Unit III Servlets
Unit III Servlets
Unit – III
Contents of the Unit
• Servlet Structure, Lifecycle, Single Thread model interface, Handling
Client Request: Form Data, Handling Client Request: HTTP Request
Headers. Generating server Response: HTTP Status codes, Generating
server Response: HTTP Response Headers, Handling Cookies
Basic Servlet Structure
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
public class ServletTemplate extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
// Use "request" to read incoming HTTP headers
// (e.g. cookies) and HTML form data (e.g. data the user
// entered and submitted).
// Use "response" to specify the HTTP response status
// code and headers (e.g. the content type, cookies).
PrintWriter out = response.getWriter();
// Use "out" to send content to browser
}
}
The Servlet Life Cycle
• init method: put one-time setup code.
• service method: each user request results in a thread that calls the
service method of the previously created instance.
• Multiple concurrent requests normally result in multiple threads
calling service simultaneously
• The service method then calls doGet, doPost, or another doXxx
method
• destroy method: when the serverdecides to unload a servlet
The init Method
• Is called when the servlet is first created
• Is not called again for each user request.
• Used for one-time initializations.
• Created when a user first invokes a URL corresponding to the servlet
or when the server is first started.
• Two versions of init:
• One that takes no arguments.
• one that takes a ServletConfig object as an argument.
No argument init
• Used when the servlet does not need to read any settings that vary
from server to server.
• General form
public void init() throws ServletException {
// Initialization code...
}
init with ServletConfig object as an
argument.
• Used when the servlet needs to read server-specific settings before it can complete the
initialization.
• For example, the servlet might need to know about database settings, password files, server-
specific performance parameters, hit count files, or serialized cookie
• General form
public void init(ServletConfig config) throws ServletException
{
super.init(config);
// Initialization code...
}
• This method takes a Servlet-Config as an argument.
• ServletConfig has a getInitParameter method, look up initialization parameters associated with
the servlet.
• The method body must have a call to super.init.
The service Method
• Each time the server receives a request for a servlet, the server spawns a new
thread and calls service.
• The service method checks the HTTP request type (GET, POST, PUT, DELETE, etc.)
and calls doGet, doPost, doPut, doDelete, etc., as appropriate.
• To handle both POST and GET requests identically override service directly as
below (but not a good idea)
public void service(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// Servlet Code
}
doPost call doGet
public void doGet(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
// Servlet Code
}
public void doPost(HttpServletRequest request, HttpServletResponse
response) throws ServletException, IOException {
doGet(request, response);
}
The doGet, doPost, and doXxx
Methods
• Ninety-nine percent of the time, you only care about GET and/or
POST requests override doGet and/or doPost.
• Override doDelete for DELETE requests, doPut for PUT, doOptions for
OPTIONS, and doTrace for TRACE.
• Automatic support for OPTIONS and TRACE.
The SingleThreadModel
Interface
• A single instance of the servlet is created
• A new thread for each user request, with multiple simultaneous threads running if a new
request comes in while a previous request is still executing.
• The doGet and doPost methods must be careful to synchronize access.
• To prevent this multithreaded access implement the SingleThreadModel interface
public class YourServlet extends HttpServlet
implements SingleThreadModel {
...
}
• Either queues up all the requests and passing them one at a time to a single
servlet instance, or by creating a pool of multiple instances, each of which
handles one request at a time.
The destroy Method
• Removes a previously loaded servlet instance.
• This is explicitly asked by the server administrator or the servlet is idle
for a long time.
• Used to close database connections, halt background threads, write
cookie lists or hit counts to disk, and perform other such cleanup
activities.
• This may possibly cause the Web server to crash.
•
Reading Form Data from
Servlets
• HttpServletRequest class has two methods
• getParameter(String);
• Returns a single string
• getParameterValues();
• Returns an array of strings
• To the getParameter method supply the case-sensitive parameter name as an argument.
• Use getParameter for both get and post methods, the server handles it appropriately behind the scenes.
