Structure of a webapplication

Catalogue structure:

/
    The root of a web application. This directory holds things that are directly available to the client: HTML files, JSPs, style sheets etc. The root is mapped by the Tomcat configuration. The default is $INST_DIR\webapps\name_of_appl; locally on Solaris we use ~/tomcat.

/WEB-INF
    This is a subcatalogue in the web application root. Things in here are not directly available to the client. This is a reserved name that Tomcat uses to detect a web application, and it triggers Tomcat to try a deployment during the startup scan.

Structure of a webapplication 28 January 2009 1
/WEB-INF/lib
    Jar files that will be used by the application, e.g. JSTL.

/WEB-INF/classes
    Class files for servlets, user-defined tags and JavaBeans.

/WEB-INF/*.tld
    Tag library definition files.

/WEB-INF/web.xml
    The web application definition file, i.e. the deployment descriptor.
Can look like this:

    kursa.it.uu.se> cd tomcat
    kursa.it.uu.se> ls -R
    error.jsp  test.jsp  test.xsl  WEB-INF

    ./WEB-INF:
    classes  c.tld  lib  src  web.xml  x.tld

    ./WEB-INF/classes:
    com

    ./WEB-INF/classes/com:
    mimer

    ./WEB-INF/classes/com/mimer:
    fredrik

    ./WEB-INF/classes/com/mimer/fredrik:
    TestBean.class  TestServlet.class

    ./WEB-INF/lib:
    jstl.jar  standard.jar

    ./WEB-INF/src:
    com

    ./WEB-INF/src/com:
    mimer

    ./WEB-INF/src/com/mimer:
    fredrik

    ./WEB-INF/src/com/mimer/fredrik:
    TestBean.java  TestServlet.java
To distribute an application, you can pack this structure into a WAR file. A WAR file is just a jar file created with the Java Archiver (jar), with another file type.
The content of web.xml

Describes a web application from different aspects:

    Application context parameters
    servlet mappings
    user defined tags
    authorization
    etc
Structure is

    <?xml ... ?>
    <web-app>
        paragraph
        paragraph
        ...
    </web-app>

Order is sometimes significant.
Case is significant.
Examples with a Servlet 2.5/JSP 2.1 header

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <context-param>
            <param-name>dbname</param-name>
            <param-value>murach</param-value>
        </context-param>
        <servlet>
            <servlet-name>email6.emailservlet</servlet-name>
            <servlet-class>email6.emailservlet</servlet-class>
            <init-param>
                <param-name>filename</param-name>
                <param-value>../webapps/murach/useremail.txt</param-value>
            </init-param>
        </servlet>
    </web-app>

A Servlet 2.4/JSP 2.0 (J2EE 1.4) header goes like

    <web-app xmlns="http://java.sun.com/xml/ns/j2ee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                                 http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
             version="2.4">

A Servlet 2.3/JSP 1.2 (J2EE 1.3) header goes like

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE web-app PUBLIC
        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
        "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
        ...
    </web-app>
We can introduce servlet mappings to simplify access to a servlet. Instead of saying

    /servlet/package.classname

I set up a mapping:

    <servlet-mapping>
        <servlet-name>email6.emailservlet</servlet-name>
        <url-pattern>/myservlet</url-pattern>
    </servlet-mapping>

Now I can access my servlet using:

    /myservlet

Usually you introduce a logical servlet name to avoid having the physical name in a lot of places. See later examples.

You should always use mappings in real applications because this gives you the full potential of the container, including security, filtering etc.
You can also set servlet-specific init-parameters. This is a way to avoid hardcoded resource names.

    <servlet>
        ...
        <init-param>
            <param-name>CHECKOUT_PAGE</param-name>
            <param-value>/checkout.jsp</param-value>
        </init-param>
        <init-param>
            <param-name>JDBC_URL</param-name>
            <!-- "&" must be written as "&amp;" inside XML; note that the
                 password in this URL is stored in clear text in web.xml -->
            <param-value>jdbc:mysql://tomcat.it.uu.se/test?user=olle&amp;password=xxxx</param-value>
            <description>The Database URL to use</description>
        </init-param>
        <init-param>
            <param-name>SHOW_PAGE</param-name>
            <param-value>/show.jsp</param-value>
        </init-param>
        <init-param>
            <param-name>THANKYOU_PAGE</param-name>
            <param-value>/thankyou.jsp</param-value>
        </init-param>
        <init-param>
            <param-name>DETAIL_PAGE</param-name>
            <param-value>/detail.jsp</param-value>
        </init-param>
    </servlet>
Other elements in web.xml, presented here without respect to ordering.

    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>

    <mime-mapping>
        <extension>html</extension>
        <mime-type>text/html</mime-type>
    </mime-mapping>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/email6/error.html</location>
    </error-page>

    <error-page>
        <error-code>404</error-code>
        <location>/email6/error_404.jsp</location>
    </error-page>
An example, the simple test servlet that we have shown before

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <servlet>
            <servlet-name>TestServlet</servlet-name>
            <servlet-class>com.mimer.fredrik.TestServlet</servlet-class>
        </servlet>
        <servlet-mapping>
            <servlet-name>TestServlet</servlet-name>
            <url-pattern>/testservlet</url-pattern>
        </servlet-mapping>
        <taglib>
            <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
            <taglib-location>/WEB-INF/c.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>http://java.sun.com/jsp/jstl/xml</taglib-uri>
            <taglib-location>/WEB-INF/x.tld</taglib-location>
        </taglib>
    </web-app>
And another example

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <web-app xmlns="http://java.sun.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                 http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
             version="2.5">
        <servlet>
            <servlet-name>Shop</servlet-name>
            <servlet-class>se.upright.education.uu.pvk.assignmenttwo.servlets.shopservlet</servlet-class>
            <init-param>
                <param-name>CHECKOUT_PAGE</param-name>
                <param-value>/checkout.jsp</param-value>
            </init-param>
            <init-param>
                <param-name>JDBC_URL</param-name>
                <param-value>jdbc:mysql://tomcat.it.uu.se/test</param-value>
                <description>The Database URL to use</description>
            </init-param>
            <init-param>
                <param-name>SHOW_PAGE</param-name>
                <param-value>/show.jsp</param-value>
            </init-param>
            <init-param>
                <param-name>THANKYOU_PAGE</param-name>
                <param-value>/thankyou.jsp</param-value>
            </init-param>
            <init-param>
                <param-name>DETAIL_PAGE</param-name>
                <param-value>/detail.jsp</param-value>
            </init-param>
        </servlet>
        <servlet-mapping>
            <servlet-name>Shop</servlet-name>
            <url-pattern>/shop</url-pattern>
        </servlet-mapping>
        <session-config>
            <session-timeout>30</session-timeout>
        </session-config>
        <taglib>
            <taglib-uri>http://java.sun.com/jsp/jstl/core</taglib-uri>
            <taglib-location>/WEB-INF/c.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>http://java.sun.com/jsp/jstl/xml</taglib-uri>
            <taglib-location>/WEB-INF/x.tld</taglib-location>
        </taglib>
        <taglib>
            <taglib-uri>/bookshop</taglib-uri>
            <taglib-location>/WEB-INF/bookshop.tld</taglib-location>
        </taglib>
    </web-app>
Authorization, i.e. access to applications

You can set up security constraints on your application. Those are based on URL patterns. A security constraint protects a web resource so that access is granted only for the roles listed in the constraint, e.g.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TheShop</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
The web-resource-collection specifies a name, which is mandatory even if it's not used. It also specifies one or more URL patterns that are to be protected. You can optionally have one or more http-method tags that specify the HTTP methods the constraint applies to. The default is all methods.

URL patterns can look like:

    /test.jsp
    /*.jsp
    /*
    /test/*

The auth-constraint specifies the roles that are allowed access to these resources. Roles are set up in the Tomcat configuration with username, password and role name. We do have a role tomcat with username and password tomcat.
There is also a user-data-constraint tag. It specifies how data should be transmitted across the network. Possible values are:

    NONE            No requirement
    INTEGRAL        The transport protocol should guarantee the integrity of data
    CONFIDENTIAL    Prevent observing the data by others than the recipient, i.e. use SSL or something similar
Authentication can be done in several ways.

    Basic authentication     Uses the normal login mechanism of the browser. Unencrypted transmission of password and username.
    Digest authentication    Same as above but with encrypted transmission. Only supported by Internet Explorer.
    Form-based auth.         Allows you to code an HTML form that uses predefined actions to log in. Unencrypted transmission.
Basic

    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Admin Login</realm-name>
    </login-config>

The realm-name is used to print an information text on the login banner. You get three attempts to enter a valid username and password. If you fail, an error page will be displayed. A successful login will be stored in the session, and you can access all pages without re-entering the password.
FORM

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/login_error.jsp</form-error-page>
        </form-login-config>
    </login-config>

This means that a JSP called login.jsp will be used to display a login form. If you fail to log in, the JSP login_error.jsp will be called. In Tomcat, there are predefined actions that you should use.
login.jsp

    <html>
    <head>
    <title>Login Page for the Bookshop</title>
    </head>
    <body bgcolor="white">
    <form method="POST" action="<%= response.encodeURL("j_security_check") %>">
      <table border="0" cellspacing="5" align="center">
        <tr>
          <td colspan="2" bgcolor="#FFDC75">
            <h2>Log in to the Bookshop</h2>
          </td>
        </tr>
        <tr>
          <td colspan="2"></td>
        </tr>
        <tr>
          <th align="right">Username:</th>
          <td align="left"><input type="text" name="j_username"></td>
        </tr>
        <tr>
          <th align="right">Password:</th>
          <td align="left"><input type="password" name="j_password"></td>
        </tr>
        <tr>
          <td align="right"><input type="submit" value="Log In"></td>
          <td align="left"><input type="reset"></td>
        </tr>
      </table>
    </form>
    </body>
    </html>
Will give you this: [screenshot of the login page]
The error page goes like

    <html>
    <head>
    <title>Error Page for the Bookshop</title>
    </head>
    <body bgcolor="white">
    Invalid username and/or password, please try
    <a href="<%= response.encodeURL("show.jsp") %>">again</a>.
    </body>
    </html>

and will display

    Invalid username and/or password, please try again.
You can also have the security-role tag. This lists all roles that you can use in a security-constraint.

    <security-role>
        <role-name>tomcat</role-name>
    </security-role>
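The security-constraint, user-data-constraint, login-config and security-role elements described above can be checked together with a small audit script. This is an added example, not part of the original slides; the finding codes, function names and the sample descriptor (the TheShop constraint with a BASIC login and one http-method added) are constructed for illustration.

```python
# Added example, not from the original slides: audit a web.xml deployment descriptor.
import xml.etree.ElementTree as ET

# Constructed sample: the slides' TheShop constraint with BASIC login and one http-method.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>TheShop</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so 2.3, 2.4 and 2.5 descriptors are handled alike."""
    return tag.rsplit("}", 1)[-1]


def _texts(node, name):
    """Trimmed text of every descendant element called `name`."""
    return [(e.text or "").strip() for e in node.iter() if _local(e.tag) == name]


def audit_web_xml(xml_text):
    """Return the sorted finding codes for one descriptor (codes are this example's own)."""
    root = ET.fromstring(xml_text)
    findings = set()
    declared = {r for el in root if _local(el.tag) == "security-role"
                for r in _texts(el, "role-name")}
    auth = (_texts(root, "auth-method") or ["NONE"])[0].upper()
    for sc in (el for el in root if _local(el.tag) == "security-constraint"):
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0].upper()
        if auth in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.add("CLEARTEXT_CREDENTIALS")  # login data crosses the network unencrypted
        if _texts(sc, "http-method"):
            findings.add("UNLISTED_METHODS_UNPROTECTED")  # constraint covers listed methods only
        roles = {r for el in sc if _local(el.tag) == "auth-constraint"
                 for r in _texts(el, "role-name")}
        if roles - declared - {"*"}:
            findings.add("ROLE_NOT_DECLARED")  # role missing from <security-role>
    return sorted(findings)
```

A descriptor that sets the transport guarantee to CONFIDENTIAL, lists no http-method and declares its roles in security-role produces no findings.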
An introduction to session tracking

HTTP is a stateless protocol. It has no recollection of events. To overcome this, the web container maintains a session for each user. For identification, cookies are used.

An introduction to session tracking 28 January 2009 31
A cookie is a name/value pair that is stored in the browser. The server creates a cookie and sends it to the browser. The browser saves the cookie in its cookie file or in memory. Each time the browser sends a request to the server, the cookies are stored in the request object and the server can use them to connect to the correct session.
Examples of cookies are

    jsessionid=d1f15245171203e86756756763f
    user_id=87
    email=jsmith@hotmail.com
    username=jsmith
    passwordcookie=opensesame

Typical use of cookies:

    To allow users to skip logins and registration forms
    To customize pages that display information
    To focus advertising
In the browser you can see: [screenshot]
A servlet can use the following code snippet to get the cookie and to get the session id.

    Cookie[] cookies = request.getCookies();   // null if the request carries no cookies
    String cookieName = "JSESSIONID";
    String cookieValue = "";
    if (cookies != null) {
        for (int i = 0; i < cookies.length; i++) {
            Cookie cookie = cookies[i];
            if (cookieName.equals(cookie.getName()))
                cookieValue = cookie.getValue();
        }
    }
If you have set up the browser to disallow cookies, this scheme cannot be used. Instead, a session id is appended to the URL. To do this you have to use the encodeURL method of the response object when outputting a URL. E.g. in a servlet:

    PrintWriter out = response.getWriter();
    out.println("Click <a href=\"" + response.encodeURL("test.jsp") + "\"> here </a>");
This will check if cookies can be stored in the browser. If they cannot, the session id will be appended to the URL and sent to the browser.
To see this, a simple demo servlet has been used. I can press "here" at the end of the page to reload the page. This will rewrite the URL and the result is visible in the location field.
If I enable cookies it will look like: [screenshot]
If you have cookies disabled in the browser, the server will send back URLs with the session id appended. Each time you submit a form with such a URL, the session id is transferred back to the server. If you fail to pass your URL through the encoding process, you will not be able to connect to your session.
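A session id appended to the URL is written into the server's access log (in the request line and in the Referer of the following request), so an operator can see where URL rewriting is in use and whether one id arrives from more than one client address. The scanner below is an added example, not part of the original slides; it assumes the combined access log format, and the log lines, addresses and session id are constructed.

```python
# Added example, not from the original slides: find URL-rewritten session ids in an access log.
import re
from collections import defaultdict

# Constructed sample lines in combined log format; addresses and ids are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jan/2009:10:00:01 +0100] "GET /shop/test.jsp;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jan/2009:10:00:05 +0100] "GET /shop/show.jsp HTTP/1.1" 200 900 "http://shop.example/shop/test.jsp;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444" "Mozilla/5.0"
198.51.100.7 - - [28/Jan/2009:10:03:40 +0100] "GET /shop/test.jsp;jsessionid=AAAA1111BBBB2222CCCC3333DDDD4444?item=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [28/Jan/2009:10:04:00 +0100] "GET /shop/index.jsp HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# client, method, URL and (optional) Referer of one combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+(?: "([^"]*)")?')
# the path parameter that encodeURL appends when cookies are unavailable
SESSION = re.compile(r';jsessionid=([0-9A-Za-z.\-_]+)', re.IGNORECASE)


def scan(log_text):
    """Map each session id seen in a request URL or Referer to the clients that sent it."""
    seen = defaultdict(lambda: {"clients": set(), "in_request": 0, "in_referer": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line this pattern understands
        client, _method, url, referer = m.groups()
        for field, text in (("in_request", url), ("in_referer", referer or "")):
            for sid in SESSION.findall(text):
                seen[sid]["clients"].add(client)
                seen[sid][field] += 1
    return dict(seen)


def shared_sessions(log_text):
    """Session ids presented by more than one client address."""
    return sorted(sid for sid, info in scan(log_text).items() if len(info["clients"]) > 1)
```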