e. , in a file, database, or in JVM’s memory) · Each request includes a token identifying the browsers session (tokens can be passed via cookies, hidden variables, URL rewriting). · At each request, the executing servlet uses the token to fetch session state · Careful: Browser back button problem. The page the user is viewing may not reflect state stored at the server. 41

Http. Session · One instance for each active session · Accessing/creating a session Http. Session session = request. get. Session(); · Session attributes Object o = session. get. Attribute("name"); session. set. Attribute("name", o); 42

Session Duration • Default: expire a session if idle (no http requests) for 30 minutes • Changing session timeout – Delete all session related attributes from server – Does not remove cookie from client – Configuration file (web. xml) <session-config> <session-timeout>30</session-timeout> </session-config> – Run-time • • session. get. Max. Inactive. Interval() • session. set. Max. Inactive. Interval() Terminating a session – session. invalidate() – Deletes session related attributes form server – Removes cookie from client 43

Session Example 44

Other Issues • Multithreading – Http. Session is not thread safe – Use proper synchronization to prevent concurrent property modifications • Persistent sessions – Tomcat has support for persistent sessions • Survive server restart – Saves session data to a file – Serializes properties • Property values need to be serializable • Session event listeners – Possible to create servlets that execute when a session times out – Can be use to garbage collect resources outside of the JVM 45

Servlet. Context · Interface defines a servlet’s view of the web application within which the servlet is running. · Container Provider is responsible for providing an implementation of the Servlet. Context interface in the servlet container. · Using the Servlet. Context object, a servlet can · log events · obtain URL references to resources · set attributes that other servlets in the context can access. 46

Servlet. Context Continued • One instance of Servlet. Context per web application per container Servlet. Context context = get. Servlet. Context(); • Provides access to Initialization Parameters · Defined in the deployment descriptor · A file called web. xml in the WEB-INF subdirectory of the app directory · Methods: get. Init. Parameter(), 47 get. Init. Parameter. Names()

Servlet. Context Attributes · Context level shared objects. Can be bound into the context and accessed by any servlet that is part of the application. · Methods: set. Attribute() get. Attribute. Names() remove. Attributes() · More than 1 thread may be accessing a shared object. · Application developer responsible for synchronizing access to shared objects 48

Servlet. Context Resources · Gives servlet access to local documents associated with the application. (i. e. static web pages, images) · Access to server logs · Methods: get. Resource() get. Resource. As. Stream() get. Resource. Paths() log(“Error! File does not exist”); 49

Servlet. Context. Example 50

JSP • Servlets disadvantage –A little java in a whole lot of HTML • Java Server Pages –Java embedded in HTML • Deployed in textual form (as opposed to byte code) • Translated to into a servlet on the fly $CATALINA_HOME/webapps/ece 1779/hello. jsp $CATALINA_HOME/work/Catalina/localhost/ece 1779/org/apache/jsp/hello_jsp. java 51

JSP Life Cycle 52

JSP • • Expressions <%= object. function() %> Java expression that evaluates into a String Translated into out. print() statement Scriplets <% java. util. Date current. Time = new java. util. Date; String str. Date = current. Time. to. String(); %> One or more Java statements Left in place Directives <%@ page import=“java. util. Date, java. text. Simple. Date. Format” %> <%@ page content. Type="text/html; charset=UTF-8" %> <%@ taglib prefix="s" uri="/struts-tags" %> Tags <s: iterator value="posts" status="it. Status“> <s: form action="Add. Post“> <s: textfield name="username" label="Your name"/>

Movieplex Example

Design Content All data stored in Movieplex. java - Array of movies - Array of theatres - Array of showtimes Initialization. java - Servlet that creates Movieplex object and stores in Servlet. Content Regular operation List. Theaters. jsp - Retrieves movie data from servlet context - Renders HTML page with list of all available theatres Show. Theater. jsp - Takes theaterid as parameter - Renders HTML listing all the movies currently shown at a theatre

Data Structures public class Movie { public int id; public String name; public String rating; public String starring; public String director; public String synopsis; public String poster; public String url; } public class Theater { public int id; public String name; public String address; public String phone; } public class Showtime { public int id; public int theaterid, movieid; public int year, month, day; public int hour, minute; public float price; } // date // time of day