• The return value is a String corresponding to the URL-decoded value of the first occurrence of that parameter
name.
• An empty String is returned if the parameter exists but has no value, and null is returned if there was no such
parameter.
• If the parameter could potentially have more than one value, call getParameterValues instead of
getParameter
• The return value of getParameterValues is null for nonexistent parameter names and is a one-element array
when the parameter has only a single value.
• Parameter names are case sensitive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<TITLE>Collecting Three Parameters</TITLE>
</HEAD>
<BODY BGCOLOR="#FDF5E6">
<H1 ALIGN="CENTER">Collecting Three Parameters</H1>
<FORM ACTION="/servlet/coreservlets.ThreeParams">
First Parameter: <INPUT TYPE="TEXT" NAME="param1"><BR>
Second Parameter: <INPUT TYPE="TEXT" NAME="param2"><BR>
Third Parameter: <INPUT TYPE="TEXT" NAME="param3"><BR>
<CENTER>
<INPUT TYPE="SUBMIT">
</CENTER>
</FORM>
</BODY>
</HTML>
public class ThreeParams extends HttpServlet {
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html");
PrintWriter out = response.getWriter();
String title = "Reading Three Request Parameters";
out.println(ServletUtilities.headWithTitle(title) +
"<BODY BGCOLOR=\"#FDF5E6\">\n" + "<H1 ALIGN=CENTER>" + title + "</H1>\n" +
"<UL>\n" + " <LI><B>param1</B>: "
+ request.getParameter("param1") + "\n" + " <LI><B>param2</B>: "
+ request.getParameter("param2") + "\n" + " <LI><B>param3</B>: "
+ request.getParameter("param3") + "\n" + "</UL>\n" +
"</BODY></HTML>");
}
}
Reading All Parameters
Reading Request Headers from
Servlets
• Request Headers:
• Accept,
• Accept-Encoding,
• Connection,
• Cookie,
• Host,
• Referer, and
• User-Agent
Example of Request Header
GET /search?keywords=servlets+jsp HTTP/1.1
Accept: image/gif, image/jpg, */*
Accept-Encoding: gzip
Connection: Keep-Alive
Cookie: userID=id456578
Host: www.somebookstore.com
Referer: http://www.somebookstore.com/findbooks.html
User-Agent: Mozilla/4.7 [en] (Win98; U)
Getting Request Headers
• The getHeader method of HttpServletRequest returns a String if the
specified header was supplied on this request is available, null
otherwise.
• Header names are not case sensitive.
• getHeader is the general-purpose way to read incoming headers
Specific Header Methods In
Httpservletrequest
• getCookies
• The getCookies method returns the contents of the Cookie header, parsed
and stored in an array of Cookie objects.
• getAuthType and getRemoteUser
• The getAuthType and getRemoteUser methods break the Authorization
header into its component pieces.
• getContentLength
• The getContentLength method returns the value of the Content-Length
header (as an int).
Special Access Methods In
Httpservletrequest cont..
• getContentType
• The getContentType method returns the value of the Content-Type header (as
a String).
• getDateHeader and getIntHeader
• The getDateHeader and getIntHeader methods read the specified header and
then convert them to Date and int values, respectively.
• getHeaderNames
• Rather than looking up one particular header, you can use the
getHeaderNames method to get an Enumeration of all header names
received on this particular request.
Special Access Methods In
Httpservletrequest cont..
• getHeaders
• In most cases, each header name appears only once in the request.
Occasionally, however, a header can appear multiple times, with each
occurrence listing a separate value. Accept-Language is one such example. If a
header name is repeated in the request, version 2.1 servlets cannot access
the later values without reading the raw input stream, since getHeader
returns the value of the first occurrence of the header only. In version 2.2,
however, getHeaders returns an Enumeration of the values of all occurrences
of the header.
Additional methods
• getMethod
• The getMethod method returns the main request method (normally GET or
POST, but things like HEAD, PUT, and DELETE are possible).
