
Page 1: COMP9321 Web Application Engineeringcs9321/16s1/lectures/lec12/Lec-12.pdf · •JSP technology makes available all the dynamic capabilities of Java Servlet technology; but provides

COMP9321 Web Application Engineering

Wrap-up

1 COMP9321, 16s1, Week12

http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442

Dr. Basem Suleiman

Service Oriented Computing Group, CSE, UNSW Australia

Semester 1, 2016, Week 12


Course Core Components


This course consists of:

• 12 weeks of lectures

• 1 individual assignment – 10 marks

• 1 group assignment – 25 marks

• 1 group assignment – 15 marks

• 1 final exam (50 marks)



Assignments


• Assignment 1 – GradeBook

• Assignment 2 – Week 13 (GradeBook)

• Assignment 3 – Due Wednesday, June 1, 2016, 23:59:59


• Assignment 1 – Individual web application development
  • XML, Servlet and JSP
• Assignment 2 – Group: Hotel Management Web Application
  • JSP, Java objects, JDBC, others
  • Design patterns, MVC, other frameworks
  • Teamwork skills
• Assignment 3 – Performance Evaluation of a Web application
  • Group: performance of the Hotel Management Application
  • Performance testing with JMeter, queuing theory and laws, analysis and reporting



Final Exam


• 2 hours exam (+10 minutes reading time)
• Total marks: 50
• 6 main questions (answer only 5)
  • No multiple choice questions
  • The first 5 answers will be marked
• Questions cover both technical and conceptual understanding of the core topics
  • Concepts, explanation, design principles, comparisons
  • Short, factual and essay questions; technical knowledge and concepts
  • Topics/Lectures: Week 1 – Week 10
• To make life easier for both of us, please
  • Write to the point, use diagrams wherever they help, and provide examples, especially if the question asks for them
  • Write legibly and clearly – quality, not quantity



• The following topics from the lectures will not be asked in the final exam:
  • TCP and DNS from Web Essentials
  • Queueing Theory and Performance Modeling in the Performance Measurement lecture
  • Service Oriented Architecture (SOA)/Web Services
  • NoSQL database
  • Introduction to Cloud Computing
  • Architecting Web Applications for the Cloud


General Review

Week 1 – 10


Warning: this review covers some topics only. For the final exam, study all topics and slides covered in weeks 1-10, excluding topics specified in the previous slide.


Different Layers in an Application



Presentation Layer


The HTML <form> method attribute specifies how to send form data: as URL variables (with method="get"), or as an HTTP POST transaction (with method="post").

Method? GET/POST


Static vs. Dynamic Web Page


A static web page is delivered to the user exactly as stored, in contrast to dynamic web pages, which are generated by a web application on demand.

A dynamic web page is-a web page whose construction is controlled by an application server processing server-side scripts.

An application server is-a software framework that provides both facilities to create web applications and a server environment to run them.

Example: Java application servers. Their core set of APIs and features is defined by Java EE. The Web modules include Java Servlets and JavaServer Pages.

http://docs.oracle.com/javaee/6/tutorial/doc/


Java Servlets


http://java.sun.com/products/servlet/index.jsp
http://docs.oracle.com/javaee/6/tutorial/doc/bnafd.html


A Lifecycle of a Servlet


The Web container controls the lifecycle of a servlet class:

• initialisation
• ServletConfig
• ServletContext
• …


Attributes and Sharing Attributes



Who has access to the board and how long does it live?



RequestDispatcher in Servlet


• The RequestDispatcher interface provides the facility of dispatching the request to another resource, e.g., a servlet, JSP, or HTML page.
• This interface can also be used to include the content of another resource.
• It is one of the ways of servlet collaboration.

http://www.javatpoint.com/

The RequestDispatcher interface provides two methods: forward and include

• Forward: forwards a request from a servlet to another resource (servlet, JSP file, or HTML file) on the server.

public void forward(ServletRequest request, ServletResponse response) throws ServletException, IOException


• Include: includes the content of a resource (servlet, JSP page, or HTML file) in the response.

public void include(ServletRequest request, ServletResponse response) throws ServletException, IOException


Session Management




Managing the User State


A problem in HTTP request/response:

• HTTP is a stateless protocol.
• A single request/response;
• Nothing is remembered 'between requests' from the same user;
• Web applications need to maintain users and their data.

It is the programmer's responsibility:

• The term "session" is used to represent the data associated with one user while she navigates around a Web application.
• A session is a conversational state between client and server.
• A session can consist of multiple requests and responses between client and server.
• Since HTTP is stateless, the only way to maintain a session is for some unique information about the session (the session id) to be passed between server and client in every request and response.


Cookies


• Cookies are text files stored on the client computer; they are kept for various information tracking purposes.
• Java Servlets transparently support HTTP cookies.
• There are three steps involved in identifying returning users:
  • The server script sends a set of cookies to the browser, e.g. a session id.
  • The browser stores this information on the local machine for future use.
  • Next time, the browser sends the request together with those cookies to the server, and the server uses that information to identify the user.


JavaServer Pages (JSP) Technology


• JavaServer Pages (JSP) technology allows you to easily create web content that has both static and dynamic components.
• JSP technology makes available all the dynamic capabilities of Java Servlet technology, but provides a more natural approach to creating static content.
• JSP is similar to PHP, but it uses the Java programming language.
• To deploy and run JavaServer Pages, a compatible web server with a servlet container, such as Apache Tomcat, is required.



JSP Basics


JSP Page
• Template Text (HTML bits…)
• JSP Elements
  • Scripting Elements
    • Traditional: Scriptlet, Expression, Declaration, Comments
    • Modern EL Scripting: ${…}
  • Directive Elements: Page, Include, Taglib
  • Action Elements
    • Standard: <jsp:useBean>, <jsp:getProperty>, <jsp:setProperty>, <jsp:include>, <jsp:forward>, <jsp:param>
    • Custom: <abc:mytag>


Extensible Markup Language (XML)


• XML was originally designed to meet the challenges of large-scale electronic publishing.
• XML separates presentation issues from the actual data.
• XML plays an increasingly important role in the exchange of a wide variety of data on the Web and elsewhere.
• Needs a communication protocol?
  • e.g. SOAP stands for Simple Object Access Protocol
  • SOAP is based on XML
  • SOAP is a W3C recommendation
  • SOAP uses XML Information Set for its message format.


JSP Elements: JSP Actions (useBean)



The XML Family


XML: a markup language used to describe information.

DOM: a programming interface for accessing and updating documents.

DTD and XML Schema: describes the structure and content of XML documents.

XSLT: a language for transforming XML documents

XPath: a query language for navigating XML documents.

XPointer: for identifying fragments of a document.

XLink: generalises the concept of a hypertext link.

XInclude: for merging documents.

XQuery: a language for making queries across documents.

RDF: a language for describing resources.


XML – Document Type Definition


• An XML document with correct syntax is called "Well Formed"
  • Errors (incorrect syntax) – application processing will trigger errors
  • A well-formed XML document follows the XML syntax rules
• Is a well-formed XML document a "valid" XML document?
  • A valid XML document must be:
    • Well formed AND
    • Conform to a Document Type Definition (DTD)
• Document Type Definition (DTD)
  • Defines the structure and the legal elements and attributes of an XML document
  • DTD or XML Schema (XML alternative to DTD)
  • Internal DTD declaration or external DTD declaration (.dtd)


Well-formedness and Validity of XML



Limitations of DTD



The XML Family – XML Schema


XML Schema (or XML Schema Definition, XSD)

• is an XML-based alternative to DTD.
• describes the structure of an XML document.
• defines elements and attributes that can appear in a document
• defines data types for elements and attributes
• defines default and fixed values for elements and attributes
• defines the child elements, their order, etc.
• XML Schemas are much more powerful than DTDs.
• The XML Schema language is also referred to as XML Schema Definition (XSD).


XML Namespaces



Simple Types



Type Restrictions


More examples: http://www.w3schools.com/xml/schema_facets.asp

Constraint – Description
enumeration – Defines a list of acceptable values
fractionDigits – Specifies the maximum number of decimal places allowed. Must be >= 0
length – Specifies the exact number of characters or list items allowed. Must be >= 0
maxExclusive – Specifies the upper bound for numeric values (the value must be less than this value)
maxInclusive – Specifies the upper bound for numeric values (the value must be <= this value)
maxLength – Specifies the maximum number of characters or list items allowed. Must be >= 0
minExclusive – Specifies the lower bound for numeric values (the value must be greater than this value)
minInclusive – Specifies the lower bound for numeric values (the value must be >= this value)
minLength – Specifies the minimum number of characters or list items allowed. Must be >= 0
pattern – Defines the exact sequence of characters that are acceptable
totalDigits – Specifies the exact number of digits allowed. Must be greater than zero
whiteSpace – Specifies how white space (line feeds, tabs, spaces, and carriage returns) is handled


Complex Types



Persistence


• Persistence is a fundamental concept in application development.
• In object-oriented applications, persistence allows an object to outlive the process that created it.
• The state of the object may be stored to disk and an object with the same state re-created at some point in the future.
• Sometimes entire graphs of interconnected objects may be made persistent and later re-created in a new process.

(Hibernate, pp.5-29)


Data Persistence


• When you work with a relational database in a Java application, the Java code issues SQL statements to the database via the JDBC API.
• The Java Database Connectivity (JDBC) API provides universal data access from the Java programming language.
• Using the JDBC API, you can access virtually any data source, from relational databases to spreadsheets and flat files.
• The JDBC API is comprised of two packages:
  • java.sql
  • javax.sql

(Hibernate, pp.5-29)


JDBC Interfaces



Accessing DB from an Application



PreparedStatement object


• A more realistic case is that the same kind of SQL statement is processed over and over (rather than a static SQL statement).
• In a PreparedStatement, a placeholder (?) is bound to an incoming value before execution (no recompilation).
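As an added example that is not part of the slides, the same binding mechanism shown in Python's sqlite3 module, whose `?` placeholders behave like JDBC's: a constructed in-memory bookings table in the spirit of the Hotel Management assignment is queried once with a statement built by string concatenation and once with a bound placeholder. The guest names, including the one with an apostrophe, are constructed sample data.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data in the spirit of the Hotel Management assignment.
# One guest name contains an apostrophe on purpose.
BOOKINGS = [("O'Brien", "single"), ("Suleiman", "double"), ("Lee", "single")]


def setup_db() -> sqlite3.Connection:
    """In-memory database with a small bookings table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE booking (guest TEXT NOT NULL, room_type TEXT NOT NULL)")
    # The same INSERT is processed over and over: one statement text, many
    # bound value sets, which is exactly the PreparedStatement use case.
    conn.executemany("INSERT INTO booking (guest, room_type) VALUES (?, ?)", BOOKINGS)
    conn.commit()
    return conn


def find_by_guest_concat(conn: sqlite3.Connection, guest: str) -> List[Tuple[str, str]]:
    """Statement text assembled from the input by concatenation (the approach a
    PreparedStatement replaces). The input becomes part of the SQL, so a
    legitimate name containing a quote changes the statement itself."""
    sql = "SELECT guest, room_type FROM booking WHERE guest = '" + guest + "'"
    return conn.execute(sql).fetchall()


def find_by_guest_bound(conn: sqlite3.Connection, guest: str) -> List[Tuple[str, str]]:
    """Placeholder (?) bound to the incoming value before execution: the statement
    text never changes, so the value is only ever data, never SQL."""
    sql = "SELECT guest, room_type FROM booking WHERE guest = ?"
    return conn.execute(sql, (guest,)).fetchall()


def compare(guest: str) -> dict:
    """Run both lookups for one guest name and report what each produced."""
    conn = setup_db()
    result: dict = {"bound": find_by_guest_bound(conn, guest)}
    try:
        result["concat"] = find_by_guest_concat(conn, guest)
    except sqlite3.OperationalError as exc:
        # The quote in the name broke the hand-built statement.
        result["concat"] = f"error: {exc}"
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    for name in ("Lee", "O'Brien"):
        print(name, "->", compare(name))
```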


Data Access Objects (DAO)



Object-Relational Impedance Mismatch Problems



https://docs.oracle.com/cd/E16162_01/user.1112/e17455/img/mismatch.gif


Impedance (or Paradigm) Mismatch Problem


The problem of subtypes (Hibernate, pp.5-29)


Hibernate - ORM Framework


• Hibernate is an open source ORM solution for Java which provides an Object-Relational Persistence and Query service for any Java application.
• It improves development efficiency by relieving the developer of the majority of common data-persistence-related programming tasks.
• Hibernate maps Java classes to database tables and Java data types to SQL data types.
• Hibernate sits between traditional Java objects and the database server to handle all the work of persisting those objects based on the appropriate O/R mechanisms and patterns.
• Supports major RDBMSs including MySQL, MS SQL, Oracle, DB2, HSQL.


Design Patterns


A pattern is a proven solution to a problem in a context.

Each pattern expresses a relation between a certain context, a problem, and a solution.

A design pattern represents a solution to problems that arise when developing software.

Design patterns are granular and applied at different levels such as: frameworks, subsystems, sub-subsystems.

Categories include:

• Design
• Architectural
• Analysis
• Creational
• Structural
• Behavioral


J2EE Design Patterns



Servlet design guidelines: When to use Servlets



JSP Design Guidelines



General Guideline for Servlet/JSP/JavaBeans



Model 1 Architecture



Model 2 Architecture = MVC pattern




Command Design Pattern



Securing your Web Application: Threats!




CSRF Attacks Mechanisms


GET scenario: using the GET method, the money transfer operation might be reduced to a request like

GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1

• Maria decides to exploit this web application vulnerability using Alice as her victim. Maria first constructs the following exploit URL, which will transfer $100,000 from Alice's account to her account. She takes the original command URL and replaces the beneficiary name with herself, raising the transfer amount significantly at the same time:

GET http://bank.com/transfer.do?acct=MARIA&amount=10000

The attack tricks Alice into loading this URL when she's logged into the bank application, by

• Sending an unsolicited email with HTML content
• Planting an exploit URL or script on pages that are likely to be visited by the victim while they are also doing online banking

The exploit URL can be disguised as an ordinary link, encouraging the victim to click it:

<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>

More CSRF attack examples: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
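The defensive side of the scenario above, as an added example that is not part of the slides: a small Python simulation of the bank's server that issues the session id as a cookie (the three cookie steps from the session management slides) and then accepts a transfer only as a POST carrying a per-session synchronizer token. The `Request` class, the balances and the use of `JSESSIONID` (the servlet container's conventional session cookie name) are constructed for this example; the forged GET is the link from the slide.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory server state: session store and account balances.
SESSIONS: Dict[str, dict] = {}
BALANCES: Dict[str, int] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    params: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Cookie step 1: the server sends a session id to the browser.
    A per-session CSRF token is generated alongside and kept server-side only.
    Returns the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return f"JSESSIONID={sid}; HttpOnly; Secure; SameSite=Lax"


def session_for(cookies: Dict[str, str]) -> Optional[dict]:
    """Cookie step 3: the server identifies the user from the cookie sent back."""
    return SESSIONS.get(cookies.get("JSESSIONID", ""))


def csrf_token_for(cookies: Dict[str, str]) -> Optional[str]:
    """What the bank's own transfer page embeds in its form as a hidden field."""
    sess = session_for(cookies)
    return sess["csrf"] if sess else None


def transfer(req: Request) -> Tuple[int, str]:
    """Handler for transfer.do. Returns (HTTP status, message)."""
    sess = session_for(req.cookies)
    if sess is None:
        return 401, "no valid session"
    # A state-changing operation must not be reachable by GET: the browser attaches
    # the session cookie to any <a href> or <img src> load, whatever page started it.
    if req.method != "POST":
        return 405, "transfer requires POST"
    # Synchronizer token: only pages served by the bank (same origin) can read the
    # token, so a request forged from another site cannot supply it.
    supplied = req.params.get("csrf", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    src, dst = sess["user"], req.params.get("acct", "")
    try:
        amount = int(req.params.get("amount", ""))
    except ValueError:
        return 400, "invalid amount"
    if amount <= 0 or dst == src or dst not in BALANCES or BALANCES[src] < amount:
        return 400, "invalid transfer"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return 200, f"transferred {amount} from {src} to {dst}"


def demo() -> dict:
    """Alice logs in; three requests then arrive, each carrying her cookie."""
    BALANCES.clear()
    BALANCES.update({"ALICE": 100_000, "BOB": 0, "MARIA": 0})  # constructed balances
    set_cookie = login("ALICE")
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    cookies = {"JSESSIONID": sid}  # cookie step 2: the browser stores and resends it
    results = {}
    # The link from the slide: Alice's browser sends her cookie, but it is a GET with no token.
    results["forged_get"] = transfer(
        Request("GET", {"acct": "MARIA", "amount": "100000"}, cookies))
    # The same parameters as a cross-site POST: still no token, so still rejected.
    results["forged_post"] = transfer(
        Request("POST", {"acct": "MARIA", "amount": "100000"}, cookies))
    # Alice's own transfer form included the token, so this one succeeds.
    token = csrf_token_for(cookies) or ""
    results["legit_post"] = transfer(
        Request("POST", {"acct": "BOB", "amount": "100", "csrf": token}, cookies))
    results["balances"] = dict(BALANCES)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```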


Cross Site Scripting (XSS): Summary!



Cross Site Scripting (XSS): Prevention!!



More on XSS prevention rules and examples: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


Session Management…



Transport Layer Security (e.g. HTTPS)



Performance



Scalability



Architectural Considerations - Network


https://devcentral.f5.com


General Techniques for Improving Performance and Scalability


1. Caching and Replication

2. Parallelism

3. Redundancy

4. Asynchrony

5. Resource Pooling


Improving Performance using HTTP features



Improving Database Access




JOIN queries



Scaling & Request Load Balancing




Application-Level Load Balancing with Stateless Logic


Scaling Databases - Replication


COMP9322 !!


…from building a web site (cs9321) to building web services (cs9322) ...

Context: "global/distributed/complex" business applications

• Goals:
  • understand the concept of services and business processes
  • articulate the motivation behind web service-based technologies
  • apply the knowledge in practical situations

COMP9322 course aims:

• provide students with a deep understanding of SOA, the service-orientation paradigm, business processes and Web services as an implementation technology.


Good Luck!
