Overview
• Generic Mechanisms • ISAPI/Apache Modules • CGI (Common Gateway Interface) Network Services, VU 2.0 •PHP • ASP •Java related Dynamic Web Technologies – Java Servlets, Java Server Pages, Java Server Faces – Java Web Applications • ASP.NET Dipl.-Ing. Johann Oberleiter Institute for Informationsystems, Distributed • Cocoon, Struts Systems Group
Dynamic Web – Why? Generic principles
• Web Servers return only with static files • Separation of layout, content and program logic – Good design principle (not only in Web) • Interactive Content – Allows parallel tasks of • Developer – Created based on user interaction • Web Designer • Dynamic Content • Layout – Created on the fly –HTML • Content – Database access – Which Text when dynamically generated • Program Logic – What overall structure – What navigational structures
1 ISAPI Apache Modules
• Internet Server API (Microsoft IIS) • Extension mechanism for Apache – IIS only – Extension mechanism for IIS – C based – C-based (like Windows API) – Based on Apache Portable Runtime (APR), and C standard • Implements number of callbacks library – Functions that are called by server • Request sent to ISAPI extension via API functions (callbacks) • Based on Hooks (callbacks) • Respond via API functions (callbacks) • Categories • Supports use of Multithreaded features – Authentication, Authorization, Accounting • Features – Scalability – Cache – Supports ISAPI extensions – Filters • Similar to CGI-scripts • Modify output from another module – Supports ISAPI filter • Pre & postprocessing of a request, may be chained – Mappers • NSAPI • Map requests from URLs to resources on disc – Netscape Server API – Loggers
Common Gateway Interface CGI / 2
• Supported by most programming languages • RFC 3875 – Requires access of standard input stream, standard output stream, environment • Running external programs • Supported by most programming languages – From HTTP servers – requirements • Access standard input stream – Platform-independent mechanism • Access standard output stream • Access environment variables • CGI script & HTTP server together – Web Server • Invocation of executables (stand-alone executables) – Servicing a client request • Invocation of interpreter (interpreter languages) –Typical – Creating response •C, Perl • CGI script addressed with URI • New Process per request
2 CGI / 3 CGI / 4
Client WWW void main(void) Browser Server { printf("Content-type: text/html\r\n"); printf("\r\n"); printf("Hello world!
\r\n"); CGI- exit(0); Script }
Fast-CGI Fast-CGI / 2
• CGI performance problem void main(void) { – Many requests require multiple processes int count=0; – Initialization of connections/resources while(FCGI_Accept() >= 0) { (database) printf("Content-type: text/html\r\n"); •FastCGI printf("\r\n"); – Script remains in memory (via endless loop) printf("Hello world!
\r\n"); } – Predefined protocol/API for communication exit(0); with HTTP server }
3 PHP PHP - sample
• Abbreviation for PHP: Hypertext Preprocessor • Dynamic Web Scripting language – Syntax resembles C and Perl – Currently most frequently used Web programming language … – Usually embedded in HTML – Supported by most Internet service providers
• Wellknown through LAMP – Linux – Apache – MySql – PHP Hello World“; ?> • Many libraries – In particular libraries for database access • Problem – Mix of HTML and script code – Language grown over the years • Performance – Quite GoodActive Server Pages ASP / 2
Host 1 • Server-side scripting ala Microsoft – Relies on MS scripting languages COM Component 1 • Usually VB.NET or JScript (JavaScript) HTTP Server • Programming model – Program Logic via COM components – Principally scalable (via COM+) – Principally secure (server-side via COM+, ADSI) • Problems Host 2 – Mixture of layout and content • Principally possible to do it in a clean way (via COM comp.) COM+ / 2 – Vendor-lockin (only IIS supported) COM+ / 1 • though special solutions for Apache exist – Interpreted
4 Java Servlets Request/response Interaction
• Web component Web client Web server – implemented in Java (browser) • Generates dynamic content • Managed by a servlet engine (container) Servlet container – Web server extensions request response • Request/response paradigm ServletA ServletB ServletC – Interaction with Web clients
Servlets characteristics Servlet interface / 1
• Much faster than CGI scripts (in general) <
5 Servlet implementation Servlet lifecycle
service • Server implements servlet interface instantiate Servlet • Typically by inheriting from (predefined) init implementation classes initialized – GenericServlet
– HttpServlet destroy
destroyed finalized & garbage collected
Request Handling Response Generation
• Through Service method • By using methods of ServletResponse • ServletRequest object used object • Concurrent requests to same servlet – Concurrent execution of service method on different • Manual generation of any response threads • HTTP specific Request Handling • HttpServletResponse interface – HttpServlet adds HTTP specific methods – sendRedirect • primarily doGet & doPost, • doPut, doDelete, doHead, doOptions, doTrace – sendError • getParameterXXX methods provide – from URI query string and POST-ed data • getHeaderXXX methods
6 Servlet example Filtering public void doGet(HttpServletRequest req, • Filter HttpServletResponse res) throws ... – Java component { – Allow on the fly transformation res.setContentType("text/html"); – Implements javax.servlet.Filter PrintWriter out= res.getWriter(); • Filter transforms content of – HTTP requests out.println(""); – Responses out.println("
"); – Header information ... • Modify or adapt out.close(); – Requests for a resource (dynamic&static content) } – Responses from a resourceFilter examples Filter implementation