• • getRequestURI
• The getRequestURI method returns the part of the URL that comes after the host
and port but before the form data. For example, for a URL of http
://randomhost.com/servlet/search.BookSearch, getRequestURI would return
/servlet/search.BookSearch.
• getProtocol
• The getProtocol method returns the third part of the request line, which is
generally HTTP/1.0 or HTTP/1.1. Servlets should usually check getProtocol before
specifying response headers.
Reading All Headers
HTTP 1.1 Request Headers
• To perform a number of optimizations and to provide a number of
features not otherwise possible.
• HTTP 1.1 supports a superset of the headers permitted in HTTP 1.0.
• HTTP 1.1 specification - RFC 2616.
Accept
• Specifies the MIME types that the browser or other client can handle.
• Example
• images in PNG format have some compression advantages over those in GIF.
• only a few browsers support PNG.
• a servlet could call request.getHeader("Accept"), check for image/png, and if
it finds it, use xxx.png filenames in all the IMG elements it generates.
Otherwise it would just use xxx.gif.
Accept-Charset
• This header indicates the character sets (e.g., ISO-8859-1) the
browser can use.
Accept-Encoding
• Designates the types of encodings that the client knows how to handle.
• The server is free to encode the page by using the format specified by sending
the Content-Encoding response header.
• This encoding type is completely distinct from the MIME type of the actual
document.
• This encoding is reversed before the browser decides what to do with the
content.
• Values of gzip or compress are the two standard possibilities.
• Compressing pages before returning them is a very valuable service because
the decoding time is likely to be small compared to the savings in
transmission time.
Accept-Language
• Specifies the client’s preferred languages.
• The standard language codes are en, en-us, da, etc.
• See RFC 1766 for details.
Authorization
• This header is used by clients to identify themselves when accessing
password-protected Web pages
Cache-Control
• Used by the client to specify a number of options for how pages
should be cached by proxy servers.
• Usually ignored by servlets, but the Cache-Control response header
can be valuable to indicate that a page is constantly changing and
shouldn’t be cached.
Connection
• This header tells whether or not the client can handle persistent HTTP connections.
• These let the client or other browser retrieve multiple files (e.g., an HTML file and
several associated images) with a single socket connection, saving the overhead of
negotiating several independent connections.
• With an HTTP 1.1 request, persistent connections are the default, and the client must
specify a value of close for this header to use old-style connections.
• In HTTP 1.0, a value of keep-alive means that persistent connections should be used.
• The server invokes the servlet only after the server has already read the HTTP
request.
• Servlets need help from the server to handle persistent connections.
• Servlet’s job is just to make it possible for the server to use persistent connections,
which is done by sending a Content-Length response header
Content-Length
• This header is only applicable to POST requests and gives the size of
the POST data in bytes.
• Use request.getContentLength().
Content-Type
• Usually used in responses from the server.
• Part of client requests when the client attaches a document as the
POST data or when making PUT requests.
• access this header using request. getContentType().
Cookie
• Used to return cookies to servers that previously sent them to the
browser.
• Technically, Cookie is not part of HTTP 1.1.
• It was originally a Netscape extension but is now very widely
supported, including in both Netscape and Internet Explorer.
Expect
• This rarely used header lets the client tell the server what kinds of
behaviors it expects.
• The one standard value for this header, 100-continue, is sent by a
browser that will be sending an attached document and wants to
know if the server will accept it.
• The server should send a status code of either 100 (Continue) or 417
(Expectation Failed) in such a case.
From
• This header gives the e-mail address of the person responsible for the
HTTP request.
• Browsers do not send this header, but Web spiders (robots) often set
it as a courtesy to help identify the source of server overloading or
repeated improper requests.
Host
• Browsers are required to specify this header, which indicates the host
and port as given in the original URL.
• Due to request forwarding and machines that have multiple
hostnames, it is quite possible that the server could not otherwise
determine this information.
• This header is not new in HTTP 1.1, but in HTTP 1.0 it was optional,
not required.
