Web Technologies Lecture Notes Unit 5


Web Technologies

B.Tech. IT III Year II Semester


UNIT V

WEB SERVERS & SERVLETS

Outline of Presentation

Tomcat Webserver
Introduction To Servlets
Life Cycle of Servlet
Servlet API
Reading Servlet Parameters
Steps to Run a Servlet
Example to handle Http Request and Response
Using Cookies and Session Tracking
Security Issues

Tomcat WebServer
A servlet container is like a mini server, but only
for serving html, jsp and servlets.
Many servlet containers could be used for this course.
Some may even be easier to configure than tomcat,
but tomcat provides an easy-to-use
development/deployment tool and also complies with
the servlet specification best of all containers.
Tomcat is from Apache and is open-source.
Tomcat can be used as a stand-alone servlet container.
You can install the Apache server with Tomcat, and
then proceed to configure each for their individual
purposes. (The server would relay servlet requests to
Tomcat.)

Introduction to Servlets
What can you build with Servlets?

Search Engines
E-Commerce Applications
Shopping Carts
Product Catalogs
Intranet Applications
Groupware Applications:
bulletin boards
file sharing

Servlets vs. CGI

[Figure: with CGI, Browser 1 to Browser N reach the web server, which runs a separate Perl process (Perl 1 to Perl N); with servlets, Browser 1 to Browser N reach the web server, which uses a single Servlet.]

A Servlet does not run in a separate process.
A Servlet stays in memory between requests.
A CGI program needs to be loaded and started for each CGI request.
There is only a single instance of a servlet, which answers all requests concurrently.

Benefits of Java Servlets


Performance
The performance of servlets is superior to CGI because there is no
process creation for each client request.
Each request is handled by the servlet container process.
After a servlet has completed processing a request, it stays resident in
memory, waiting for another request.

Portability
Like other Java technologies, servlet applications are portable.

Rapid development cycle
As a Java technology, servlets have access to the rich Java library, which helps speed up the development process.

Robustness
Servlets are managed by the Java Virtual Machine.
You don't need to worry about memory leaks or garbage collection, which helps you write robust applications.

Widespread acceptance
Java is a widely accepted technology.

Definitions
A servlet is a Java class that can be loaded dynamically into and run by a special web server.
This servlet-aware web server is known as a servlet container.
Servlets interact with clients via a request-response
model based on HTTP.
Therefore, a servlet container must support HTTP as
the protocol for client requests and server responses.
A servlet container also can support similar protocols
such as HTTPS (HTTP over SSL) for secure
transactions.

Servlet Container Architecture

[Figure: the browser exchanges an HTTP request and an HTTP response with the HTTP server, which is shown with static content and a servlet container holding the servlet.]

How Servlets Work

[Flowchart: Receive Request; is servlet loaded? (No: Load Servlet); is servlet current? (No: Load Servlet); Process Request; Send Response.]

Servlet Life Cycle

Initialization
init()

Service
service()
doGet()
doPost()
doDelete()
doHead()
doTrace()
doOptions()

Destruction
destroy()

Concurrent
Threads
of Execution

Servlet Life Cycle


When a servlet is FIRST requested, it is loaded into the servlet engine. The init() method of the servlet is invoked so that the servlet may initialize itself.
Once initialization is complete, the request is then forwarded to the appropriate method (i.e. doGet or doPost).
The servlet is then held in memory. Subsequent requests are simply forwarded to the servlet object.
When the engine wishes to remove the servlet, its destroy() method is invoked.
NOTE: Servlets can receive multiple requests from multiple clients at any given time. Therefore, servlets must be thread safe.
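
An added example, not part of the original notes, illustrating the thread-safety note above: per-request data stays in local variables, and state that really is shared uses an atomic type. The class name ThreadSafeServlet is hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet: the container creates one instance and calls
// doGet() on it from many request threads at the same time.
public class ThreadSafeServlet extends HttpServlet {

    // Unsafe pattern, shown only as comments:
    //   private String user;  // thread A can print the name thread B stored
    //   private int hits;     // hits++ is read-modify-write, updates get lost

    // State that must be shared across requests uses a thread-safe type.
    private final AtomicLong hits = new AtomicLong();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Per-request data lives in local variables, one copy per thread.
        String user = req.getRemoteUser();   // null if not authenticated
        long count = hits.incrementAndGet(); // atomic increment

        res.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("User: " + (user == null ? "anonymous" : user));
        out.println("Requests served by this servlet instance: " + count);
        out.close();
    }
}
```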

Servlet APIs

Every servlet must implement the javax.servlet.Servlet interface.
Most servlets implement the interface by extending one of these classes:
javax.servlet.GenericServlet
javax.servlet.http.HttpServlet

Generic Servlet & HTTP Servlet


[Figure: GenericServlet: client, request, server, service(), response. HttpServlet: browser, request, HTTP server, service(), doGet(), doPost(), response.]

Interface javax.servlet.Servlet
The Servlet interface defines methods
Life cycle methods:
to initialize a servlet
to receive and respond to client requests
to destroy a servlet and its resources
Other methods:
to get any startup information
to return basic information about itself, such as its author, version and copyright.

Developers need to directly implement this interface only if their servlets cannot (or choose not to) inherit from GenericServlet or HttpServlet.

GenericServlet - Methods
void init(ServletConfig config)
Initializes the servlet.

void service(ServletRequest req, ServletResponse res)
Carries out a single request from the client.

void destroy()
Cleans up whatever resources are being held (e.g., memory, file
handles, threads) and makes sure that any persistent state is
synchronized with the servlet's current in-memory state.

ServletConfig getServletConfig()
Returns a servlet config object, which contains any initialization
parameters and startup configuration for this servlet.

String getServletInfo()
Returns a string containing information about the servlet, such as its
author, version, and copyright.

HttpServlet - Methods
void doGet (HttpServletRequest request,
HttpServletResponse response)
handles GET requests
void doPost (HttpServletRequest request,
HttpServletResponse response)
handles POST requests
void doPut (HttpServletRequest request,
HttpServletResponse response)
handles PUT requests
void doDelete (HttpServletRequest request,
HttpServletResponse response)
handles DELETE requests

Servlet Request Objects


A servlet request object provides client request information to a servlet.
The servlet container creates a servlet request object and passes it as an argument to the servlet's service method.
The ServletRequest interface defines methods to retrieve data sent as the client request:
parameter names and values
attributes
input stream
HttpServletRequest extends the ServletRequest interface to provide request information for HTTP servlets.

HttpServletRequest - Methods
Enumeration getParameterNames()
an Enumeration of String objects, each String
containing the name of a request parameter; or
an empty Enumeration if the request has no
parameters
java.lang.String[] getParameterValues (java.lang.String name)
Returns an array of String objects containing
all of the values the given request parameter
has, or null if the parameter does not exist.
java.lang.String getParameter (java.lang.String name)
Returns the value of a request parameter as a
String, or null if the parameter does not exist.

HttpServletRequest - Methods
Cookie[] getCookies()
Returns an array containing all of the Cookie objects the
client sent with this request.
java.lang.String getMethod()
Returns the name of the HTTP method with which this
request was made, for example, GET, POST, or PUT.
java.lang.String getQueryString()
Returns the query string that is contained in the request
URL after the path.
HttpSession getSession()
Returns the current session associated with this request, or
if the request does not have a session, creates one.

Servlet Response Objects


Defines an object to assist a servlet in sending a
response to the client.
The servlet container creates a ServletResponse
object and passes it as an argument to the servlet's
service method.

HttpServletResponse - Methods
java.io.PrintWriter getWriter()
Returns a PrintWriter object that can send
character text to the client
void setContentType (java.lang.String type)
Sets the content type of the response being
sent to the client. The content type may
include the type of character encoding used,
for example, text/html; charset=ISO-8859-4
int getBufferSize()
Returns the actual buffer size used for the
response

Reading Servlet Parameters


The request object (which implements HttpServletRequest) provides information from the HTTP request to the servlet.
One type of information is parameter data, which is information from the query string portion of the HTTP request.

[Figure: query string with one parameter]
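
An added example, not from the original notes, that reads query-string parameters with getParameter(), getParameterNames() and getParameterValues(), handles the null returned for a missing parameter, and validates and HTML-encodes values before writing them to the page. The class name ShowParamsServlet, the parameter name "name" and the allowed pattern are assumptions; the generic Enumeration<String> return type assumes the Servlet 3.0 or later API.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, requested for example as .../ShowParams?name=Asha
public class ShowParamsServlet extends HttpServlet {

    // Minimal HTML encoder so parameter text cannot become markup.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String name = req.getParameter("name");   // null if the parameter is absent
        if (name == null || !name.matches("[A-Za-z ]{1,40}")) {  // assumed rule
            res.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }
        res.setContentType("text/html; charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><p>Hello, " + escapeHtml(name) + "</p><ul>");
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            String p = names.nextElement();
            for (String v : req.getParameterValues(p)) {  // a name may repeat
                out.println("<li>" + escapeHtml(p) + " = " + escapeHtml(v) + "</li>");
            }
        }
        out.println("</ul></body></html>");
        out.close();
    }
}
```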

Steps to Running a Servlet

Create a directory structure under Tomcat for your application.
Write the servlet source code.
Compile your source code.
Deploy the servlet.
Run Tomcat.
Call your servlet from a web browser.

Create a Directory Structure


The webapps directory under the Tomcat installation directory (CATALINA_HOME) is where you store your web applications.

A web application is a collection of servlets and other contents installed under a specific subset of the server's URL namespace.

A separate directory is dedicated for each servlet application.

Create a directory called myApp under the webapps directory.
Create the src and WEB-INF directories under myApp, and create a directory named classes under WEB-INF.
The src directory is for your source files, and the classes directory under WEB-INF is for your Java classes.
If you have html files, you put them directly in the myApp directory.
The admin, ROOT, and examples directories are for applications created automatically when you install Tomcat.

Write the Servlet Code


Servlets implement the javax.servlet.Servlet interface.
Because most servlets extend web servers that use the
HTTP protocol to interact with clients, the most
common way to develop servlets is by specializing
the javax.servlet.http.HttpServlet class.
The HttpServlet class implements the Servlet
interface by extending the GenericServlet base class,
and provides a framework for handling the HTTP
protocol.
Its service() method supports standard HTTP requests
by dispatching each request to a method designed to
handle it.
In myApp/src, create a file called TestingServlet.java

Servlet Example
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class MyServlet extends HttpServlet
{
    protected void doGet(HttpServletRequest req,
                         HttpServletResponse res)
            throws ServletException, IOException
    {
        res.setContentType("text/html");     // headers are set before the body is written
        PrintWriter out = res.getWriter();
        out.println("<HTML><HEAD><TITLE>Hello You!</TITLE></HEAD>" +
                    "<BODY>HelloYou!!!</BODY></HTML>");
        out.close();
    }
}

An Example of Servlet (I)


Lines 1 to 3 import some packages which contain many classes which are used by the Servlet (almost every Servlet needs classes from these packages).

The Servlet class is declared in line 5. Our Servlet extends javax.servlet.http.HttpServlet, the standard base class for HTTP Servlets.

In lines 7 through 16 HttpServlet's doGet method is overridden.

An Example of Servlet (II)


In line 11 we use a method of the HttpServletResponse object to set the content type of the response that we are going to send. All response headers must be set before a PrintWriter or ServletOutputStream is requested to write body data to the response.

In line 12 we request a PrintWriter object to write text to the response message.

In lines 13 and 14 we use the PrintWriter to write the text of type text/html (as specified through the content type).

An Example of Servlet (III)


The PrintWriter gets closed in line 15 when we are finished writing to it.

In lines 18 through 21 we override the getServletInfo() method which is supposed to return information about the Servlet, e.g. the Servlet name, version, author and copyright notice. This is not required for the function of the HelloClientServlet but can provide valuable information to the user of a Servlet who sees the returned text in the administration tool of the Web Server.

Compile the Servlet


Compile the Servlet class
The resulting TestingServlet.class file should
go under myApp/WEB-INF/classes

Deploy the Servlet


In the Servlet container each application is represented by a servlet context.
Each servlet context is identified by a unique path prefix called the context path.
For example, our application is identified by /myApp, which is a directory under webapps.
The remaining path is used in the selected context to find the specific Servlet to run, following the rules specified in the deployment descriptor.

Deployment Descriptor

The deployment descriptor is an XML file called web.xml that resides in the WEB-INF directory within an application.

<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <display-name>test</display-name>
  <description>test example</description>
  <servlet>
    <servlet-name>Testing</servlet-name>
    <servlet-class>TestingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Testing</servlet-name>
    <url-pattern>/servlet/TestingServlet</url-pattern>
  </servlet-mapping>
</web-app>

Run the Servlet


To execute your Servlet, type the following URL in the browser's address field:
http://localhost/myApp/servlet/myServlet

Web Client Session Tracking


HTTP is a stateless protocol that takes requests from
web clients and responds with a file. It does not
memorize what has happened in the past.
FTP and Telnet protocols know the client states, such
as users, connections, and disconnections but HTTP
does not.
A client session consists of a series of conversations
between the client and web applications on the web
server.

Web Client Session Tracking


contd..
Using the HttpSession API in session management is
quite straightforward, and it may be the best option
for session tracking in most cases.
The HttpSession object can hold a session id that can
be used to identify whether the requests are within the
same session so that they can share the same data.
Each HttpSession object represents a single user
HTTP session.
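
An added example, not from the original notes, of session tracking with the HttpSession API: it counts accesses within a session, reports the session's access times, and sets an idle timeout so an unused session id expires on the server. The class name SessionTrackerServlet, the attribute name accessCount and the 15-minute timeout are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet: counts accesses per session and shows access times.
public class SessionTrackerServlet extends HttpServlet {

    private static final int IDLE_TIMEOUT_SECONDS = 15 * 60; // assumed policy

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession session = req.getSession();   // creates a session if none exists
        if (session.isNew()) {
            // Idle sessions expire on the server, which limits how long
            // an intercepted session id remains usable.
            session.setMaxInactiveInterval(IDLE_TIMEOUT_SECONDS);
        }

        // The count is stored on the server. The client holds only the session id,
        // so it cannot edit the value as it could a cookie or hidden form field.
        // Two simultaneous requests in one session may race; that is acceptable
        // for a display counter.
        Integer count = (Integer) session.getAttribute("accessCount");
        count = (count == null) ? 1 : count + 1;
        session.setAttribute("accessCount", count);

        res.setContentType("text/plain; charset=UTF-8");
        // Ask browsers and proxies not to keep a copy of this per-session page.
        res.setHeader("Cache-Control", "no-store");
        PrintWriter out = res.getWriter();
        out.println("Accesses in this session: " + count);
        out.println("Session created: " + new Date(session.getCreationTime()));
        out.println("Last accessed:   " + new Date(session.getLastAccessedTime()));
        out.close();
    }
}
```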

Web Client Session Tracking


contd..
Mechanisms for session maintenance:
Cookies
URL Rewriting

Hidden Form fields

Servlet Cookies
Cookies are text files that store sets of param/value pairs. The Servlet at the server side generates the cookie based on the client's HTTP request.
The cookie is created on the server side and sent back to the client along with the HttpServletResponse object.
The cookie is stored in the client's browser.

Servlet Cookies contd..

URL Rewriting

Rewrite the URLs of the links of a web page to contain extra information in the form of a query string or extra path information.
Example: a user named John Doe logs in with session ID=1234 and enters page1.cgi; page1.cgi contains a link to page2.cgi.
When the user clicks the link to page2.cgi, the URL is:
http://sample.com/page2.cgi?fname=John&lname=Doe&sessionid=1234

Hidden Form Fields


<input type=HIDDEN name=id value=1234>

Typically contained in forms that are placed in a common frame of a frameset.
Accessed using client-side JavaScript.
When JavaScript executes in one page of an application, it stores values (session ID) in hidden form fields.

Security Issues
Server-side Security Issues

Interception of Session State Information


Forgery of Session State Information
Session Timeout
Buffer Overflow
Data Validation

Security Issues contd..


Page Sequencing
Information Reporting
Browser Residue

User Authentication
Logging of Sensitive Information

Important questions
1. Briefly explain about Tomcat web server.
2. a) What are the limitations of Servlets?
b) Explain Servlet Vs CGI
3. Explain the life cycle of a servlet.
4. Write a session tracker that tracks the number of accesses and last access
data of a particular web page.
5. a) Discuss about javax.servlet package.
b) What are the security issues related to servlets?
