Presentation is loading. Please wait.

Presentation is loading. Please wait.

HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses.

Published byStella Robbins Modified over 9 years ago

Similar presentations

Presentation on theme: "HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses."— Presentation transcript:

1

2 HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses

3 HTTP Requests & Responses2 Road Map Recap and Overview Reading HTTP Request Headers Generating the Server Response Case Study 1: Search Engines Case Study 2: Basic Web Security Restricting by User Name/Password

4 HTTP Requests & Responses3 Recap and Overview

5 HTTP Requests & Responses4 Overview Interaction between browser and web server. Web Browser Web Server Request Response

6 HTTP Requests & Responses5 Client Request Data When a user submits a browser request to a web server, it sends two categories of data: Form Data: Data that the user explicitly typed into an HTML form. For example: registration information. HTTP Request Header Data: Data that is automatically appended to the HTTP Request from the client. For example: cookies, browser type, etc,

7 HTTP Requests & Responses6 Reading HTTP Request Headers

8 HTTP Requests & Responses7 Sample HTTP Request A sample HTTP Request to Yahoo.com GET / HTTP/1.1 Accept: */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt) Host: www.yahoo.com Connection: Keep-Alive Cookie: B=2td79o0sjlf5r&b=2 Tip: Check out: http://www.web-sniffer.net

9 HTTP Requests & Responses8 Accessing HTTP Headers As in the SnoopServlet Example: To access any of these Headers, use the HTTPServletRequest getHeader() method. For example: String connection = req.getHeader(“Connection”); To retrieve a list of all the Header Names, use the getHeaderNames() method. getHeaderNames() returns an Enumeration object. For example: Enumeration enum = req.getHeaderNames();

10 HTTP Requests & Responses9 Additional HTTP Information getMethod() Indicates the request method, e.g. GET or POST. getRequestURI() Returns the part of the URL that comes after the host and port. For example, for the URL: http://randomhost.com/servlet/search, the request URI would be /servlet/search. http://randomhost.com/servlet/search getProtocol() Returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1

11 HTTP Requests & Responses10 Reading Browser Types The User-Agent HTTP header indicates the browser and operating system. For example: user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) You can use this header to differentiate browser types or simply log browser requests.

12 HTTP Requests & Responses11 Example User-Agents Internet Explorer: user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 For strange historical reasons, IE identifies itself as “Mozilla”

13 HTTP Requests & Responses12 Generating the Server Response

14 HTTP Requests & Responses13 Sample HTTP Response As a refresher, here’s a sample HTTP response: HTTP/1.1 200 OK Date: Mon, 06 Dec 2004 20:54:26 GMT Server: Apache/1.3.6 (Unix) Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT Content-length: 327 Connection: close Content-type: text/html Sample Homepage Welcome Hi there, this is a simple web page. Granted, it may…

15 HTTP Requests & Responses14 Generating Responses Servlets can return any HTTP response they want. Useful for lots of scenarios: Redirecting to another web site. Restricting access to approved users. Specifying content-type other than text/html. Return images instead of HTML.

16 HTTP Requests & Responses15 Setting the HTTP Status Code Normally, your Servlet will return an HTTP Status code of: 200 OK to indicate that everything went fine. To return a different status code, use the setStatus() method of the HttpServletResponse object. Be sure to set the status code before sending any document content to the client.

17 HTTP Requests & Responses16 Using setStatus() setStatus takes an integer value. But, it’s best to use the predefined integers in the HttpServletResponse. Here are a few: SC_BAD_REQUEST Status code (400) indicating the request sent by the client was syntactically incorrect. SC_FORBIDDEN Status code (403) indicating the server understood the request but refused to fulfill it. SC_INTERNAL_SERVER_ERROR Status code (500) indicating an error inside the HTTP server which prevented it from fulfilling the request. SC_NOT_FOUND Status code (404) indicating that the requested resource is not available.