If-Match
• This rarely used header applies primarily to PUT requests.
• The client can supply a list of entity tags as returned by the ETag
response header, and the operation is performed only if one of them
matches.
If-Modified-Since
• Indicates that the client wants the page only if it has been changed
after the specified date.
• Very useful for browsers to cache documents and reload them over
the network only when they’ve changed.
• servlets don’t need to deal directly with this header, just implement
the getLastModified method to have the system handle modification
dates automatically.
If-None-Match
• This header is like If-Match, except that the operation should be
performed only if no entity tags match.
If-Range
• This rarely used header lets a client that has a partial copy of a
document ask for either the parts it is missing (if unchanged) or an
entire new document (if it has changed since a specified date).
If-Unmodified-Since
• Similar to If-Modified-Since in reverse.
• The operation should succeed only if the document is older than the
specified date.
• If-Modified-Since is used for GET requests (“give me the document
only if it is newer than my cached version”), whereas If-Unmodified-
Since is used for PUT requests (“update this document only if nobody
else has changed it since I generated it”).
Pragma
• A Pragma header with a value of no-cache indicates that a servlet that
is acting as a proxy should forward the request even if it has a local
copy.
• The only standard value for this header is no-cache.
Proxy-Authorization
• This header lets clients identify themselves to proxies that require it.
• Servlets typically ignore this header, using Authorization instead.
Range
• This rarely used header lets a client that has a partial copy of a
document ask for only the parts it is missing.
Referer
• indicates the URL of the referring Web page.
• All major browsers set this header, useful way of tracking where requests came
from.
• helpful for tracking advertisers who refer people to the site, for changing content
slightly depending on the referring site, or simply for keeping track of where the
traffic comes from.
• In the last case, most people simply rely on Web server log files, since the Referer is
typically recorded there.
• Although it’s useful, don’t rely too heavily on the Referer header since it can be
easily spoofed by a custom client.
• Note that this header is Referer, not the expected Referrer, due to a spelling mistake
by one of the original HTTP authors.
Upgrade
• Lets the browser or other client specify a communication protocol it
prefers over HTTP 1.1.
• If the server also supports that protocol, both the client and the
server can switch protocols.
• This type of protocol negotiation is almost always performed before
the servlet is invoked.
• Servlets rarely care about this header.
User-Agent
• This header identifies the browser or other client making the request and can be used to
return different content to different types of browsers.
• Relying on a hard-coded list of browser versions and associated features can make for
unreliable and hard-to-modify servlet code.
• Use something specific in the HTTP headers instead.
• Example
• Instead of trying to remember which browsers support gzip on which platforms check the Accept-
Encoding header
• Browser-specific feature does not adds enough value to be worth the maintenance cost.
• The User-Agent header is sometimes used to determine which JavaScript features are
supported.
• This header can be easily spoofed.
Via
• This header is set by gateways and proxies to show the intermediate
sites the request passed through
Warning
• This rarely used catchall header lets clients warn about caching or
content transformation errors.
Generating the Server Response: HTTP Status
Codes
}
Handling Cookies
• Benefits of Cookies
• Four typical ways in which cookies can add value to the site
• Identifying a User During an E-commerce Session
• Avoiding Username and Password
• Customizing a Site
• Focusing Advertising
Some Problems with Cookies
• Not a serious security threat.
• Never interpreted or executed
• Browsers generally only accept
• 20 cookies per site
• 300 cookies total
• Each cookie can be limited to 4 kilobytes => cookies cannot be used to fill up
someone’s disk or launch other denial of service attacks.
Some Problems with Cookies
• Present a significant threat to privacy
• Search engines Remembering searches on certain topics
• To avoid banner ad tipping off their coworkers next time they do a search
• Two sites can share data on a user by each loading small images off the same third-party
site.
• Associating cookies with images can even be exploited via e-mail if you use an HTML-
enabled e-mail reader
• Sites rely on cookies for overly sensitive data.