Data Structures public class Movieplex { public Theater [] theaters; public Movie [] movies; public Showtime [] showtimes; public Movieplex() { Theater [] t = { new Theater(1, "Canada Square", "2190 Yonge Street, Toronto, ON, M 4 S 2 C 6", "416 -6460444"), new Theater(2, "Silver. City", "2300 Yonge Street, Toronto, ON, M 4 P 1 E 4", "4165441236") }; this. theaters = t; Movie [] m = { new Movie(1, "Casino Royale", "PG-13", "Daniel Craig, Judi Dench, Mads Mikkelsen, Eva Green, Jeffrey Wright", . . . ), new Movie(2, "Babel", "R", "Brad Pitt, Cate Blanchett, Gael Garcia Bernal, Elle Fanning, Koji Yakusho", . . . ) }; this. movies = m; Showtime [] s = { new Showtime(1, 1, 1, 2007, 3, 23, 18, 0, 8), new Showtime(2, 1, 1, 2007, 3, 18, 20, 0, 8) }; this. showtimes = s; }

Three Tier Architecture 58

RDBMS • Relational Database Management Systems • A way of saving and accessing data on persistent (disk) storage. 59

Why Use an RDBMS • Data Safety – data is immune to program crashes • Concurrent Access – atomic updates via transactions • Fault Tolerance – replicated dbs for instant fail-over on machine/disk crashes • Data Integrity – aids to keep data meaningful • Scalability – can handle small/large quantities of data in a uniform manner • Reporting – easy to write SQL programs to generate arbitrary reports 60

RDBMS Technology • Client/Server Databases – Oracle, Sybase, My. SQL, SQLServer • Personal Databases – Access • Embedded Databases – Pointbase 61

Client/Server Databases client processes tcp/ip connections Server disk i/o server process 62

Inside the Client Process client application code db library API tcp/ip connection to server 63

JDBC · JDBC (Java Data. Base Connectivity) · Standard SQL database access interface. · Allows a Java program to issue SQL statements and process the results. · DB independent. Can replace underlying database with minimal code impact. · Defines classes to represent constructs such as database connections, SQL statements, result sets, and database metadata. 64

A JDBC Application 65

JDBC Pieces · Java client: code implementing the application · JDBC API. Provides DB independent abstraction to · establish a connection with a database · send SQL statements · process the results · JDBC Driver · Translates API calls to requests made against the specific database. · Specific driver for the each database. · Installed on the client. Usually a set of class files placed in the class path. · e. g. , mysql-connector-java-5. 1. 7 -bin. jar · All large databases are now supported. · Database server: · The actual database engine · Pointbase, Oracle, MSAccess, SQL Server, Postgresql etc. 66

JDBC • Package java. sql java. sun. com/products/jdk/1. 2/docs/api/java/sql/package-summary. html • Classes and interfaces – Driver. Manager get. Connection() – Connection Transactions commit(), rollback(), set. Auto. Commit() SQL statements create. Statement(), prepate. Statement() – Statement execute. Query(), execute. Update() – Result. Set Scrolling over tuples next(), previous(), first(), last(), is. Last() Values of attributes get. String(int index), get. Time(String name) – Prepared. Statement execute. Query(), execute. Update() set. Int (int index, int x) 67

API: Establish Connection 1 Class. for. Name(com. mysql. jdbc. Driver) make the driver class available 2 String url = “jdbc: mysql: //sysnet. cs. toronto. edu/databasename"; This is the connect string. The connect string, mentions the driver as well as the database. For the example above, the driver is the jdbc: pointbase: embedded bridge driver. The database is sample. 3 Connection con=Driver. Manager. get. Connection(url, u. ID, pw); Get a connection (session) with a specific database. Within the context of a Connection, SQL statements are executed and results are returned. A Connection can be used to obtain information about the DB By default a Connection automatically commits changes after each statement. Typically, setting up a connection is an expensive operation. 68

API: Executing Queries · A query can return many rows, each with many attributes · Steps are 1 Send query to the database 2 Retrieve one row at a time 3 For each row, retrieve attributes 69

Trivial Example 70

API: Updates Int rows. Affected= stmt. execute. Update( "DELETE * FROM ACCOUNTS; "); Executes a SQL INSERT, UPDATE or DELETE statement. Returns the number of rows affected. 71

