Network Services (lecture slides)
Johann Oberleitner, SS 2006

Agenda
- URIs
- HTTP
- HTTP Authentication
- Dynamic Web Technologies: CGI, Java Servlets
- WebDAV
- Web Caching

URI
- Unique Resource Identifier
- Remembered by people
- Transcribed from one network resource to another -> characters accessible on each keyboard
- RFC 3896
- URI = scheme:hierarchical-part [?query] [#fragment]
- Hierarchical-part absolute or relative
- Hierarchical-part may contain authority part

URI Examples
- ftp://ftp.is.co.za/rfc/rfc1808.txt
- http://www.ietf.org/rfc/rfc2396.txt
- ldap://[2001:db8::7]/c=GB?objectClass?one
- mailto:[email protected]
- news:comp.infosystems.www.servers.unix
- tel:+43-1-58801-58400
- telnet://192.0.1.8:25/
- urn:oasis:names:specification:docbook:dtd:xml:4.1.2

URI / 2 (parts of a URI)
- http://www.ietf.org/rfc/rfc2396.txt: scheme part (http), authority part (www.ietf.org), hierarchical part (/rfc/rfc2396.txt)
- http://www.example.at/search?xyz=abc: query part (xyz=abc)
- http://www.ex1.at/abc.html#my-anchor: anchor (my-anchor)

URLs & URNs
- Specialized subtypes of URIs
- URLs (= Uniform Resource Locator) identify a resource via
  - Access mechanism (scheme) and
  - Location within computer networks
- URNs (= Uniform Resource Name) identify a resource via urn:<NID>:<NID-specific-ID>
  - NID = Namespace identifier
  - Example: urn:ISBN:0130888931
  - Location independent: URNs are retained even if the location is changed

HTTP / 1
- Protocol for Information Systems
- Distributed, collaborative, hypermedia
- In use by WWW initiative since 1990
- General idea: request-response
- HTTP/0.9: simple protocol for raw data transfer across the Internet
- HTTP/1.0 (RFC 1945): extended by allowing messages to use MIME format
- HTTP/1.1 (RFC 2616): more strict
- Standard port: TCP 80
- Uses NVT protocol

HTTP / 2 - HTTP Request
- Request method (GET, POST, ...)
- URI (what is requested)
- Protocol version
- MIME-like message
  - Request modifiers
  - Client information
  - Body content
- Generic syntax: "Method Request-URI HTTP-Version"

HTTP / 3 - HTTP Response
- Status line including
  - message protocol version
  - success or error code
- MIME-like message
  - Server information
  - Entity metainformation (content-type, length, date of modification, ...)
  - Entity-body content

HTTP / 4 - Request methods
GET
- Retrieve information identified by Request-URI
- May refer to a process instead of a data entity (see Dynamic Web)
- Conditional GET if the request message contains additional header fields, e.g. If-Modified-Since, If-Match, If-None-Match, If-Range
  - Goal: reduce bandwidth
HEAD
- Like GET but does not return the message-body
- HTTP header identical

HTTP / 5 - Request methods
POST
- Requests that the entity enclosed in the request be accepted as an additional item for the entity identified in the Request-URI
- URI determines the handler for the post
- Examples
  - Annotation of existing resources
  - Posting a message to bulletin boards, newsgroups, ...
  - Providing a block of data, such as the result of submitting a form, to a data-handling process
  - Extending a database through an append operation
- Actual function determined by the server
- Response contains the result of the action

HTTP / 6 - Request methods
- OPTIONS: communication options available on the request/response chain identified by the Request-URI
- PUT: enclosed entity shall be stored under the supplied Request-URI
- DELETE: delete the resource identified by the Request-URI
- TRACE: debugging method
- CONNECT: for proxies to dynamically switch to being a tunnel (SSL)

HTTP - Status Codes
Informational 1xx
- Prior to the regular response
- If unexpected, may be ignored
- Proxies must forward 1xx responses
- 100 Continue: client SHOULD continue with its request
Successful 2xx
- Request successful
- 200 OK, 201 Created, 202 Accepted, ...
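The URI slides give the generic grammar and a set of example URIs but no parser. The following added example (written for this page, not part of the original slides) splits a URI into the five generic components using the regular expression from RFC 3986 Appendix B, splits the authority into userinfo/host/port (handling the bracketed IPv6 host from the ldap example), and extracts the NID from a URN. The function names and the split into separate helpers are this example's own choices.

```python
import re

# Generic URI syntax from the slides: scheme:hierarchical-part [?query] [#fragment].
# The regular expression is the component splitter given in RFC 3986, Appendix B.
_URI_RE = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?"
)


def split_uri(uri):
    """Split a URI into scheme, authority, path, query and fragment (None when absent).

    A missing scheme means the hierarchical part is relative (e.g. /rfc/rfc2396.txt).
    """
    scheme, authority, path, query, fragment = _URI_RE.match(uri).groups()
    return {"scheme": scheme, "authority": authority, "path": path,
            "query": query, "fragment": fragment}


def split_authority(authority):
    """Split an authority into userinfo, host and port.

    Host checks (allow-lists, same-origin decisions) must use the host returned
    here: anything before '@' is userinfo, and an IPv6 host is bracketed.
    """
    userinfo = None
    if "@" in authority:
        userinfo, authority = authority.rsplit("@", 1)
    if authority.startswith("["):                       # IP-literal, e.g. [2001:db8::7]
        end = authority.find("]")
        if end < 0:
            raise ValueError("unterminated IP-literal in authority")
        host, rest = authority[:end + 1], authority[end + 1:]
    else:
        host, sep, port_str = authority.partition(":")
        rest = sep + port_str
    port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
    return {"userinfo": userinfo, "host": host, "port": port}


def urn_parts(uri):
    """For urn:<NID>:<NID-specific-ID> return (NID, NID-specific-ID); None otherwise."""
    parts = split_uri(uri)
    if (parts["scheme"] or "").lower() != "urn":
        return None
    nid, _, nss = parts["path"].partition(":")
    return nid, nss


if __name__ == "__main__":
    for u in ("http://www.example.at/search?xyz=abc",
              "ldap://[2001:db8::7]/c=GB?objectClass?one",
              "urn:oasis:names:specification:docbook:dtd:xml:4.1.2"):
        print(u, split_uri(u))
```

Note that the query of the ldap example contains a second "?": the grammar assigns everything after the first "?" up to "#" to the query, which the regular expression reproduces.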
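The request, response, method and status-code slides describe the message shapes in words. The following added example (not from the slides) is a small server-side handler that parses "Method Request-URI HTTP-Version" plus header fields, answers GET and HEAD from a constructed resource table, turns an If-Modified-Since header into a 304 (conditional GET), and decides from the version and Connection header whether the connection stays open (persistent connections). The resource table, the status codes chosen for malformed input and the function names are this example's assumptions.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource table (not from the slides): path -> (last-modified, body).
RESOURCES = {
    "/index.html": (datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc),
                    b"<html><body>Hello</body></html>"),
}
SUPPORTED_VERSIONS = ("HTTP/1.0", "HTTP/1.1")


def parse_request(raw):
    """Parse the request line 'Method Request-URI HTTP-Version' and the MIME-like
    header fields. Returns (method, uri, version, headers, body) or None if malformed.
    Header names are case-insensitive and are lower-cased here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers, body


def handle_request(raw):
    """Serve one request: returns (status, headers, body, keep_alive)."""
    parsed = parse_request(raw)
    if parsed is None:
        return 400, {}, b"", False
    method, uri, version, headers, _ = parsed
    if version not in SUPPORTED_VERSIONS:
        return 505, {}, b"", False

    # Persistent connections: HTTP/1.1 keeps the connection open unless the client
    # sends "Connection: close"; HTTP/1.0 closes unless it sends "keep-alive".
    conn = headers.get("connection", "").lower()
    keep_alive = (conn != "close") if version == "HTTP/1.1" else (conn == "keep-alive")

    if method not in ("GET", "HEAD"):
        return 501, {}, b"", keep_alive
    path = uri.split("?", 1)[0]            # query part is not used for the lookup
    if path not in RESOURCES:
        return 404, {}, b"", keep_alive
    last_modified, body = RESOURCES[path]
    lm_header = {"Last-Modified": format_datetime(last_modified, usegmt=True)}

    # Conditional GET: with If-Modified-Since the server can answer 304 without a body.
    ims = headers.get("if-modified-since")
    if ims:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None                   # unparsable date: treat as unconditional
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if last_modified <= since:
                return 304, lm_header, b"", keep_alive

    resp_headers = {"Content-Type": "text/html",
                    "Content-Length": str(len(body)), **lm_header}
    # HEAD: same headers as GET, but no message-body.
    return 200, resp_headers, (b"" if method == "HEAD" else body), keep_alive
```

The header dictionary is keyed by lower-cased names because header field names are case-insensitive; a handler that compares them case-sensitively silently ignores headers such as "if-modified-since" sent in a different spelling.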
HTTP - Status Codes
Redirection 3xx
- Further actions need to be taken by the user to fulfill the request
- 301 Moved Permanently
  - New URI given in the Location field of the response
  - If possible, the client shall change the link
- 302 Found
  - New URI given in the Location field of the response
- 303 See Other
  - Similar to 302, but the different URI should be retrieved with GET
  - Primarily to allow the output of a POST-activated script to redirect the user agent
- 304 Not Modified
  - For conditional GET requests

Client Error 4xx
- 400 Bad Request
- 401 Unauthorized
- 402 Forbidden
  - Authorization won't help, shall not be repeated
- 404 Not Found
  - No match found for the Request-URI
- 408 Request Timeout
- 410 Gone
  - Resource no longer at the server

Server Error 5xx
- 500 Internal Server Error
- 501 Implementation
- 503 Service Unavailable
  - Overloading of the server
- 505 HTTP Version Not Supported

HTTP - Persistent Connections
- HTTP connection closed after one request
- Assumption that the client has more requests for the same server
- Standard in HTTP/1.1: persistent connection desired
- Controlled with the header field Connection: close / keep-alive
- Server time-out closes the connection automatically
- Advantages
  - Opening/closing fewer TCP connections
  - CPU time saved in routers and all participating hosts
  - Fewer packets caused by TCP opens
  - HTTP requests/responses pipelined: the client makes multiple requests on the same TCP connection without waiting for a response
  - Latency of subsequent requests reduced: no time spent in TCP's connection-opening handshake

HTTP State Management
- HTTP is stateless
- HTTP sessions to manage state
  - Server requires an HTTP session to maintain variables for one user
  - Server manages variables for each session
  - Session-ID used to identify the session in requests
- Identification of the session
  - URL rewriting: appends the sessionID to the request URI
    http://www.example.com?sessionID=SID1234
  - HTML hidden field: special field in HTML forms
    <input type="hidden" name="sessionID" value="SID1234"/>
  - Cookies: additional request header field
    Cookie: $Version="1"; sessionID="SID1234"
    Cookie generated by the server, sent to the user agent in the response field
    Set-Cookie2: $Version="1"; sessionID="SID1234"

HTTP Authentication
- Methods to authenticate users
- Restrict access to resources
- Not secure unless used with an external secure system (e.g. SSL)
- Based on challenges
  - Server poses a challenge to the client
  - Client has to respond with the correct answer
- Restriction is based on realms
  - String value
  - Defines/names a protection space (= realm) = set of documents

HTTP Authentication (exchange)
- C: requests a protected resource
- S: 401 Unauthorized; the WWW-Authenticate header field includes at least one challenge that must be fulfilled by the client
- C: Authorization header field in the request; contains credentials containing authentication information for a realm
- S: responds with the resource

Basic Authentication
- Client identifies itself with UserID & Password
- Challenge: "Basic" realm
  WWW-Authenticate: Basic realm="WaynesWorld"
- Credentials: "UserID:Password" base64 encoded
  Authorization: Basic XYZ1235456==
- Weak authentication
  - Problem: Base64 is bijective; inverse application of the base64 algorithm leads to the password

Digest Authentication
- Challenge contains a "nonce" value
- Valid response contains a checksum of Username + Password + nonce + HTTP method + Request-URI
- Default uses MD5 checksums (128 bit)
- Password never sent in the clear
- Quality of Protection (qop)
  - Different protection levels
  - Authentication, integrity checking, confidentiality checking

Digest Authentication / 2
  WWW-Authenticate: Digest
      realm="WaynesWorld",
      nonce="dcd98b1234567890acd23467",
      opaque="12345"

  Authorization: Digest
      username="Wayne",
      realm="WaynesWorld",
      nonce="dcd98b1234567890acd23467",
      uri="/index.html",
      response="67890abcdef1234567890ab"

Dynamic Web - Why?
- Web servers usually return only static files
- What about interactive content? Created based on user interaction
- What about dynamic content? Created based on database access
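The state-management slide names three ways to carry a session ID (URL rewriting, hidden form field, cookie) and says the server keeps the variables. The following added example (not part of the slides) implements the server side of that: a session table with expiry, a parser for the old-style Cookie header shown on the slide (the $Version attribute is skipped), a lookup that tries the three carriers in order, and the response header that hands the ID to the user agent. The TTL, the helper names, and the use of Set-Cookie instead of the slide's Set-Cookie2 are this example's choices; the `headers` argument is assumed to be a dict with lower-cased header names.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "sessionID"


class SessionStore:
    """Server-side session table: the client only ever holds the session ID."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock                   # injectable for tests
        self._sessions = {}                  # session id -> {"expires": t, "data": {...}}

    def create(self):
        # Unguessable ID from the OS CSPRNG; a sequential value such as SID1234
        # would let one user derive another user's ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"expires": self.clock() + self.ttl, "data": {}}
        return sid

    def get(self, sid):
        """Return the session's variables, or None if unknown or expired."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["expires"] < self.clock():
            del self._sessions[sid]          # server time-out removes the session
            return None
        return session["data"]


def parse_cookie_header(value):
    """'$Version="1"; sessionID="SID1234"' -> {'sessionID': 'SID1234'} ($-attributes skipped)."""
    cookies = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        if not sep or name.startswith("$"):
            continue
        cookies[name.strip()] = val.strip().strip('"')
    return cookies


def find_session_id(headers, request_uri, body=""):
    """Locate the session ID using the three mechanisms from the slides, in order:
    Cookie header, URL rewriting (query part), HTML hidden field (form body)."""
    if "cookie" in headers:
        sid = parse_cookie_header(headers["cookie"]).get(COOKIE_NAME)
        if sid:
            return sid, "cookie"
    query = parse_qs(urlsplit(request_uri).query)
    if COOKIE_NAME in query:
        return query[COOKIE_NAME][0], "url"
    form = parse_qs(body)
    if COOKIE_NAME in form:
        return form[COOKIE_NAME][0], "hidden-field"
    return None, None


def set_cookie_header(sid):
    """Response header handing the ID to the user agent. HttpOnly keeps it away from
    page scripts and Secure restricts it to SSL, matching the slide's remark that
    session handling is only secure together with an external secure system."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure"
```

A practical difference between the three carriers: an ID placed in the URL ends up in browser history, proxy logs and Referer headers, so the cookie carrier with the attributes above is the one to prefer when the client supports it.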
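The Basic and Digest slides state the two schemes' credentials in words and give a sample Digest exchange whose response value is only a placeholder. The following added example (written for this page, not from the slides) implements both sides: Basic encoding and the trivial base64 inversion the slide warns about, and the Digest computation without qop, which is the form the slide's exchange uses: response = MD5(MD5(username:realm:password):nonce:MD5(method:uri)). The server keeps only MD5(username:realm:password), issues fresh nonces, verifies with a constant-time comparison and accepts each nonce once. The class and function names, the single-use nonce policy and the user store are this example's assumptions.

```python
import base64
import hashlib
import hmac
import secrets


def basic_credentials(username, password):
    """Authorization value for Basic: base64 of "UserID:Password"."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header_value):
    """Inverse of the base64 step: this is why Basic is only as safe as the transport."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        return None
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(username, realm, password):
    """H(A1): what the server stores instead of the clear password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header_value):
    """Parse 'Digest k="v", k2="v2"' into a dict (assumes no commas inside values)."""
    scheme, _, rest = header_value.partition(" ")
    if scheme != "Digest":
        return None
    fields = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        fields[key.strip()] = value.strip().strip('"')
    return fields


def client_authorization(username, password, challenge, method, uri):
    """Build the Authorization header from a WWW-Authenticate challenge."""
    c = parse_digest(challenge)
    realm, nonce = c["realm"], c["nonce"]
    response = digest_response(digest_ha1(username, realm, password), nonce, method, uri)
    return (f'Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


class DigestServer:
    """Server side: issues challenges and verifies Authorization headers."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user       # username -> H(A1), never the password
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)        # fresh, unpredictable nonce per challenge
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, method, authorization):
        f = parse_digest(authorization)
        if f is None or any(k not in f for k in ("username", "realm", "nonce", "uri", "response")):
            return False
        if f["realm"] != self.realm or f["nonce"] not in self.live_nonces:
            return False                     # wrong realm, unknown or already used nonce
        ha1 = self.ha1_by_user.get(f["username"])
        if ha1 is None:
            return False
        expected = digest_response(ha1, f["nonce"], method, f["uri"])
        ok = hmac.compare_digest(expected, f["response"])
        if ok:
            self.live_nonces.discard(f["nonce"])   # single use: a replayed header fails
        return ok
```

The checksum binds the method and URI, so a captured Authorization header cannot be reused for a different request, and with the nonce consumed on success it cannot be reused at all. MD5 is what the slide names as the default; the scheme's strength against offline guessing of the password still rests on the password itself, since anyone who sees the exchange can test candidates against the response.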
Dynamic Web Technologies
- CGI scripts
- Java Servlets
- PHP
- ASP.NET

CGI (Common Gateway Interface)
- RFC 3875
- Running external programs from HTTP servers
- Platform-independent mechanism
- CGI script & HTTP server together
  - Servicing a client request
  - Creating the response
- Typical CGI script: C, Perl; but any language is possible (Java, ...)
- Invoked by the HTTP server
- Invocation of a CGI script creates a new process per request

CGI / 2
- Supported by most programming languages
- Requirements: standard input stream, standard output stream, environment variables
  - Access to the standard input stream
  - Access to the standard output stream
  - Access to environment variables
- Web server
  - Invocation of executables (stand-alone executables) OR
  - Invocation of an interpreter (interpreted languages)
- Typical CGI script addressed with a URI

CGI / 3
- Client (WWW browser) -> Server -> CGI script

CGI / 4 - Example in C
    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        /* CGI output: header field(s), a blank line, then the body */
        printf("Content-type: text/html\r\n");
        printf("\r\n");
        printf("Hello world!<br>\r\n");
        exit(0);
    }

Fast-CGI
- CGI performance problem
  - Many requests require multiple processes
  - Initialization of connections/resources (database) on every request
- FastCGI
  - Script remains in memory (via an endless loop)
  - Requires a predefined protocol/API for communication with the HTTP server
  - Standard CGI uses just StdIn/StdOut

Fast-CGI / 2
    #include "fcgi_stdio.h"   /* FastCGI's stdio replacement: printf goes to the server */
    #include <stdlib.h>

    int main(void)
    {
        int count = 0;        /* kept across requests: the process stays alive */
        while (FCGI_Accept() >= 0) {
            printf("Content-type: text/html\r\n");
            printf("\r\n");
            printf("Hello world! Request %d<br>\r\n", ++count);
        }
        exit(0);
    }

Java Servlets
- Web component implemented in Java
- Implements the interface javax.servlet.Servlet
- Generates dynamic content
- Managed by a servlet engine (container)
- Web server extensions
- Request/response paradigm
- Interaction with Web clients

Request/response Interaction
- Web client (browser) <- request/response -> Web server -> Servlet container: ServletA, ServletB, ServletC

Servlet characteristics
- Much faster than CGI scripts (in general): a different process model is used

Servlet interface / 1
<<interface>> javax.servlet.Servlet
- destroy()
- ServletConfig getServletConfig()
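The CGI slides list the three things a script needs (standard input, standard output, environment variables) and show a C script that writes a fixed page. The following added example (not from the slides) shows the same contract from the script's side in Python, with the parts the C example leaves out: the method and query string are read from the environment, a POST body is read from standard input bounded by CONTENT_LENGTH, a bad length is answered with the CGI "Status:" header, and client-supplied text is HTML-escaped before it is echoed into the page. The MAX_BODY limit, the parameter name "name" and the function names are this example's assumptions; the environment variable names are the standard CGI ones from RFC 3875.

```python
import html
import io
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 1 << 20   # upper bound on an accepted POST body (assumption, not from the slides)


def read_request(environ, stdin):
    """See the request the way a CGI script does: method and query string come from
    environment variables, a POST body from standard input, bounded by CONTENT_LENGTH."""
    method = environ.get("REQUEST_METHOD", "GET")
    params = parse_qs(environ.get("QUERY_STRING", ""))
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            raise ValueError("CONTENT_LENGTH is not a number") from None
        if not 0 <= length <= MAX_BODY:
            raise ValueError("CONTENT_LENGTH out of range")
        body = stdin.read(length)            # never read past what the server announced
        if environ.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
            for key, values in parse_qs(body.decode("utf-8", "replace")).items():
                params.setdefault(key, []).extend(values)
    return method, params


def render(params):
    """Header block, blank line, then the body, the same shape as the C example on the
    slide; client-supplied text is HTML-escaped before it is echoed back."""
    name = params.get("name", ["world"])[0]
    return ("Content-type: text/html\r\n\r\n"
            f"Hello {html.escape(name)}!<br>\r\n").encode("utf-8")


def cgi_main(environ=None, stdin_bytes=None):
    """Run one CGI invocation and return the bytes to write to standard output.
    With no arguments it uses the real environment and stdin, as under a web server."""
    environ = os.environ if environ is None else environ
    stdin = sys.stdin.buffer if stdin_bytes is None else io.BytesIO(stdin_bytes)
    try:
        _method, params = read_request(environ, stdin)
    except ValueError as exc:
        # The CGI "Status:" header (RFC 3875) tells the web server which status to send.
        return f"Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\n{exc}\r\n".encode()
    return render(params)


if __name__ == "__main__":
    sys.stdout.buffer.write(cgi_main())
```

Because every request starts a fresh process, nothing in this script survives between calls; that is the cost the Fast-CGI slide addresses, and it is also why a CGI script must re-validate everything from the environment and stdin on each invocation rather than trusting earlier state.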