• Form filling without reentering much of your personal information like (credit card number)
• An attacker who got access to someone’s computer or cookie file could get on-line access
to valuable personal information.
• Incompetent sites might embed credit card or other sensitive information directly in the
cookies themselves
Points to remember
• Even when cookies are used to give added value to a site, the site
shouldn’t depend on them.
• Be careful not to use cookies for particularly sensitive information
The Servlet Cookie API
• Create one or more cookies with designated names and values
new Cookie(name, value).
• Set any optional attributes
cookie.setXxx (readable later by cookie.getXxx),
• insert the cookies into the response headers
response.addCookie(cookie)
• To read incoming cookies
request.getCookies() //returns an array of cookies
getValue()
Creating Cookies
• Call the Cookie constructor.
• Takes two strings: The cookie name and the cookie value
• Neither the name nor the value should contain white space or any of
the following characters:
[]()=,"/?@:;
Cookie Attributes
• Set various characteristics of the cookie by using one of the setXxx
methods
• Xxx is the name of the attribute.
• Each setXxx method has a corresponding getXxx method to retrieve
the attribute value.
• Applies only to outgoing cookies
public String getComment()
public void setComment(String
comment)
• Look up or specify a comment associated with the cookie.
• The comment is used purely for informational purposes on the server;
it is not sent to the client.
public String getDomain()
public void setDomain(String
domainPattern)
• Get or set the domain to which the cookie applies.
• The browser only returns cookies to the exact same hostname that sent them.
• use setDomain method to instruct the browser to return them to other hosts
within the same domain.
• To prevent servers setting cookies that apply to hosts outside their domain, the
domain specified is required to start with a dot.
• Must contain two dots for noncountry domains like .com, .edu and .gov
• Three dots for country domains like .co .uk and .es.
• Example: bali.vacations.com would not normally get sent by the browser to pages
at mexico.vacations.com.
cookie.setDomain(".vacations.com").
public int getMaxAge()
public void setMaxAge(int
lifetime)
• Tells how much time (in seconds) should elapse before the cookie
expires.
• A negative value is the default, indicates that the cookie will last only
for the current session and will not be stored on disk.
• The LongLivedCookie class is a subclass of Cookie
• Sets a maximum age automatically to one year in the future.
• Specifying a value of 0 instructs the browser to delete the cookie.
public String getName()
public void setName(String
cookieName)
• setName() is rarely used.
• getName is used on almost every cookie received on the server.
public String getPath()
public void setPath(String path)
• Get or set the path to which the cookie applies.
• If path not set, the browser returns the cookie only to URLs in or
below the directory containing the page that sent the cookie.
• Example: A cookie of http://ecommerce.site.com/toys/specials.html is
returned to http://ecommerce.site.com/toys/bikes/beginners.html
but not to http://ecommerce.site.com/cds/classical.html.
• General path: someCookie.setPath("/") specifies that all pages on the
server should receive the cookie.
public boolean getSecure()
public void setSecure(boolean
secureFlag)
• gets or sets the boolean value indicating whether the cookie should
only be sent over encrypted (i.e., SSL) connections.
• The default is false; the cookie should apply to all connections.
public String getValue()
public void setValue(String
cookieValue)
• The getValue method looks up the value associated with the cookie.
public int getVersion()
public void setVersion(int
version)
• get/set the cookie protocol version the cookie complies with.
• Version 0, the default, follows the original Netscape specification
• Version 1, not yet widely supported
• RFC 2109
Placing Cookies in the Response
Headers
• addCookie method of HttpServletResponse.
• Example:
Cookie userCookie = new Cookie("user", "uid1234");
userCookie.setMaxAge(60*60*24*365); // 1 year
response.addCookie(userCookie);
Reading Cookies from the Client
• Call getCookies on the HttpServletRequest.
• Returns an array of Cookie objects corresponding to the values that
came in on the Cookie HTTP request header.
• If there are no cookies, getCookies returns null.
• Loop down it, calling getName on each Cookie until a match is found.
• Call getValue on the matching Cookie