API: Prepared Statements · Is a parameterized SQL statement. · Used to speedup query parsing (statement does not need to be reparsed) · Used to simplify development (clumsy strings do not have to be created and recreated for each update). Example: String insert="INSERT INTO ACCOUNT(NAME, AMOUNT)VALUES(? , ? ); "; Prepared. Statement ps =con. prepare. Statement(insert); ps. set. String(1, "Charlie"); // Fill in the first ? ps. set. Double(2, 23. 45); // Fill in the second ? rows. Effected=ps. execute. Update(); ps. set. Int(1, "Arnold"); // Fill in the first ? ps. set. Int(2, 102. 23); // Fill in the second ? rows. Effected=ps. execute. Update(); 72

Scope of DB Connections 1. Request: Open/close connection on each action invocation 2. Session: Keep 1 open connection associated with the session: Http. Session. get. Parameter(“db. Con”) 3. Web App: Keep 1 open connection for the web application and re-use it 73

Connection Pooling • The Solution: – Maintain a pool of open connections that time themselves out • The Shared. Pool. Data. Source allocates a new Connection object – It wraps it in a Pooling. Connection object that delegates calls to its enclosed Connection object and returns it to the client. – It sets a timeout that will reclaim the Connection for a pool of free connections • If client accesses Pooling. Connection after timeout, Pooling. Connection will request a fresh connection from the pool. • Client returns Connection to the pool when done with it. – Shared. Pool. Data. Source does not close the Connection, rather saves it for the next request • Client may block awaiting a freed connection if some maximum upper limit of open connections is reached. 74

Connection Pooling – Init method of main webapp servlet: // Create a data source Driver. Adapter. CPDS ds = new Driver. Adapter. CPDS(); ds. set. Driver("com. mysql. jdbc. Driver"); ds. set. Url("jdbc: mysql: //servername/databasename"); ds. set. User("public"); ds. set. Password("public"); // Create a connection pool Shared. Pool. Data. Source dbcp = new Shared. Pool. Data. Source(); dbcp. set. Connection. Pool. Data. Source(ds); //Add to webapp context get. Servlet. Context(). set. Attribute(“db. Con. Pool”, dbcp); 75

Connection Pooling – Each servlet do. Get() or do. Post() calls: Shared. Pool. Data. Source dbcp = get. Servlet. Context(). get. Attribute(“db. Con. Pool”); Connection con = dbcp. get. Connection(); … Statement s = con. create. Statement(); … con. close(); 76

Indirection and Capabilities Capability: enforces access control by providing a handle to a resource. Servlet connection x connection Cannot revoke capability Poolingconnection Servlet dbonnection y private connection x connection on. Time. Out: x = null Indirection enables revoking capability 77

SQLGateway 78

Atomic Transactions • ATM banking example: – Concurrent deposit/withdrawal operation – Need to protect shared account balance • What about transferring funds between accounts? – Withdraw funds from account A – Deposit funds into account B 79

Properties of funds transfer • Should appear as a single operation – Another process reading the account balances should see either both updates, or none • Either both operations complete, or neither does – Need to recover from crashes that leave transaction partially complete 80

Transactions • Definition: A transaction is a collection of DB modifications, which is treated as an atomic DB operation. – Transactions ensure that a collection of updates leaves the database in a consistent state (as defined by the application program); all updates take place or none do. – A sequence of read and write operations, terminated by a commit or abort • Definition: Committed – A transaction that has completed successfully; once committed, a transaction cannot be undone • Definition: Aborted – A transaction that did not complete normally • JDBC: By default the Connection automatically commits changes after executing each statement. If auto commit has been disabled, the method commit must be called explicitly; otherwise, database changes will not be saved. 81

API: Transactions Example: // Change to transactional mode con. set. Auto. Commit(false); // Transaction A begins here stmt. execute. Update("DELETE * FROM ACCOUNT. . . ; "); // stmt. execute. Update("INSERT INTO ACCOUNT. . . . "); // stmt. execute. Update("INSERT INTO ACCOUNT. . "); // con. commit(); // Commit changes to database 1 2 3 4 // All of 1, 2, 3, 4 take effect 82

API: Transactions Example: // Transaction B begins here stmt. execute. Update("DELETE * FROM SALES. . . ; "); // 5 stmt. execute. Update("INSERT INTO SALES. . "); // 6 stmt. execute. Update("INSERT INTO SALES. . "); // 7 stmt. execute. Update("INSERT INTO SALES. . "); // 8 con. rollback(); // Rollback to before transaction B began // None of 5, 6, 7, 8 effects the DB 83

Example • Movie database • Add an order and decrement # of available spaces 84