18 HTTP Requests & Responses17 Sending Redirects You can redirect the browser to a different URL by issuing a Moved Temporarily Status Code: SC_MOVED_TEMPORARILY: Status code (302) indicating that the resource has temporarily moved to another location. SC_MOVED_TEMPORARILY Because this is so common, the HttpServletResponse interface also has a sendRedirect() method. Example: res.sendRedirect( “http://www.yahoo.com”);http://www.yahoo.com

19 HTTP Requests & Responses18 Example: Search Engines

20 HTTP Requests & Responses19 Multiple Search Engines SearchEngines Servlet Enables users to submit a search query to one of four search engines. Google AllTheWeb Yahoo AltaVista, etc. The code exploits the HTTP Response Header to redirect the user to the correct search engine.

21 HTTP Requests & Responses20 Architecture Web Browser SearchEngines Servlet “I want to search for Bill Gates on Google” “Go to Google” Google “I want to search for Bill Gates on Google” “Your results…”

22 HTTP Requests & Responses21 SearchSpec.java The SearchSpec object contains information about connecting to a specific search engine public String makeURL (String searchString, String numResults) You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc. Class is contained in SearchEngines.java on acad

23 HTTP Requests & Responses22 SearchUtilities.java The SearchUtilities.java code has an array of SearchSpec objects: one for Google, one for Yahoo, etc. It also provides a makeUrl method…

24 HTTP Requests & Responses23 SearchEngines.java The main servlet code. This code: Extracts the searchEngine parameter. If no such parameter exists, it sends an HTTP Error. Otherwise, it calls SearchUtilities to construct the correct URL. Finally, it redirects the user to this new URL.

25 HTTP Requests & Responses24 Example: Basic Web Security

26 HTTP Requests & Responses25 HTTP Authentication The HTTP Protocol Includes a built-in authentication mechanism. Useful for protecting web pages or servlets that require user name / password access. First, let’s examine the basic mechanism and the HTTP Headers involved. Then, let’s figure out how to build a servlet that exploits this mechanism.

27 HTTP Requests & Responses26 Basic Authentication 1) If a web page is protected, the Web Server will issue an authentication “challenge”: HTTP/1.1 401 Authorization Required Date: Sun, 27 Aug 2000 17:51:25 GMT Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a WWW-Authenticate: BASIC realm="privileged-few" Keep-Alive: timeout=90, max=150 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html

28 HTTP Requests & Responses27 WWW-Authenticate: BASIC realm=“realm" When you issue a return status code of 401, “Authorization Required”, you need to tell the browser what type of authentication is required. You do this via the WWW-Authenticate Header. This header has two parameters: BASIC: Basic authorization requiring user name and password. Realm: you can create multiple “realms” of authentication for different users, e.g. “Admin”, “User”, “Super_User”, etc. WWW-Authenticate

29 HTTP Requests & Responses28 Basic Authentication Cont. 2) Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password. 3) Browser takes the “username:password” from the user and encrypts it using the Base 64 Encoding Algorithm. For example: if the string is “marty:martypd”, the Base 64 string is “bWFydHk6bWFydHlwdw==” We will not cover the details of Base 64, but remember that Base 64 is easy to decode. Therefore, even if your page is protected, someone can easily intercept your Base 64 string and decode it.

30 HTTP Requests & Responses29 Basic Authentication Cont. 4) The browser reissues the request for the page. In the HTTP request, the browser indicates the Authorization string: GET /servlet/coreservlets.ProtectedPage HTTP/1.1 Accept: image/gif, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt) Host: www.ecerami.com Connection: Keep-Alive Authorization: Basic bWFydHk6bWFydHlwdw==

31 HTTP Requests & Responses30 Basic Authentication Cont. 5. Web Server checks the user name and password. If User Name/Password is correct, web server displays the protected page. If the User Name/Password is incorrect, web server issues a second authentication challenge.