• Authentication filters • doFilter(ServletRequest req, ServletResponse res, • Logging and auditing filters FilterChain next) 1. Examine request • Image conversion filters 2. May wrap Request object with a custom implementation to • Data compression filters filter/modify content or headers for input filtering • Encryption filters 3. May wrap Response object with a custom implementation to filter/modify content or headers for output filtering • Tokenizing filters 4. May invoke next filter in chain or block further processing • Filters triggering resource access events 5. After invocation 4. examine response headers and modify • XSL/T filters output – Last element of chain is target servlet • MIME-type chain filters • Caching filters
7 Session Tracking Other Servlet Issues
• Cookies – Supported by servlet container • Request forwarding – Cookie name JSESSIONID – Via Request Dispatchers • SSL sessions – Only when SSL/TLS is in use – Support for event listeners – Built-in mechanism to distinguish multiple requests • For state changes in ServletContext, HttpSession, • URL Rewriting ServletRequest – Adds session ID to request URL – Lifecycle, changes to attributes, session migration, object –Eg. http://www.xyz.com/index.html;jsessionid=1234 binding • Supports storage of key-value pairs – Keys are object names (strings) •Problem – Values arbitrary Java objects • Session timeouts – Not often supported by public Web hosters
Java Server Pages (JSP) JSP
• JSP page • JSP container – Textual document how to create a response object – Life-cycle management from a request object for a given protocol – Runtime support – Defines a JSP page implementation class • Translation phase • Implements semantics of the JSP page – Validates syntactic correctness of JSP page • Implements javax.servlet.Servlet interface – Locates/Creates implementation class – HTTP default protocol for requests/responses • Execution phase – Default ending .jsp – Container delivers events to JSP page • Compilation • Traditional usage – Into implementation class + deployment info during deployment – Generation of HTML possible • Removal of start-up lag for transition phase • Generating XML possible • Reduction of memory footprint needen to run JSP container – no – More modern JSP XML-like syntax compiler required
8 JSP - Syntax JSP Elements
• Directives •Elements – Global information, independent of specific request – Info for translation phase – Element type known to JSP container – Syntax: <%@ directive ... %> • Actions • Template Data – Infos for request processing – Standardized (by JSP specification) – JSP translator not aware about – Custom (portable tag extension mechanism) – Syntax:
JSP Expression Language JSP Documents
• Simple expressions without Java code • JSP page that is also a XML document • Enclosed within ${...} – Well-formed, validation –${a+b} – Entity resolution may be applied –
9 JSP Taglibs JavaServer Faces
• Extension of tags a JSP container interprets • Extension of Servlets/JSPs – Tab library • Definition of Web components – Taglib directive required – Custom tag from tag library • <%@ taglib=http://www.xyz/mysupertags prefix="mysuper"/> – Event processing (similar to JavaBeans) –XML view • ActionListener • ValueChangedListener • xmlns:prefix on root of JSP document (urn:jsptld:uriValue) – Components render themselves as HTML –
JavaServer Faces - Sample Web Applications
10 Web Applications Web Applications
• Structured Hierarchy of Directories /index.html – Root of hierarchy is document root for application files /howto.jsp • Special directory WEB-INF /feedback.jsp – All things related to the application not in the document root /images/banner.gif – No file of WEB-INF served directly to client /images/jumping.gif – Eg. Configuration /WEB-INF/web.xml – Deployment descriptor /WEB-INF/web.xml /WEB-INF/lib/jspbean.jar – Servlet and Utility classes in /WEB-INF/classes/ /WEB-INF/classes/com/mycorp/servlets/MyServlet.class – Java ARchive Files (JAR) in /WEB-INF/lib/ /WEB-INF/classes/com/mycorp/servlets/MyUtils.class • Packaged in Web ARchive Format (WAR-File) Example: –JAR Format Context-Path: /catalog in Web-Container • Supports references to other J2EE technologies Request: /catalog.index.html – eg EJB,JNDI,WebServices
Web Applications Security
• Deployment Descriptor (XML File) • Declarative Security – ServletContext Init Parameters – Expressing an application's security structure external to the – Session Configuration application – Servlet/JSP Definitions • Roles, Access Control, Authentication Requirements – Servlet/JSP Mappings – Described in deployment descriptor • /foo/bar/* servlet1 • /catalog servlet2 • Programmatic Security – Application Lifecycle Listener classes – HttpServletRequest – Filter Definitions and Filter Mappings • getRemoteUser (user name client used for auth.) – MIME Type Mappings • isUserInRole – Welcome File list • getUserPrincipal (principal name of current user) • Default files for unmachted URIs (eg. default.jsp) • Servlet container – Error Pages – Enforces declarative or programmatic security • List of error page descriptions • For the principal associated with an incoming request based on – Locale and Encoding Mappings security attributes of the principal – Security
11 Security Constraint Security Role (deployment descriptor)
• On application deployment
Jakarta Tomcat Apache Integration with Tomcat / 1
• Most important Servlet engine • Sharing load using different port numbers – Became reference implementation – Eg. Apache runs on port 80, tomcat on 8080 • Usually port 8080 • Same or different server • Hosts JSPs, Servlets – Problems – Connections to other technologies • User see URLs that contain different ports/servers • Stand-alone WebServer – interesting for bookmarking – Supports SSI • 2 WebServers to tune, maintain, secure – Supports CGI • Apache security does not know about Tomcat – Not as sophisticated as Apache security (file access, user authentication) • Performance, no support for non-Java languages, available tools, ...
