Servlets: HTTP Request Header Contents and Responses

PowerPoint Slideshow about 'Servlets: HTTP Request Header Contents and Responses' - gautier

Presentation Transcript
Road Map
  • Recap and Overview
  • Reading HTTP Request Headers
  • Generating the Server Response
  • Case Study 1: Search Engines
  • Case Study 2: Basic Web Security
    • Restricting by User Name/Password

HTTP Requests & Responses

Recap and Overview

Overview
  • Interaction between browser and web server.

[Diagram: the Web Browser sends a Request to the Web Server; the Web Server returns a Response.]

Client Request Data
  • When a user submits a browser request to a web server, it sends two categories of data:
    • Form Data: Data that the user explicitly typed into an HTML form.
      • For example: registration information.
    • HTTP Request Header Data: Data that is automatically appended to the HTTP Request from the client.
      • For example: cookies, browser type, etc.

Reading HTTP Request Headers

Sample HTTP Request
  • A sample HTTP Request to Yahoo.com

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.yahoo.com
Connection: Keep-Alive
Cookie: B=2td79o0sjlf5r&b=2

Tip: Check out http://www.web-sniffer.net

Accessing HTTP Headers

As in the SnoopServlet Example:

  • To access any of these headers, use the HttpServletRequest getHeader() method.
  • For example:
    • String connection = req.getHeader("Connection");
  • To retrieve a list of all the header names, use the getHeaderNames() method.
    • getHeaderNames() returns an Enumeration object.
  • For example:
    • Enumeration<String> headerNames = req.getHeaderNames();
    • (The slide originally named the variable enum; enum is a reserved word in Java 5 and later, so that line no longer compiles.)

Additional HTTP Information
  • getMethod()
    • Indicates the request method, e.g. GET or POST.
  • getRequestURI()
    • Returns the part of the URL that comes after the host and port. For example, for the URL: http://randomhost.com/servlet/search, the request URI would be /servlet/search.
  • getProtocol()
    • Returns the protocol version, e.g. HTTP/1.0 or HTTP/1.1

Reading Browser Types
  • The User-Agent HTTP header indicates the browser and operating system.
  • For example:
    • user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • You can use this header to differentiate browser types or simply log browser requests.

Example User-Agents
  • Internet Explorer:
    • user-agent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
  • Mozilla:
    • Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
  • For strange historical reasons, IE identifies itself as “Mozilla”
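The following servlet, added here as an example and not taken from the slides or the SnoopServlet they mention, reads the request line (getMethod, getRequestURI, getProtocol), walks every header with getHeaderNames() and getHeaders(), classifies the browser from User-Agent, and echoes the headers back as an HTML table. Because every header value is chosen by the client, the values are HTML-escaped before being written into the page; a "snoop" servlet that echoes them raw lets a crafted header inject markup into its own response. The class name and the HTML layout are my own choices.

```java
// Added example (not from the slides): read and echo request headers safely.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HeaderLogServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Request-line information: method, URI after host:port, protocol version.
        log(req.getMethod() + " " + req.getRequestURI() + " " + req.getProtocol());

        // Classify the browser from User-Agent; a missing header is "unknown".
        String browser = classifyBrowser(req.getHeader("User-Agent"));

        // Set the content type before writing any body.
        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><h1>Request headers</h1>");
        out.println("<p>Browser family: " + escapeHtml(browser) + "</p>");
        out.println("<table border=\"1\">");

        // Walk every header name, then every value for that name
        // (a header such as Accept may appear more than once).
        Enumeration<String> names = req.getHeaderNames();
        while (names != null && names.hasMoreElements()) {
            String name = names.nextElement();
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                String value = values.nextElement();
                log("header " + name + ": " + value);
                out.println("<tr><td>" + escapeHtml(name) + "</td><td>"
                        + escapeHtml(value) + "</td></tr>");
            }
        }
        out.println("</table></body></html>");
    }

    /** Coarse browser family from a User-Agent string; null-safe. */
    static String classifyBrowser(String userAgent) {
        if (userAgent == null) {
            return "unknown";
        }
        // IE announces itself as "Mozilla/4.0 (compatible; MSIE ...)", so the
        // MSIE token must be tested before the generic Mozilla token.
        if (userAgent.contains("MSIE")) {
            return "Internet Explorer";
        }
        if (userAgent.contains("Gecko")) {
            return "Mozilla/Gecko";
        }
        return "other";
    }

    /** Minimal HTML escaping for text nodes and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The User-Agent check is only good for logging and coarse presentation choices, as the slide says; the header is freely settable by the client, so it must never be used as an access-control signal.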

Generating the Server Response

Sample HTTP Response
  • As a refresher, here’s a sample HTTP response:

HTTP/1.1 200 OK
Date: Mon, 06 Dec 2004 20:54:26 GMT
Server: Apache/1.3.6 (Unix)
Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
Content-length: 327
Connection: close
Content-type: text/html

<title>Sample Homepage</title>
<img src="/images/oreilly_mast.gif">
<h1>Welcome</h1>Hi there, this is a simple web page. Granted, it may…

Generating Responses
  • Servlets can return any HTTP response they want.
  • Useful for lots of scenarios:
    • Redirecting to another web site.
    • Restricting access to approved users.
    • Specifying a content type other than text/html.
    • Returning images instead of HTML.

Setting the HTTP Status Code
  • Normally, your servlet will return an HTTP status code of 200 OK to indicate that everything went fine.
  • To return a different status code, use the setStatus() method of the HttpServletResponse object.
  • Be sure to set the status code before sending any document content to the client.

Using setStatus()
  • setStatus takes an integer value. But, it’s best to use the predefined integers in the HttpServletResponse. Here are a few:
  • SC_BAD_REQUEST
    • Status code (400) indicating the request sent by the client was syntactically incorrect.
  • SC_FORBIDDEN
    • Status code (403) indicating the server understood the request but refused to fulfill it.
  • SC_INTERNAL_SERVER_ERROR
    • Status code (500) indicating an error inside the HTTP server which prevented it from fulfilling the request.
  • SC_NOT_FOUND
    • Status code (404) indicating that the requested resource is not available.

Sending Redirects
  • You can redirect the browser to a different URL by issuing a Moved Temporarily Status Code:
    • SC_MOVED_TEMPORARILY: Status code (302) indicating that the resource has temporarily moved to another location.
  • Because this is so common, the HttpServletResponse interface also has a sendRedirect() method.
    • Example:

res.sendRedirect("http://www.yahoo.com");

Example: Search Engines

Multiple Search Engines

SearchEngines Servlet

  • Enables users to submit a search query to one of four search engines.
    • Google
    • AllTheWeb
    • Yahoo
    • AltaVista, etc.
  • The code uses the HTTP response headers (a redirect status plus a Location header) to send the user to the correct search engine.

Architecture

[Diagram: the Web Browser tells the SearchEngines Servlet "I want to search for Bill Gates on Google"; the servlet answers "Go to Google"; the browser then sends "I want to search for Bill Gates on Google" to Google, which replies "Your results…".]

SearchSpec.java
  • The SearchSpec object contains information about connecting to a specific search engine
    • public String makeURL (String searchString, String numResults)
    • You provide this method with a search string and the number of results, and it returns the URL and search query specific to Google, Yahoo, HotBot, etc.
    • Class is contained in SearchEngines.java on acad

SearchUtilities.java
  • The SearchUtilities.java code has an array of SearchSpec objects: one for Google, one for Yahoo, etc.
  • It also provides a makeUrl method…

SearchEngines.java
  • The main servlet code.
  • This code:
    • Extracts the searchEngine parameter.
    • If no such parameter exists, it sends an HTTP Error.
    • Otherwise, it calls SearchUtilities to construct the correct URL.
    • Finally, it redirects the user to this new URL.
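The servlet below is an added example, not the SearchEngines.java / SearchUtilities.java / SearchSpec.java code the slides refer to, but it follows the same four steps (read the searchEngine parameter, send an HTTP error if it is missing, build the engine-specific URL, redirect) and also covers the status-code and sendRedirect() material above. The point it adds is why the table of SearchSpec objects matters for security: the client supplies only the engine name and the query text, while the URL is assembled from fixed constants, so the redirect can never be steered to a site the client names (an open redirect). The SearchSpec class, the engine URLs and parameter names, and the parameter names searchString and numResults are assumptions for illustration.

```java
// Added example (not the slides' code): allowlisted search-engine redirect.
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SearchRedirectServlet extends HttpServlet {

    /** Hypothetical stand-in for the slides' SearchSpec: base URL plus parameter names. */
    static final class SearchSpec {
        final String baseUrl, queryParam, numParam;

        SearchSpec(String baseUrl, String queryParam, String numParam) {
            this.baseUrl = baseUrl;
            this.queryParam = queryParam;
            this.numParam = numParam;
        }

        /** Builds the engine-specific URL; user text is URL-encoded, never concatenated raw. */
        String makeURL(String searchString, String numResults) {
            try {
                return baseUrl + "?" + queryParam + "=" + URLEncoder.encode(searchString, "UTF-8")
                        + "&" + numParam + "=" + URLEncoder.encode(numResults, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException("UTF-8 is always available", e);
            }
        }
    }

    /** Allowlist of engines. The URL patterns are assumed for illustration. */
    static final Map<String, SearchSpec> ENGINES = new LinkedHashMap<>();
    static {
        ENGINES.put("google",    new SearchSpec("https://www.google.com/search",    "q", "num"));
        ENGINES.put("yahoo",     new SearchSpec("https://search.yahoo.com/search",  "p", "n"));
        ENGINES.put("alltheweb", new SearchSpec("https://www.alltheweb.com/search", "q", "hits"));
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String engine = req.getParameter("searchEngine");
        String query  = req.getParameter("searchString");
        String num    = req.getParameter("numResults");

        // Missing parameter: send an HTTP error, as the slides' servlet does.
        if (engine == null || query == null) {
            res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "searchEngine and searchString are required");
            return;
        }

        // Unknown engine name: refuse rather than redirect wherever the client says.
        SearchSpec spec = ENGINES.get(engine.toLowerCase(Locale.ROOT));
        if (spec == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown search engine");
            return;
        }

        // Result count must be a small integer; anything else falls back to a default.
        if (num == null || !num.matches("[0-9]{1,3}")) {
            num = "10";
        }

        // sendRedirect() sets the 302 status and the Location header for us; it is
        // called before any body has been written, as the status-code slide requires.
        res.sendRedirect(spec.makeURL(query, num));
    }
}
```

A request such as /servlet/search?searchEngine=google&searchString=Bill+Gates&numResults=20 yields a 302 to the Google URL with the query encoded; searchEngine=evil yields a 404 instead of a redirect.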

Example: Basic Web Security

HTTP Authentication
  • The HTTP protocol includes a built-in authentication mechanism.
  • Useful for protecting web pages or servlets that require user name / password access.
  • First, let’s examine the basic mechanism and the HTTP headers involved.
  • Then, let’s figure out how to build a servlet that uses this mechanism.

Basic Authentication
  • If a web page is protected, the Web Server will issue an authentication “challenge”:

HTTP/1.1 401 Authorization Required
Date: Sun, 27 Aug 2000 17:51:25 GMT
Server: Apache/1.3.12 (Unix) ApacheJServ/1.1 PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
WWW-Authenticate: BASIC realm="privileged-few"
Keep-Alive: timeout=90, max=150
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

WWW-Authenticate

WWW-Authenticate: BASIC realm="realm"

  • When you issue a return status code of 401, “Authorization Required”, you need to tell the browser what type of authentication is required.
  • You do this via the WWW-Authenticate Header. This header has two parameters:
    • BASIC: Basic authorization requiring user name and password.
    • Realm: you can create multiple “realms” of authentication for different users, e.g. “Admin”, “User”, “Super_User”, etc.

Basic Authentication Cont.
  • Upon receiving an authentication challenge, the browser will prompt the user with a pop-up box requesting the user name and password.
  • The browser takes the “username:password” string from the user and encodes it using the Base 64 encoding algorithm (encodes, not encrypts: there is no key).
    • For example: if the string is “marty:martypw”, the Base 64 string is “bWFydHk6bWFydHlwdw==”
    • We will not cover the details of Base 64, but remember that Base 64 is easy to decode. Therefore, even if your page is protected, someone who can intercept your Base 64 string can easily decode it.

Basic Authentication Cont.
  • The browser reissues the request for the page. In the HTTP request, the browser indicates the Authorization string:

GET /servlet/coreservlets.ProtectedPage HTTP/1.1
Accept: image/gif, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)
Host: www.ecerami.com
Connection: Keep-Alive
Authorization: Basic bWFydHk6bWFydHlwdw==

Basic Authentication Cont.
  • Web Server checks the user name and password.
    • If User Name/Password is correct, web server displays the protected page.
    • If the User Name/Password is incorrect, web server issues a second authentication challenge.

Almost there…
  • Before we examine the actual servlet code, there are two pieces of Java coding we need to examine:
    • sun.misc.BASE64Decoder.
    • java.util.Properties

Base 64 Encoding
  • Sun provides a class called sun.misc.BASE64Decoder.
  • You can use the decodeBuffer() method to decode the Base 64 string sent from the user:

import sun.misc.BASE64Decoder;

// decodeBuffer() declares IOException, which a servlet's doGet() already throws
String userInfo = "bWFydHk6bWFydHlwdw==";
BASE64Decoder decoder = new BASE64Decoder();
String nameAndPassword =
    new String(decoder.decodeBuffer(userInfo));

  • After this code, nameAndPassword will be set to "marty:martypw"

java.util.Properties
  • A utility class for reading in property files.
  • For example, suppose you have the following password.properties file:

#Passwords
#Sat Aug 26 11:15:42 EDT 2000
nathan=nathanpw
marty=martypw
lindsay=lindsaypw
bj=bjpw

java.util.Properties
  • You can easily and automatically load the password file and parse its contents:

import java.io.FileInputStream;
import java.util.Properties;

// load() declares IOException; the stream should be closed after loading
String passwordFile = "passwords.properties";
Properties passwords = new Properties();
passwords.load(new FileInputStream(passwordFile));

  • Then, you can extract the password for a specific user name (getProperty() returns null for an unknown name):

String password = passwords.getProperty("marty");

ProtectedPage.java
  • Here’s how the Servlet Works:
    • Initialization: Read in a Password file of valid user names and passwords.
    • Check for the HTTP Authorization Header.
    • Decode the Authorization Header using Base 64 to obtain user name and password.
    • Check the User Name and Password against the valid names list.
      • If valid, show protected page.
      • Else, issue another authentication challenge.

Form Authentication System
  • Base 64 is not secure (it is an encoding, not encryption).
    • A more secure solution is needed.
  • Use an HTML form instead.
    • Example: FormAuthenticate
      • Accessing the servlet attempts to access protected data.
      • The user is redirected to a login form web page.
        • The example accepts any user name/password combination.
      • Once authenticated, the user is redirected to the desired page.
        • A session object stores the desired destination during the login diversion.
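The two servlets below are an added example, not the FormAuthenticate code the slide refers to, showing the login diversion it describes: the protected servlet sends the browser to the login form with the page it wanted, the form servlet parks that destination in the session, and after a successful login the browser is redirected there. Two points the slide does not spell out are built in: the parked destination is accepted only if it is a path on this site, so the post-login redirect cannot be pointed at another host, and the pre-login session is invalidated and replaced on success, so a session id fixed before login is not promoted to an authenticated one. Like the slide's demo, the credential check accepts any non-empty pair; a deployment replaces credentialsAccepted() with a real lookup such as the Properties-based one above. The URL /login and the attribute names are assumptions.

```java
// Added example (not the slides' code): form login with a parked destination.
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class FormLoginServlet extends HttpServlet {
    static final String DEST_ATTR = "login.destination";   // assumed attribute names
    static final String USER_ATTR = "login.user";

    /** GET: a protected servlet diverts the browser here with ?dest=<page it wanted>. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String dest = safeLocalPath(req.getParameter("dest"));
        req.getSession(true).setAttribute(DEST_ATTR, dest);
        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("<html><body><form method=\"post\">"
                + "User: <input name=\"user\"> "
                + "Password: <input type=\"password\" name=\"pw\"> "
                + "<input type=\"submit\" value=\"Log in\"></form></body></html>");
    }

    /** POST: check the credentials, then send the browser on to the parked destination. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pw = req.getParameter("pw");
        if (!credentialsAccepted(user, pw)) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "login failed");
            return;
        }
        HttpSession old = req.getSession(false);
        String dest = old == null ? null : (String) old.getAttribute(DEST_ATTR);
        if (old != null) {
            old.invalidate();          // discard the pre-login session id
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, user);
        res.sendRedirect(dest != null ? dest : "/");
    }

    /** Demo behaviour, as on the slide: any non-empty pair is accepted. */
    static boolean credentialsAccepted(String user, String pw) {
        return user != null && !user.isEmpty() && pw != null && !pw.isEmpty();
    }

    /** Accept only a path on this site: one leading "/" and no header-breaking characters. */
    static String safeLocalPath(String dest) {
        if (dest == null || !dest.startsWith("/") || dest.startsWith("//")
                || dest.startsWith("/\\") || dest.indexOf('\r') >= 0 || dest.indexOf('\n') >= 0) {
            return "/";
        }
        return dest;
    }
}

/** The protected resource: diverts to the login form when no user is in the session. */
class ProtectedDataServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        HttpSession s = req.getSession(false);
        Object user = s == null ? null : s.getAttribute(FormLoginServlet.USER_ATTR);
        if (user == null) {
            // Remember where the browser was going; /login is an assumed mapping.
            res.sendRedirect("/login?dest=" + URLEncoder.encode(req.getRequestURI(), "UTF-8"));
            return;
        }
        res.setContentType("text/plain;charset=UTF-8");
        res.getWriter().println("protected data for " + user);
    }
}
```

Sending dest=https://other.example/ or dest=//other.example to the login form results in a redirect to "/" after login rather than to the foreign host; dest=/servlet/ProtectedData is kept and used.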

Summary
  • Lots of hidden HTTP data, including headers and cookies, is sent from the browser to the server.
  • HTTP Header data can also be sent from server to the browser, e.g. error codes, redirection codes, etc.