32 HTTP Requests & Responses31 Almost there… Before we examine the actual servlet code, there are two pieces of Java coding we need to examine: sun.misc.BASE64Decoder. java.util.Properties

33 HTTP Requests & Responses32 Base 64 Encoding Sun provides a class called: sun.misc.BASE64Decoder. You can use the decodeBuffer() method to decode the Base 64 String sent from the user: String userInfo = “bWFydHk6bWFydHlwdw==” BASE64Decoder decoder = new BASE64Decoder(); String nameAndPassword = new String(decoder.decodeBuffer(userInfo)); After this code, nameAndPassword will be set to “marty:martypd”

34 HTTP Requests & Responses33 java.util.Properties A utility class for reading in property files. For example, suppose you have the following password.properties file: #Passwords #Sat Aug 26 11:15:42 EDT 2000 nathan=nathanpw marty=martypw lindsay=lindsaypw bj=bjpw

35 HTTP Requests & Responses34 java.util.Properties You can easily and automatically load the password file and parse its contents: passwordFile = "passwords.properties"; passwords = new Properties(); passwords.load(new FileInputStream(passwordFile)); Then, you can extract the password for a specific user name: String password = properties.getProperty ("marty“);

36 HTTP Requests & Responses35 ProtectedPage.java Here’s how the Servlet Works: 1)Initialization: Read in a Password file of valid user names and passwords. 2)Check for the HTTP Authorization Header. 3)Decode the Authorization Header using Base 64 to obtain user name and password. 4)Check the User Name and Password against the valid names list. If valid, show protected page. Else, issue another authentication challenge.

37 HTTP Requests & Responses36 Form Authentication System BASE64 not secure Need secure solution! Use HTML form Example: FormAuthenticate Access of servlet attempts to access protected data User redirected to login form web page Example takes any combination Once authenticated, redirected to desired page Session object used to store desired destination during login diversion

38 HTTP Requests & Responses37 Summary Lots of hidden HTTP data, including headers and cookies are sent from browser to the server. HTTP Header data can also be sent from server to the browser, e.g. error codes, redirection codes, etc.

Download ppt "HTTP Requests & Responses1 Servlets: HTTP Request Header Contents and Responses."

Similar presentations

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.

HTTP HyperText Transfer Protocol. HTTP Uses TCP as its underlying transport protocol Uses port 80 Stateless protocol (i.e. HTTP Server maintains no information.
HTTP – HyperText Transfer Protocol

HTTP – HyperText Transfer Protocol
Chapter 9 Application Layer, HTTP Professor Rick Han University of Colorado at Boulder

Chapter 9 Application Layer, HTTP Professor Rick Han University of Colorado at Boulder
1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.

1 HTTP – HyperText Transfer Protocol Part 1. 2 Common Protocols In order for two remote machines to “ understand ” each other they should –‘‘ speak the.
CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.

CS320 Web and Internet Programming Handling HTTP Requests Chengyu Sun California State University, Los Angeles.
CS320 Web and Internet Programming Generating HTTP Responses

CS320 Web and Internet Programming Generating HTTP Responses
16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.

16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
1 Web Search Interfaces. 2 Web Search Interface Web search engines of course need a web-based interface. Search page must accept a query string and submit.

1 Web Search Interfaces. 2 Web Search Interface Web search engines of course need a web-based interface. Search page must accept a query string and submit.
Web, HTTP and Web Caching

Web, HTTP and Web Caching
1 CS6320 – Servlet Request and Response L. Grewe.

1 CS6320 – Servlet Request and Response L. Grewe.
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.

HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.

Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
CSC 2720 Building Web Applications Servlet – Getting and Setting HTTP Headers.

CSC 2720 Building Web Applications Servlet – Getting and Setting HTTP Headers.
PL-IV- Group A HTTP Request & Response Header

PL-IV- Group A HTTP Request & Response Header
Definition Servlet: Servlet is a java class which extends the functionality of web server by dynamically generating web pages. Web server: It is a server.

Definition Servlet: Servlet is a java class which extends the functionality of web server by dynamically generating web pages. Web server: It is a server.
Network Protocols: Design and Analysis Polly Huang EE NTU

Network Protocols: Design and Analysis Polly Huang EE NTU

Similar presentations

Ads by Google