Cutting Edge Research in Engineering of Web Applications Part 2 What is Different about Engineering Web Apps? Jeff Offutt Professor of Software Engineering.

Presentation transcript:

Cutting Edge Research in Engineering of Web Applications
Part 2: What is Different about Engineering Web Apps?
Jeff Offutt, Professor of Software Engineering, George Mason University

Outline (July 2013 © J Offutt)
A. Who am I?
B. Who are you?
Part 1 (13:00-15:00)
  1. Web Apps Overview
  2. How the Interweb Works
  3. Web Software (Servlets)
Part 2 (19:00-21:00)
  4. Control Flow & State Handling is Different
  5. State Handling in JSP
Part 3 (Friday 13:00-15:00)
  6. Web Software Security
  7. Modeling Web Apps
  8. Testing Web Apps
  9. Engineering Process

Tracking State Information
The initial versions of the web suffered from a lack of state:
[Diagram labels: HTML Form, Server, HTML Page, Data, Info]
If you wanted multiple screens, there was no way for data to be accumulated or stored
[Diagram labels: Form1, Form2, Form3, Form4, Server; data accumulating as D1, D1+D2, D1+D2+D3, D1+D2+D3+D4]

Session Tracking
Web applications must maintain user states
This is called session tracking

Session Tracking (2)
Session tracking refers to keeping data between multiple HTTP requests
This problem is essential to maintaining state, which we understand quite well in the context of traditional procedural programming and object-oriented programming
The Web brings in unique constraints
  – HTTP is connectionless
  – Distributed
Session: A series of related interactions between a client and a web server (similar to a use case)

New Control Flow and State Handling
To support session handling (and other issues) J2EE introduced new language mechanisms
1. New control flow mechanisms
2. New state management
3. New variable scopes

Traditional Control Flow
Procedural languages
  – Method / function calls
  – Decisions – if, while, for, repeat-until, switch, …
  – Static includes – other code pulled in before compiling
OO languages
  – Dynamic binding via polymorphism
Client / Server
  – Message passing

Web App Control Flow (1)
Traditional Control Flow Mechanisms
1. Same as traditional – Software on server and client
2. Synchronous message passing – Client to server, HTTP
  – Also server to other servers
3. Event handling – On the client

Web App Control Flow (2)
New Control Flow Mechanisms
4. Asynchronous message passing – Client to server, Ajax
5. Forward – Transfers control from one server component to another, no return
6. Redirect – Ask client to send request elsewhere
7. URL rewriting by users
8. Dynamic include – Control passes to another component, then returns, no parameters
9. Dynamic binding – Reflection allows new components to be added and used dynamically

Ramifications of New Control Flow
The traditional control flow graph does not model essential parts of web app execution!
UML diagrams do not model many of these
Most developers learn the syntax, but not the concepts behind these new control connections
Lots of poorly designed software … and lots and lots of poorly understood software faults!

New Control Flow and State Handling
To support session handling (and other issues) J2EE introduced new language mechanisms
1. New control flow mechanisms
2. New state management
3. New variable scopes

Handling State in Procedural Languages
The C programming language has simple ways to handle state

    char name [25];        /* global variable */
    int main (void)
    {
        int x, y, z;       /* local variables */
        /* ... */
        return 0;
    }

We added several layers of scope in OO languages

State in Object-Oriented Languages
In addition to local and global variables, OO languages have other scopes
  – Nonlocals : package, protected, default, …
Data sharing in OO languages
  – Two components can share data if they are in the same scope
  – Two components can share data by passing parameters
OO languages also are based on the concept of objects, which are instances of classes
  – Classes define types, which are global
  – Objects can be defined at multiple scopes

Handling State in Java
[Diagram labels: Package; Class 1, Class 2, Class 3, Class 4, Class 5; inheritance; private members, default, protected members, public members]

State on the Web
These schemes have two simple, subtle assumptions:
1. The software components share physical memory
2. The program runs to completion with active memory
But these assumptions are violated in web applications!
1. Distributed software components
2. Connectionless nature of HTTP
To keep state in web applications, we need different ways to store and access variables and objects
Public access and parameter passing are not enough in Web applications!

State and Session Tracking
Session tracking refers to passing data from one HTTP request to another
A web application is composed of several software components
The characteristics of a Web app mean that the components do not communicate directly
  – Independent processes (threads)
  – Connectionless protocol
  – Client-server or N-tier architecture
  – Execution flow always goes through a client
How can these independent components share data?

Session Tracking Methods
1. Include data as extra parameters (URL rewriting)
2. Hidden form fields
3. Cookies
4. Servlet API session tracking tools
[Diagram labels: Client C, Server S, Request with a Token, Response with a Token]
All four methods work by exchanging a token between the client and server

(1) URL Rewriting
Forms usually add parameters
    URL ? P1=v1 & P2=v2 & P3=v3 & …
You can add values in the URL as a parameter :
    HREF = "./servlet/X ? SneakyParam=42">
    or : User=george" >
This is used as a key to find the saved information about the user george
  – Messy and clumsy
  – Long URLs
  – Information on URL is public
  – All HTML pages must be created dynamically
  – Often limited in size

(2) Hidden Form Fields
Flows of control go through the client
Data that must be passed from one software component to another can be stored in hidden form fields in the HTML
Generate HTML pages with forms that store “hidden” information :
Several problems :
  – Insecure – users can see the data
  – Unreliable – users can change the data
  – Undependable – users can use the back button, direct URL entry, and URL rewriting to skip some hidden form fields
Still useful in limited situations
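
The "unreliable" problem above (users can change the data) can be detected on the server by attaching a keyed tag to each hidden value. This is an added example, not code from the slides; the class name, the field name and the sample values are hypothetical, and it uses only the JDK. The value is still readable by the user, so it does not address the "insecure" problem.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: tamper-evident hidden form field (all names hypothetical). */
public class SignedHiddenField {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key; // server-side secret, never sent to the client

    public SignedHiddenField(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    // HMAC over (sessionId, fieldName, value); each part is length-prefixed
    // so that different splits of the same bytes cannot produce the same tag.
    private byte[] tag(String sessionId, String name, String value)
            throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        for (String part : new String[] {sessionId, name, value}) {
            byte[] bytes = part.getBytes(StandardCharsets.UTF_8);
            mac.update(ByteBuffer.allocate(4).putInt(bytes.length).array());
            mac.update(bytes);
        }
        return mac.doFinal();
    }

    /** Text to emit as the hidden field's value: base64url(value) "." base64url(tag). */
    public String seal(String sessionId, String name, String value)
            throws GeneralSecurityException {
        return ENC.encodeToString(value.getBytes(StandardCharsets.UTF_8))
                + "." + ENC.encodeToString(tag(sessionId, name, value));
    }

    /** Returns the value if the field is intact for this session, otherwise null. */
    public String open(String sessionId, String name, String field)
            throws GeneralSecurityException {
        int dot = (field == null) ? -1 : field.indexOf('.');
        if (dot < 0) return null;
        try {
            String value = new String(DEC.decode(field.substring(0, dot)), StandardCharsets.UTF_8);
            byte[] presented = DEC.decode(field.substring(dot + 1));
            // Constant-time comparison of the presented and recomputed tags.
            return MessageDigest.isEqual(presented, tag(sessionId, name, value)) ? value : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SignedHiddenField fields = new SignedHiddenField(secret);

        // Constructed sample: a price carried through the client for session "0347".
        String sealed = fields.seal("0347", "price", "19.99");
        String edited = ENC.encodeToString("0.01".getBytes(StandardCharsets.UTF_8))
                + sealed.substring(sealed.indexOf('.')); // value changed, old tag kept

        System.out.println("intact field       -> " + fields.open("0347", "price", sealed));
        System.out.println("edited by the user -> " + fields.open("0347", "price", edited));
        System.out.println("other session      -> " + fields.open("4403", "price", sealed));
    }
}
```

Binding the tag to the session ID keeps a sealed value from being replayed in another session; it does not stop a user from skipping the form altogether, which is the "undependable" problem.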

(3) Cookies
Cookies are small files or text strings stored on the client’s computer
Created by the web browser
Arbitrary strings, but sometimes var=value pairs or XML
Java coding :

    Cookie c = new Cookie ("user", "george");
    c.setMaxAge (5*24*60*60);  // expires in 5 days, in seconds
    response.addCookie (c);    // sends cookie to client

(3) Cookies – cont.
Cookies are very useful and simple
Not visible as part of the HTML content
Convenient way to solve a real problem
But cookies are scary !
  – It’s as if I stored my files at your house
  – Cookies go way beyond session tracking
  – Cookies allow behavior tracking

(4) Servlet Sessions
The servlet API uses cookies to provide a simple, safe, flexible method for session tracking
Cookies are handled automatically
HttpSession stores data in the current active object
Data disappears when the object is destroyed
Object is destroyed after the session ends, usually 30 minutes after the last request

Sessions: Big Picture
[Diagram labels: Web Server; Client 1 and Client 2, each with a time line of HTTP Request / HTTP Response pairs; Session ID = 0347 for Client 1, Session ID = 4403 for Client 2]
Server returns a new unique session ID when the request has none

Sessions: Big Picture
[Diagram labels: Web Server; Client 1 and Client 2, each with a time line of HTTP Request / HTTP Response pairs; Session ID = 0347 for Client 1, Session ID = 4403 for Client 2]
Client stores the ID and sends it to the server in subsequent requests
Server recognizes all the requests as being from the same client. This defines a session.
Server recognizes these requests as being from a different client.

Servlet API Session Methods
The servlet API methods are not synchronized
Multiple servlets can access the same session object at the same time
If this can happen, the program must synchronize the code that modifies the shared session attributes
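
The token exchange from the "Big Picture" slides and the synchronization rule above, as an added example that is not code from the slides. `MiniSessionStore` and `Session` are hypothetical JDK-only stand-ins for the servlet container and `HttpSession`; the 30-minute idle timeout is the figure from the Servlet Sessions slide, and locking on the session object is this sketch's choice.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example: a stand-in for container session tracking (names hypothetical). */
public class MiniSessionStore {
    static final long IDLE_TIMEOUT_MS = 30 * 60 * 1000L; // "usually 30 minutes"

    /** Stand-in for HttpSession: an attribute map plus the last access time. */
    static final class Session {
        final String id;
        final Map<String, Object> attributes = new HashMap<>(); // not thread-safe
        volatile long lastAccess;
        Session(String id, long now) { this.id = id; this.lastAccess = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // 128 random bits, so one client cannot guess another client's token.
    private String newId() {
        byte[] bytes = new byte[16];
        random.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** token is what the client sent: null on a first request, or stale, or valid. */
    public Session resolve(String token, long now) {
        if (token != null) {
            Session known = sessions.get(token);
            if (known != null) {
                if (now - known.lastAccess <= IDLE_TIMEOUT_MS) {
                    known.lastAccess = now;
                    return known;           // same client, same session
                }
                sessions.remove(token);     // idle too long: session is destroyed
            }
        }
        // No usable token: issue a server-generated ID, never adopt the client's.
        Session fresh = new Session(newId(), now);
        sessions.put(fresh.id, fresh);
        return fresh;
    }

    /** Read-modify-write of a shared attribute, guarded by the session's lock. */
    public static int increment(Session session, String name) {
        synchronized (session) {
            Integer old = (Integer) session.attributes.get(name);
            int next = (old == null) ? 1 : old + 1;
            session.attributes.put(name, next);
            return next;
        }
    }

    public static void main(String[] args) throws InterruptedException {
        MiniSessionStore store = new MiniSessionStore();
        long t0 = System.currentTimeMillis();
        Session first = store.resolve(null, t0);            // request without a token
        Session again = store.resolve(first.id, t0 + 1000); // token sent back

        // Two request threads updating the same session attribute.
        Runnable hits = () -> { for (int i = 0; i < 100_000; i++) increment(again, "hits"); };
        Thread a = new Thread(hits), b = new Thread(hits);
        a.start(); b.start(); a.join(); b.join();

        Session late = store.resolve(first.id, t0 + 1000 + IDLE_TIMEOUT_MS + 1);
        System.out.println("same session on second request: " + (first == again));
        System.out.println("hits counted: " + again.attributes.get("hits"));
        System.out.println("new ID after idle timeout: " + !late.id.equals(first.id));
    }
}
```

Removing the `synchronized` block from `increment` lets the two threads interleave their reads and writes, which is the fault the slide warns about.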

Session Definition
A session is defined by
The web server
  – Servlet container
  – Servlet context
The client
  – IP address
  – Browser
Session objects are kept on the server
Each session object uses different parts of memory (instances of data values) on the server

Example
Consider a small Web app with 2 servlets and 3 JSPs
[Diagram labels: Client, Servlet S1, Servlet S2, JSP 1, JSP 2, JSP 3]
How can the servlets and JSPs share data?

New Control Flow and State Handling
To support session handling (and other issues) J2EE introduced new language mechanisms
1. New control flow mechanisms
2. New state management
3. New variable scopes

Sharing Data : Session Object
One program component can store a value in the session object
Another component can retrieve, use, and modify the value
Depends on the servlet container :
  – Software components are threads, not processes
  – Servlet container stays resident and can keep shared memory

Session Data Example
[Diagram labels: Client, Servlet S1, Servlet S2, JSP 1, JSP 2, JSP 3, Servlet Container, Session object]
Software components share “container” access data

Login Example
[Diagram labels: Login, Form Entry, View Data; session data isLoggedIn: T/F, userID: string]
1. User request
2. Check isLoggedIn
3. if isLoggedIn false
4. Set isLoggedIn true and set userID
5. User request
6. Check isLoggedIn
7. if isLoggedIn false

Session and Context Scopes
The session object is available to software components in the same request and session
  – They have access to the session ID
  – This is called session scope
Sometimes we need a wider scope
  – Chat rooms : Allow multiple users to interact
  – Group collaboration : Online meeting
  – Online bidding
  – Reservation systems
J2EE also defines a context scope
This allows us to share data among multiple users

Context Scope
[Diagram labels: Container Engine; Servlet S1, Servlet S2, JSP 1, JSP 2, JSP 3; session object 1 (Session 1), session object 2 (Session 2); context object (Context (application))]

Session and Context Scope Examples
Compare attributeServlet and servletContext examples
Try them in different browsers
Compare the differences

Control Flow & State Summary
Managing state is fundamental to any program
Managing state is the most unique aspect of designing and programming web applications
Software vendors are creating new frameworks all the time
  – Most of them introduce additional state handling techniques
Many professional developers make fundamental mistakes with managing state
State management is the most common source of software faults in web applications

Outline
A. Who am I?
B. Who are you?
Part 1 (13:00-15:00)
  1. Web Apps Overview
  2. How the Interweb Works
  3. Web Software (Servlets)
Part 2 (19:00-21:00)
  4. Control Flow & State Handling is Different
  5. State Handling in JSP
Part 3 (Friday 13:00-15:00)
  6. Web Software Security
  7. Modeling Web Apps
  8. Testing Web Apps
  9. Engineering Process

Java Server Pages
A JSP is a scripted page that mixes programming statements into HTML
JSP scriptlets:
  – Have a Java-like syntax
  – Can use external objects and call methods
  – Can process form data
JSPs are translated to Java servlets, then compiled
They help separate presentation from data

JSP Scope & State Management
JSPs formalize this with four separate scopes
1. Page : Within the same program component (web page)
2. Request : Within the same request
3. Session : Within all requests from the same session
4. Application : Within all sessions for one servlet context
Each can be accessed by different sets of program components
Some exist for different periods of time

Sharing Data with Scope
[Diagram labels: Client 1, Client 2; application, session, request, page; forward]

Web Apps State Summary
Programmers often get state management wrong
  – They learned “how” without learning “why” (the theory)
  – They don’t understand the differences in the various scopes
  – They forget to consider which scope to use as part of design
State management is very different from traditional programming
These scopes are quite powerful
New frameworks beyond J2EE often add different scopes or different semantics on the same scopes