12 Apache Integration with Tomcat / 2 Apache Integration with Tomcat / 3
• Proxying Apache to Tomcat • Custom connector protocol – Apache hands over all requests to specific – Apache module mod_jk2 URIs to Tomcat • a module for IIS is also available • Using Apache module mod_proxy – AJP protocol (Apache JServ protocol) – Problems – Supports load balancing • No load balancing for more than one proxy – Supports In-Process JVM • 2 WebServers to tune, maintain, secure • Tomcat runs inside Apache • HTTP proxying slower than custom connectors • Dual authentication
ASP.NET ASP.NET / 2
• Microsoft‘s answer to Servlets/JSP • ASP.NET (aspx) page translated to .NET class • Requires .NET – Inherits from System.Web.UI.Page • Supported by IIS 6.0 – Only if source has changed – Special support for Apache / Mono • Server-side Web Controls • Completely different to ASP – .NET classes – More like Java Servlets/JSP/Java ServerFaces – Server-side representation of HTML elements • or more complex elements • Supports different programming languages – Implement their own renderering facility – Any .NET capable programming language – May be rendered in any browser • Microsoft supports C#, C++, VB.NET, J# – May raise events (.NET event/delegate model) • Today frequently supported • Programming model – With Windows 2003 Server Web Edition – Accessing .NET assemblies & components
13 ASP.NET / 3 ASP.NET / 4
• ASP.NET page classes • Validators • In-line code – Validation of user input – Program code within – Different types – Problem: mixture of HTML and program logic • RequiredFieldValidator, • Code behind • RangeValidator – Refers to code separated in a different class file • RegularExpressionValidator • <%@ Language=„c#“ Inherits=„MyOther.MyClass“> – Inherits from the provided class • CustomValidator – Addition of new methods,properties allowed – Happens after button is pressed – .NET Methods/Properties may be accessed with special script elements – Error message may be placed on a Web • Allows separation of layout and contents control "ValidationSummary"
ASP .NET / 5 Dynamic Web Architectures / 1
<%@ Page Language="C#"%> • Sun's Model 1 architecture
– Weak concerning separation of content and presentation14 Model 1 architecture Dynamic Web Architectures / 2
• Sun's Model 2 architecture – MVC paradigm request • Model – underlying Datamodel •View –GUI – Changes in the model are automatically represented in the view • Controller – interprets user interaction JSP Beans – sends appropriate commands to Model – Servlet acts as controller response – JSP acts as View – JavaBeans act as Model (created by the servlet) • Contain also connections to databases, EJB servers, ... – No processing logic in the JSPs • Processing logic – Better separation of content and presentation
Model 2 architecture Struts
• Framework for request 1 (Controller) – Model 2 architectures Servlet • Provides its own controller
2 • Supports different technologies for Model response 4 3 (View) (Model) – JDBC, EJB, Hibernate JSP Beans • Supports different technologies for View – JSP, JSF, XSLT, JSTL, Velocity Templates
15 Cocoon Cocoon / 2
• XML based servlet framework generate (start from file abc.xml) • Based on XSLT pipelines
• Sitemaps controls generation of pages transform (apply layout.xsl) – generate starts pipeline
– transform applies stylesheet transform (apply book.xsl) – Serialize generates final output file
• Continuations serialize (generate abc.html) – Navigation flow written with JavaScript
16