29 Web Browsers and Servers in the Enterprise
30 Traditional Web Programming and Java
31 XML
32 Java Servlets
33 JavaServer Pages
- 794 -
Building Java Enterprise Systems with J2EE
Chapter 29. Web Browsers and Servers in the Enterprise

IN THIS CHAPTER
• Web Browsers
• Web Browser Security
• Java Plug-in
• Web Servers
• Web Server Security
• Web Server Availability
We described the basic approach to developing Web-based Java applets in Chapter 4, "Java Foundations for Enterprise Development," and the basic communications infrastructure of the Web and HTTP in Chapter 13, "Web Communications." This chapter builds on those concepts with an introduction to the two primary computing platforms used to Web-enable an enterprise: Web browsers and Web servers. Understanding the basic architecture of Web browsers and Web servers, as well as understanding the common problems and solutions encountered with their use, is fundamental to understanding how to Web-enable an enterprise using the Java enterprise technologies discussed in subsequent chapters. This chapter thus simply provides a basic conceptual framework for you to understand how Web browsers and servers are constructed, as well as the most significant facts for you to consider with their use in an enterprise.

In this chapter, you will learn:

• The architecture of Web browsers and the types of Web browsers most commonly used in the enterprise.
• The problems and solutions of Web browser security.
• The Java Plug-in software for using an alternative Java Virtual Machine inside of a Web browser.
• The architecture of Web servers and the types of Web servers most commonly used in the enterprise.
• The problems and solutions of Web server security.
• The options for building highly available Web server applications.
Web Browsers

A Web browser is an application whose primary role is to transform GUI requests into HTTP requests and to transform HTTP responses into GUI display content. HTTP requests are, of course, sent to Web servers, and HTTP responses are received from Web servers.
Requests for Web content are cast in the form of URLs that identify remote resource media accessible via the Internet. Web responses are often in the form of Web page documents with multimedia and HTML-based presentation content such as text, static and animated images, hyperlinks, GUI components, audio clips, and video clips. Additionally, referenced documents of various types managed by external handlers, Java applets, and executable browser script language commands (for example, JavaScript) can also be returned in an HTTP Web response.

Because HTTP is the standard protocol for the World Wide Web (WWW), Web browsers become the GUI windows to the WWW. However, current Web browser GUI component types, the bandwidth for most HTTP connections, and the nature of HTTP itself constrain the GUI designs of current Web browser–based document content. Some Web browsers may take advantage of more sophisticated GUI component interactions, but often at the cost of standards compliance or additional bandwidth consumption. It is for these reasons that the state of the art for most Web browser Web pages tends to be limited to supporting a set of core multimedia features for use over the Internet and limited Web page presentation features, with the bulk of presentation being HTML related.

Web Browser Architecture

Figure 29.1 presents a basic conceptual architecture for Web browsers to provide a glimpse into their underlying structure. At the heart of a Web browser is a main controller process, which manages the caching and state management of information, manages stimulation of Web request and response handling, invokes the configuration of browser properties, and drives the basic presentation of Web page content. Request handlers map GUI-based requests into HTTP network requests, and response handlers map HTTP responses into GUI-based events and requested display content. Each request and response drives the I/O of HTTP data to and from a network interface. The HTTP protocol is used for unsecured connections, and HTTPS is used for HTTP with SSL-based connections.

Figure 29.1. The Web browser architecture.
A cache manager is often employed within Web browser architectures to store previous request and response data in an effort to avoid making unnecessary network requests. A state manager may also be employed to provide some management of session information using cookies or to facilitate some other form of session tracking. Furthermore, a configuration manager may be used to configure the properties and behavior of a Web browser. A document presentation interface is used to drive the actual display of GUI-based browser content. Web browsers typically support one or more of the following types of document presentation interfaces:

• HTML Presentation Manager: All Web browsers have some form of HTML-based presentation manager to output HTML display content and receive user inputs via HTML entities such as input forms and hyperlinks.
• XML Presentation Manager: A few current Web browser implementations and more Web browsers in the future are expected to support parsing of XML documents. We describe XML in more detail in Chapter 31, "XML."
• Java Runtime Environment: A Java runtime environment may be embedded into a Web browser to execute Java applets, as well as to invoke the services of downloaded JavaBean components.
• ActiveX Runtime Engine: A Microsoft ActiveX runtime engine is embedded into Microsoft browsers to execute downloaded ActiveX/COM components.
• Scripting Language Runtime Engine: One or more runtime scripting language engines may also be used to execute scripting commands that were embedded into HTML pages (for example, JavaScript).
• External Content Handler: External content handlers may be used to dynamically execute the content of retrieved URL information in an application that runs in a process external to the Web browser (for example, Adobe Acrobat PDF viewer).
• Plug-In Content Handler: Alternatively, certain content handlers can execute the content of retrieved URL information directly within a Web browser window in a separate thread via a content handler plug-in.
Web Browser Implementations

Various Web browser implementations exist, but the Netscape Navigator (NN) and Microsoft Internet Explorer (IE) Web browser products are by far the most popular. NN runs on various platforms, whereas IE is targeted for Microsoft platforms. Both browsers support the latest and greatest in HTML presentation standards, as well as various extensions to HTML. Both browser implementations also support a JavaScript scripting language runtime environment and a Java applet execution environment. Despite the presence of standards, NN and IE do differ in feature support. Thus, it is often a challenge for developers of Web page content to determine the lowest common denominator of support across both NN and IE. However, by designing to such a lowest common denominator, you can help ensure a maximal level of Web client base support.

Another interesting Web browser implementation is the HotJava browser from Sun. Implemented entirely in Java, it provides a customizable environment for extending the browser implementation following the configurable JavaBeans component model. The HotJava browser has built-in support for managing HTML, JavaScript, and Java runtime environment (JRE) applet presentation environments. Additionally, HotJava can also support various IE- and NN-specific extensions to the standard HTML specifications.
Web Browser Security

Web browsers expose their host machines to a wide range of security risks. Because of the growth in usage and the widely distributed nature of the WWW, the use of Web browsers introduces exposure to a whole new slew of risks for client machines that have never before been seen by industry. Hackers now take advantage of an easier means to funnel malicious code to client machines, as well as a greater opportunity for tapping security-critical resources and information on client machine environments. It is for these reasons of enhanced risk exposure that Web browser and document presentation manager implementations often consider security from the outset of product development. This section briefly examines the security problems associated with Web browser usage and security solutions to these problems.

Web Browser Security Problems

Security-critical resources on the machine on which a Web browser sits can be maliciously corrupted, referenced, or replaced by malicious content executing within a Web browser. Access to client machine resources can also be denied or delayed by malicious Web browser content. The following is a partial list of the more significant types of security problems that can plague a Web browser environment:

• Exposed HTML Presentation Manager Flaw Attacks: Flaws in certain HTML presentation manager implementations can be exploited. This may result in privacy and confidentiality concerns, as well as cause denial of service via exploited memory management faults.
• Exposed Runtime Engine Flaw Attacks: Flaws in scripting language, Java, and ActiveX runtime engine implementations can be exploited to perform operations on a client's machine to tap security-critical resources.
• Java Applet and ActiveX Component Attacks: Without proper controls, malicious Java applets and Microsoft ActiveX components that have been downloaded by a user may be used to access security-critical resources on the client machine.
• External Content Handler Attacks: External content handlers can be used to spawn infected documents (for example, Microsoft Word documents with a Word Macro virus).
• Plug-in Content Handler Attacks: Malicious plug-in content handlers that are downloaded and installed into a Web browser environment have complete access to the client machine's security-critical resources.
• Client Information Request Attacks: Malicious Web sites may solicit security-critical information from users (for example, credit-card information and passwords).
• Sensitive HTTP Requests and Response Data: Certain HTTP requests and responses may contain security-critical data that needs protection over the wire.
• Client Privacy Violations: Certain machine, configuration, and session information sent from a Web browser to a Web server can be used to disseminate private information about a Web user.
• Falsified Client Identification: Malicious Web users can falsely identify themselves as a particular Web user to a Web site.
Web Browser Security Solutions

Web browser and document presentation manager implementers, as well as developers of Web browser content, can address the security issues that plague Web browsers in various ways. The integrity and confidentiality of Web browser requests and responses are both addressed to various degrees by Web browser implementations. The authorization, identity, and authenticity of Web users and visited sites also play a key role in Web browser security solutions. Various means for providing secure Web browser environments based on the previously mentioned Web browser security problems are listed here:

• Browser Implementation Updates: Users should frequently update their browsers with the latest patches.
• Java Security Restrictions: Java has been built with security in mind as a primary design consideration. The Java 1.0 security sandbox model, Java 1.1 signed applet code restrictions, or Java 1.2/2.0 fine-grained access control restrictions may all be used to limit which security-critical resources can be accessed and how.
• Authenticode Restrictions: ActiveX code can be signed using Microsoft's Authenticode technology.
• Java Plug-in Updates: The security of an embedded Java runtime environment implementation can be enhanced by using a more rigorously tested JVM implementation that can be added to your Web browser environment using the Java Plug-in.
• Runtime Engine Disabling: As a more draconian measure, scripting-language engines and Java runtime engines can often be disabled within a Web browser's configuration.
• External Content Handler Security: Users need to manage the security inside of their external content handlers and should be wary of the external documents they download and spawn. Users can run a virus checker on documents before activating them with a content handler.
• SSL Confidentiality: SSL is built into many Web browsers to enable secure transfer between Web browser and server.
• SSL Client Authentication: A client-side certificate can be sent to a Web server during SSL handshaking to authenticate a particular client's identity.
• SSL Server Authentication: A server-side certificate can be sent to a Web browser during SSL handshaking to authenticate a particular server's identity.
• Anonymizer Sites: In the name of privacy, certain Web sites exist that can redirect your Web requests to other Web sites after removing certain privacy-related information from the HTTP request.
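The "Java Security Restrictions" item above rests on the Java 2 permission model: a policy grants a set of permissions to code according to where it came from and who signed it, and every security check asks whether the granted set implies the requested access. The following Java program is an added example, not code from the book or from any JRE; it reduces that decision to its rule and compares two constructed grant sets (a sandbox for unsigned code and a broader grant for code signed by a trusted key) against a handful of constructed file and property accesses. The scratch directory, the grant contents, and the requested accesses are all illustrative; a browser's JRE would read such grants from its policy file rather than build them in code, and the paths assume a Unix-style file system.

```java
// Added example (not from the book or any JRE): the Java 2 fine-grained
// permission model reduced to its decision rule. Grant sets, the scratch
// directory and the requested accesses below are constructed for illustration.
import java.io.File;
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

public class AppletSandboxGrants {

    /** What the classic sandbox gives unsigned applet code: next to nothing. */
    static Permissions untrustedGrants() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("java.version", "read"));
        return p;
    }

    /** What an administrator might grant to applets signed by a trusted key. */
    static Permissions trustedGrants(String scratchDir) {
        Permissions p = new Permissions();
        // "<dir>/-" covers the directory and everything below it; "<dir>/*" would cover
        // direct children only. Actions are a set: "read,write" implies "read".
        p.add(new FilePermission(scratchDir + File.separator + "-", "read,write"));
        p.add(new PropertyPermission("java.*", "read")); // any property named "java.<something>"
        return p;
    }

    /** The question the JVM asks during a security check: do the grants imply the access? */
    static boolean allows(Permissions grants, Permission requested) {
        return grants.implies(requested);
    }

    public static void main(String[] args) {
        String scratch = String.join(File.separator, "", "home", "alice", "scratch"); // constructed
        Permissions untrusted = untrustedGrants();
        Permissions trusted = trustedGrants(scratch);
        Permission[] requests = {
            new FilePermission(String.join(File.separator, scratch, "data", "log.txt"), "read"),
            new FilePermission(String.join(File.separator, scratch, "out.txt"), "write"),
            new FilePermission(String.join(File.separator, "", "etc", "passwd"), "read"),
            new PropertyPermission("java.version", "read"),
            new PropertyPermission("java.vendor", "read"),
            new PropertyPermission("user.home", "read"),
        };
        for (Permission r : requests) {
            System.out.printf("%-45s untrusted=%-5b trusted=%b%n",
                    r.getName() + " [" + r.getActions() + "]",
                    allows(untrusted, r), allows(trusted, r));
        }
    }
}
```

The point to take from the output is that the answer depends on both halves of the question: the same read of a log file is refused under the sandbox grants and permitted under the signed-code grants, while a read outside the granted subtree is refused under both. Within a browser, the JRE performs this check on every protected operation that downloaded code attempts, so widening a grant (a broader directory wildcard, or adding "write" where only "read" was needed) is exactly the kind of change an administrator should review before signing off on it.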
Java Plug-in

The Java Plug-in defines an approach for enabling the use of an alternative Java runtime environment inside of a Web browser instead of using the browser's built-in JRE. This is particularly useful for enabling the Web browsers used throughout an enterprise to take advantage of the latest JRE platform, APIs, and enhancements. The latest JDK v1.2.2, for example, can be downloaded to your enterprise users' Web browsers simply by use of a few special tags inside of an HTML document. Both Java applets and JavaBean components can thus be downloaded for use in a Web browser and can take advantage of the latest JDK library releases. After the libraries are downloaded, they are stored on the user's local hard disk and are simply used whenever the need for such alternative libraries is designated from within a Web page.

Installing the Java Plug-in into a Web Browser

Use of the Java Plug-in focuses on the definition of special tags in an HTML document that direct a Web browser to use a special JRE to process the downloaded Java code. The specification of such tags differs from browser to browser. After a Java Plug-in is installed inside of a user's Web browser environment, subsequent demands for such a JRE are forwarded to the user's local machine installation. Updates to the JRE are less time-consuming after the initial installation time. However, initial installation may require download times over a local area network that are anywhere from 3 to 10 minutes. Wide area network download times, such as over the Internet, are significantly longer.

Use of the Java Plug-in with IE relies on IE's built-in extension mechanism for augmenting IE with additional COM and ActiveX components that can be called from within a Web page. A pair of tags is inserted into an HTML document to designate the use of an IE extension mechanism. If no Java Plug-in has been installed yet, and the user visits a site which designates that a Java Plug-in should be used, an IE browser first asks the user whether it is acceptable to download and install a signed ActiveX component. If the user answers Yes, a Java Plug-in ActiveX wrapper is downloaded to the Web browser that in turn manages the download and install of the new JRE.

Netscape's built-in plug-in mechanism is used to extend the NN browser to download and install native code to be used as a browser plug-in. The tags are inserted into an HTML document to designate the use of an NN plug-in. If no Java Plug-in is yet loaded, an empty plug-in picture is displayed within the browser window, and the user is asked to download the appropriate plug-in. The user then downloads and installs the Java Plug-in for NN by following the instructions.

Designating the Use of a Java Plug-in JRE

As we just mentioned, the installation of a Java Plug-in JRE can be initiated via the specification of the appropriate tags in a Web page. The Java Plug-in HTML Specification at http://java.sun.com/products/plugin/1.2/docs/tags.html defines the syntax needed within a Web page for designating the use of the Java Plug-in with an associated Java applet or JavaBean component. The Java Plug-in HTML Converter tool is also available and can be used to automatically mark up HTML documents with the necessary tags for using the Java Plug-in (http://java.sun.com/products/plugin/1.2/features.html). We only briefly describe the syntax of such tags from within an HTML document here to give you a flavor for what referencing the Java Plug-in from within a browser environment looks like. We encourage you to examine the Java Plug-in HTML Specification for more information and to use the Java Plug-in HTML Converter for ease of mapping your Java applet tags to Java Plug-in–style tags.

For example, suppose that we wanted to run a Java applet inside of a Web browser and use the Java Plug-in. A normal Java applet tag designation, such as the format described in Chapter 4, may be defined as shown here:
We might then decide that our applet should operate inside of a JRE v1.2.2 environment and therefore require the use of a Java Plug-in HTML Specification as shown here:
    classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
    codebase="http://java.sun.com/products/plugin/1.2.2/jinstall-1_2_2-win.cab#Version=1,2,2,0"
    width="400" height="300">
    No Java 2.0 support is possible for this applet.

In this rather convoluted tag sequence, multiple needs were satisfied. We've encapsulated all information within an IE OBJECT tag pair such that IE can use its extension mechanisms to process the applet. Per the Java Plug-in HTML Specification, certain standard applet tags map to OBJECT attributes, and others map to PARAM tags within an OBJECT tag scope. Additionally, the statically defined classid and codebase values within the OBJECT tag attributes are defined to point to the appropriate Java Plug-in ActiveX component wrapper to use. Such a wrapper may be downloaded from the codebase if it is not already loaded onto the client's machine.

The necessary tags for use of the Java Plug-in within NN browsers are defined within the COMMENT tags shown above. IE ignores the COMMENT tags, and NN will not recognize the leading OBJECT tag. Thus, the information within the EMBED tags is interpreted only by NN browsers. As you can see, the various APPLET tag elements also map to attributes of the EMBED tag. The special pluginspage attribute defines the location from which to locate the special Java Plug-in for NN browsers. The location from which to load a Java Plug-in can actually be defined to be a particular Web site within the domain of an enterprise, but we have shown only standard locations from the Sun site here.
Web Servers

A Web server is a server-side application whose primary role is to handle or delegate HTTP requests and to generate or route HTTP responses. Web servers come in various flavors and can support various needs. The most simplistic form of Web server may simply receive GET or POST requests, read a local file based on a requested URL, and stream the file data back to the Web client. Higher-end enterprise-class Web servers support concurrent requests from a scalable number of clients, implement some form of secure access control, and support various APIs for extending the functionality of a Web server to dynamically generate Web documents in an application-specific fashion. This section briefly describes a generic architecture for Web servers and highlights those commercial Web server implementations currently pervading the marketplace.

Web Server Architecture

Figure 29.2 presents a basic conceptual architecture of a Web server. The Web server controller serves to represent the main process controller context in which a Web server runs. A Web server controller typically manages a pool of threads that are used to handle requests from clients as they are received. A Web handler thread is allocated to manage a particular client request and response. Each request and response passes through a network interface. The HTTP protocol is used for unsecured connections, and HTTPS is used for HTTP with SSL-based connections.

Figure 29.2. The Web server architecture.
A Web server controller may also maintain session management information between successive requests from a client such that statefulness for the otherwise stateless HTTP protocol may be implemented. Caches of response information may also be maintained by a Web server such that successive instances of the same request may be used to rapidly generate a cached response. The behavior of the Web server will often be manageable through some means of configuring the server environment. Management of the Web server environment may also include the specification of ACLs limiting access to server-side resources for particular Web users. Furthermore, most Web server environments will also provide some mechanism for logging Web server requests and responses.

Interfaces that can generate Web-based documents according to HTTP requests are central to a Web server architecture. Web servers typically support one or more of the following types of document-serving interfaces:

• File Request Handler: Most Web servers have file request handlers that map a URL to a file (for example, an HTML file) local to the Web server that is to be read and sent back to the client in an HTTP response stream.
• CGI Engine: The Common Gateway Interface (CGI) provides a standard interface mechanism for spawning external processes implemented in any language to handle HTTP requests and generate HTTP responses.
• ISAPI: The Internet Server Application Program Interface (ISAPI) defines an interface for calling Microsoft platform DLLs to handle HTTP requests and generate HTTP responses.
• NSAPI: The Netscape Server Application Programming Interface (NSAPI) defines an interface for calling binary libraries to handle HTTP requests and generate HTTP responses.
• Script Language Runtime Engine: Script language runtime engines allow scripting language commands, such as JavaScript and VBScript, stored in HTML files to be executed within the Web server's process space. Such commands are used to generate dynamic HTML content to be sent back to the requesting client.
• Java Servlet Engine: Java Servlet engines allow Java code adhering to a particular interface to be executed within the Web server's process space to handle HTTP requests and generate HTTP responses.
• JSP Engine: JavaServer Pages (JSP) engines are used to compile special Java scripting language commands into executable Java Servlet content, which is then executed within a Web server's process space to handle HTTP requests and generate HTTP responses.
Web Server Implementations

Web server implementations can be extremely simplistic in nature or support various sophisticated enterprise-class features. Web servers may be started from the command line and be configured from a simple text file, or they may come equipped with a nifty GUI interface for starting, stopping, creating, deleting, and configuring server instances. We've already seen an example of a simple Web server implementation such as the one used in Chapter 16, "RMI Communications," for dynamic RMI code downloading. However, more sophisticated Web servers are needed for commercial and enterprise-class applications.

Netscape provides the Netscape FastTrack Server for low-end Web server applications. The Netscape Enterprise Server (NES) is used in many scalable Web server applications with security requirements. NES provides a fancy GUI for managing and configuring Web server applications and offers many extensions for document serving. Document serving interfaces offered by NES include file serving, CGI, NSAPI, JavaScript runtime, and Java Servlet support.

The Microsoft Internet Information Server (IIS) is used on server-side Microsoft platforms as the Microsoft platform-specific solution for Web serving. IIS is tightly integrated with Windows NT and Windows 2000 platforms and can be used with Microsoft's other enterprise solutions. IIS provides document serving interfaces such as file serving, CGI, ISAPI, and the Active Server Pages (ASP) scripting environment.

The Java Web Server (also called Jeeves) is a Web server implemented completely in Java and thus offers a platform-independent Web server solution. The Java Web Server provides document serving interfaces for file serving, CGI, and Java Servlets.

The BEA WebLogic Server is an enterprise-class Web server and is also largely built on top of the Java platform. Web servers that come equipped with BEA WebLogic Server v5.0 follow the J2EE model and offer an environment for both Java Servlets and JSPs. In addition to file serving and CGI support, the BEA WebLogic Server also supports basic NSAPI and ISAPI document serving interfaces.

The Apache Web Server is a freeware server and has been developed according to the open source shareware model of development. Apache operates on UNIX and Windows platforms and is actually used in many enterprise-class Web serving applications. The Apache Web Server not only includes basic file serving and CGI support, but has also been extended for use with various scripting languages and Java Servlets.

Many other Web server implementations exist beyond the core products mentioned here. The J2EE enables you to create Web server–based applications with Java Servlet and JSP technology that is independent of the underlying Web server vendor implementation. J2EE-compliant Web server implementation vendors are required to provide J2EE-compliant container environments within which Java Servlet and JSP components run. These container environments are standardized versions of the previously mentioned document serving engines for such technologies. Many of the Web server implementations mentioned here either have already implemented or have begun to implement J2EE-compliant container environments. Even if a particular Web server vendor's J2EE Web environment is not up to snuff, many vendor implementations make it easy for you to plug in third-party Web container environments. For example, the JRun Servlet engine from Live Software has been a popular separately purchasable Java Servlet environment of choice for use with some of the Web server vendor products mentioned previously.
Web Server Security

The security of a Web server environment is crucial for the practical usage of Web-enabling technology in most enterprise environments. Web servers often act as an entry point into the operations of an enterprise when used to generate interfaces that enable enterprise employees to engage in some sort of business with the enterprise via the Web. Web servers also act as business-to-consumer (B2C) and e-commerce portals for customers to conduct Web-based business transactions with an enterprise. Such a portal by way of the Web exposes both the operations and the business of an enterprise to a global network of people, some of whom may be malicious. This is why Web-based security of Web serving environments must be a fundamental consideration when one is Web-enabling the enterprise with a Web server environment. This section briefly examines the security problems associated with Web server usage and security solutions for these problems.

Web Server Security Problems

Security-critical resources on the server end of a Web connection are plentiful. Enterprise applications and data both represent key resources of an enterprise that must be secured. Security-critical resources on the machine on which a Web server sits, or those resources that can be directly affected by the operations of a Web server, can be maliciously corrupted, referenced, or replaced under the direction of a malicious hacker. Access to enterprise system resources can also be denied or delayed by malicious Web server hackers. The following is a partial list of the more significant types of security problems that can plague a Web server environment:

• Exposed Implementation Flaw Attacks: Flaws in the implementation of a Web server product or a document server interface may be subject to exploitation by hackers.
• Denial-of-Service Attacks: Malicious inundation of HTTP or lower-level TCP/IP requests to a Web server can bring the operations of the server to a grinding halt.
• Credential Sniffing: Passwords and other credential information sent in the clear or over weak encryption links to a Web server can be captured and utilized later by a hacker.
• Server Information Request Attacks: Malicious Web users may be inclined to solicit security-critical information from enterprise Web servers.
• Server Command Request Attacks: Malicious Web users may also submit commands to an enterprise Web server to perform some security-critical operation.
• Sensitive HTTP Requests and Response Data: Certain HTTP requests and responses may contain security-critical data that needs protection.
• Back Door Service Attacks: Certain processes and services (such as SMTP, FTP, Telnet, and DNS) can provide security holes that, when exploited, can be used to corrupt Web server processing.
• Platform Machine Attacks: Flaws in operating systems and environments are primarily breached by way of a breach of physical security and direct access to a system. Nevertheless, other means do exist, such as when a Web server system is also used for potentially unsecure purposes such as WWW browsing and email reading.
Web Server Security Solutions Web server and document serving interface implementers, as well as developers of Web document server interface logic, can address the security issues that plague Web serving in various ways. The integrity and confidentiality of Web server requests and responses are both addressed to various degrees by Web server and document serving interface implementations. The authorization, identity, and authenticity of Web users and visited sites also play a key role in Web server and application security. Various means for providing secure Web server environments based on the previously mentioned Web server security problems are listed here: •
• •
•
•
•
•
• Server Implementation Updates: Always maintain awareness of patches to exposed server security holes and obtain updates appropriately. This includes patches to both the Web server implementation itself and document server interface implementations (for example, a new Java Servlet engine patch).

• SSL Confidentiality: SSL is built into many Web servers to enable secure transfer between Web browser and server.

• SSL Client Authentication: A client-side certificate can be sent to a Web server during SSL handshaking to authenticate a particular client's identity.

• User Authentication: In addition to SSL client certificate authentication, certain application-specific and more fine-grained authentication techniques may be employed to authenticate the identity and role of a particular user.

• SSL Server Authentication: A server-side certificate can be sent to a Web browser during SSL handshaking to authenticate a particular Web server's identity.

• Firewalls: Filtering of IP address access to a Web server can restrict access to a server from users within unauthorized IP domains. More sophisticated firewalls can also help limit the effects of a denial-of-service attack.

• Access Control Lists: Many Web servers use access control lists to restrict which Web resources, such as URLs and document serving interface applications, are available for access by certain identities and roles.

• Security Auditing: Many Web servers provide logging of incoming HTTP requests and associated IP addresses useful for security auditing. Additionally, higher-level application-specific auditing of security-critical activities will also be a key concern in the design of a secure Web server application.

• Server Redundancy: Redundancy of server processes and threads can help limit the effects resulting from denial-of-service attacks by switching over to redundant servers in the event of a malicious attack.

• Auxiliary Service Reduction: Auxiliary processes and services running on the same machine as a Web server should be turned off and removed if possible to close off the potential for an attack via a back door.

• Secure Document Serving Interface Logic: Because the document serving interface logic has access to back-end enterprise resources, these applications must also be secured. That is, interfaces such as CGI, Java Servlets, JSPs, and server-side scripting language commands all must be implemented in such a way that the security of the system is not compromised. Such assurances are not only specific to the type of interface, but also often application-specific.

• Secure Web Server Architecture: A significant technique for providing security in an enterprise application is to have an integrated enterprise architecture with security considered as one key aspect of that architecture. The Web server tier can be maintained separately from an application server architecture tier. All security-critical operations of an enterprise (for example, database, EAI access, credential storage) can then be managed behind the wall of an application server with the Web server tier acting primarily as a Web presentation layer. This is the approach advocated in this book for building enterprise systems.

• Server Analysis Tools: Some tools do exist to independently analyze a Web server offline and at runtime for security weaknesses and suspicious behavior. Because such tools are typically created based on some abstraction of system architecture and behavior, the utility of such tools for many practical and application-specific scenarios can be limited.

• Platform Security: Your operating system and environment should also be secured. Employing credential-based access to a Web server platform and limiting use of a platform to strict Web serving purposes can greatly aid in the security of your Web server environment.
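As an added example that is not code from the book, a hypothetical servlet Filter combines three of the measures just listed in front of the document serving interface logic: SSL confidentiality, an access control list keyed on URL prefix and role, and security auditing of every decision together with the client IP address. The URL prefixes, role names and audit logger name are constructed for the example, and the container is assumed to have already authenticated the user.

```java
import java.io.IOException;
import java.util.*;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter in front of the document serving interface logic (servlets,
// JSPs). URL prefixes and role names are constructed for this example; the container
// is assumed to have authenticated the user (Servlet 4.0 API, default init/destroy).
public class WebResourceAccessFilter implements Filter {
    private static final Logger AUDIT = Logger.getLogger("security.audit");
    // Constructed access control list: URL prefix -> roles allowed to reach it.
    // LinkedHashMap keeps insertion order, so the first matching prefix wins.
    static final Map<String, List<String>> ACL = new LinkedHashMap<>();
    static {
        ACL.put("/admin/", Arrays.asList("admin"));
        ACL.put("/orders/", Arrays.asList("customer", "admin"));
    }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Path within the Web application, i.e. the request URI minus the context path.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String ip = request.getRemoteAddr();
        String user = request.getRemoteUser();   // null when not authenticated
        List<String> allowed = rolesFor(path);   // null when the URL is public
        if (allowed == null) {                   // public resource: pass through
            chain.doFilter(req, res);
            return;
        }
        // SSL confidentiality: protected resources are never served in the clear.
        if (!request.isSecure()) {
            audit("DENY", ip, user, path, "plaintext request to protected URL");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Access control list: the user must hold one of the roles for this prefix.
        // Role membership is decided by the container's authenticator (SSL client
        // certificate, form login, ...), so this check stays authenticator-neutral.
        boolean permitted = false;
        for (String role : allowed) if (request.isUserInRole(role)) permitted = true;
        if (!permitted) {
            audit("DENY", ip, user, path, "role check failed");
            response.sendError(user == null ? HttpServletResponse.SC_UNAUTHORIZED
                                            : HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        audit("ALLOW", ip, user, path, "role check passed");
        chain.doFilter(req, res);
    }
    // Returns the roles for the first ACL prefix that matches the path, or null.
    static List<String> rolesFor(String path) {
        for (Map.Entry<String, List<String>> e : ACL.entrySet())
            if (path.startsWith(e.getKey())) return e.getValue();
        return null;
    }
    // Security auditing: one log line per decision, including the client IP address.
    private static void audit(String verdict, String ip, String user, String path, String why) {
        AUDIT.info(verdict + " ip=" + ip + " user=" + (user == null ? "-" : user)
                + " path=" + path + " (" + why + ")");
    }
}
```

The filter is mapped to /* in the deployment descriptor; the audit lines it writes are the raw material for the application-specific auditing the list above calls for.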
Web Server Availability

Without the availability of service provided by a Web server, the e-commerce and business operations of an enterprise can be tremendously affected. We also alluded to the importance of Web server availability in the preceding section when we briefly discussed the problem of denial of service due to a malicious attack. Web service unavailability may be induced not only by malicious denial-of-service attacks, but also by excessive client load or by an architecture that fails to account for Web server scalability.

Building highly available Web server applications can be accomplished within the design of different parts of a Web server architecture. The Web server controller and handler framework implementation itself can be designed to support multiple client requests and offer redundancy management services for availability. The Web document server interface engines can also be designed with availability in mind. Finally, the application-specific design of the logic operating inside of a particular document server interface engine can affect the availability of a Web-enabled enterprise application.

Thread pooling is one common technique for achieving availability and is provided by most enterprise-class Web server environments. Pools of handler threads inside Web servers and document serving engines are created and left in a hot state ready to handle a request at any moment. A management facility receives a client request and hands it off to a separate thread to manage the request. Thread pools offer an efficient means for handling requests within a single process.

Multiple Web server processes may also be used to operate in a clustered configuration to balance received Web requests among multiple processes. These processes may run on the same or different machines in a network. In addition to load balancing support, such configurations are also useful for purposes of redundant fail-over. That is, when one process or hardware platform fails, another process on another machine may take over. Additionally, clustering may also occur at the level of document server interface engines. Thus, diversely redundant Web servers from different vendors may be used with different document server interface engines (for example, Java Servlet engines) cooperating in a heterogeneous server cluster.

The easiest way to build clustered processes is to provide a stateless load balancing configuration. That is, a request is received, and it is sent to a particular Web server handler without any regard for any maintained session state. More sophisticated clustered processes can persist Web server session state or document server interface engine state such that it can be loaded by another process in the clustered environment. Such environments not only enable the development of more sophisticated Web server applications, but also allow for the support of fail-over to redundant processes in the event of the failure of another process in the cluster.
Conclusions

Web browsers and Web servers are the platforms used to Web-enable an enterprise. Enterprise users utilize GUI-based Web browsers to submit Web requests to Web servers and receive Web document responses that are displayed within the client-side Web browser environment. Issues of security and the means by which Java applets can operate inside of a Web browser are key concerns that can be addressed by the enterprise systems architect via various techniques. Additionally, the selection of a scalable, secure, and highly available Web server is paramount to effective enterprise Web-enabling. This chapter briefly explored the architecture of Web browsers and Web servers with a particular focus on the key issues and options that face the enterprise systems architect and designer in determining how to Web-enable an enterprise.
Chapter 30. Traditional Web Programming and Java

IN THIS CHAPTER
• HTML Programming
• CGI Programming
• Scripting Languages
• Active Server Pages
• Java-Based Web Programming
Traditional Web programming involves the construction of static HTML documents, CGI programming, and scripting language–based code. Such techniques have traditionally provided rapid Web-enabling solutions at the expense of true enterprise-system class support. J2EE's Java Servlet and scripting-based technologies via JSP offer the best of many worlds to enterprise Java developers. This chapter first describes fundamental concepts of HTML that are pertinent to all forms of Web enabling. It then describes traditional models for Web-based programming and provides a context for understanding the differences between these models and the Java-based models for Web programming. Finally, an introduction to the key Java-based Web programming models is presented. In this chapter, you will learn:

• The basics behind HTML document structures and components for Web-based interactions
• The basic approach for implementing CGI programs
• The basic use of JavaScript, VBScript, and other Web-based scripting techniques for client- and server-side Web enabling
• The basic capabilities and constraints behind using Active Server Pages (ASP) as a Web-enabling technique
• The main differences between J2EE-based Web programming techniques and traditional Web programming techniques
HTML Programming

The Hypertext Markup Language (HTML) is a way to describe how information and certain user-interface controls are to be displayed and handled within a Web browser. HTML documents (aka Web pages) can embed formatted text, images, audio, video, and executable content directly in an HTML data stream. Cognizant Web browsers receiving such data can then offer the embedded informational media as an Internet-based user interface. HTML documents that are sent to a Web browser are interpreted to display a GUI and receive input events from the user that are then sent to a Web server.

Standard and industry-wide use of HTML didn't truly start to take shape until HTML 2.0 was created in 1994. HTML 3.0 was introduced in 1995 but proved to be unwieldy. Thus, an updated HTML 3.2 superseded 3.0 in 1997. HTML 3.2 also introduced support for Java applets. HTML 4.0 support for dynamic client-side HTML, embedded objects, and style sheets was introduced in 1998 and was the latest HTML standard at the time of this writing.

In Chapter 13, "Web Communications," we also reviewed the basics behind HTML interaction and gave a brief history of HTML's evolution from a communications point of view. We'll now expand on HTML in this chapter to describe the features of HTML that you as an enterprise developer need to be familiar with in order to Web-enable an enterprise. We do not assume that you will necessarily need to focus on the actual screen layout and display characteristics of HTML. Rather, we assume that the mechanisms involved in HTML interface controls that affect back-end server processing and Web session management will be important to understand. To understand such concepts, a basic understanding of HTML document structure is also required. We will thus focus in this section on HTML topics that are most widely applicable to enterprise Web enabling.

HTML in General

HTML document data can be partitioned into two general styles of HTML data content. HTML structure control and display elements describe how an HTML document is to be presented and manipulated by the browser. HTML forms describe how data is to be extracted from a user and submitted back to the Web server. All such elements are described in an ASCII text–based data stream using case-insensitive HTML tags. HTML tags are enclosed within angle brackets, < and >. Some tags stand by themselves, whereas others come as a leading tag and a trailing tag with data inserted in between. The various tags also may have attributes embedded within the initial tag, usually in the form of name-value pairs (for example, an attribute written as NAME="value"). Colors specified using a hexadecimal identifier or color name and sizes specified in numbers of pixels or percentages of a displayed page are common examples of attributes embedded in various HTML tags. The general structure of an HTML document includes a heading and body. As an alternative to displaying a single HTML page inside of an HTML body, frames may also be used to display and control different windows within the same HTML page. We describe each element of the following sample HTML document structure in the sections that follow:
    <HTML>
    [<HEAD>
      [<META ...>]
      [<TITLE>[HTML Document Title]</TITLE>]
    </HEAD>]
    [<BODY>
      The Body of your HTML Document here…
      Document display elements:
      Use formatted text, tables, inline images, and hyperlinks.
    </BODY>]
    [<FRAMESET>...</FRAMESET>]
    </HTML>
HTML Structure Control and Display Elements

The basic elements and controls used to structure an HTML document for use by the Web browser to display a Web interface are described in more detail here. HTML structure control includes the fundamental HTML document description tags to identify components of an HTML document. The basic HTML structure display elements include formatted text, tables, inline images, and hyperlinks. Each of the following subsections describes one of the basic controls and elements that can be used to display an HTML document.

HTML Tags

The HTML tags inform a browser that the information contained within the <HTML> and </HTML> tags is an HTML document. HTML documents referenced as files have a .html or .htm file extension. For example
Headings

The HEAD tags inform a browser that the information contained within the <HEAD> and </HEAD> tags is header information associated with an HTML document. Such header information is used by your browser as non-displayable control information:
Meta-Data

Meta tags indicated by the <META> tag designate information that describes some feature of your HTML document. Such information is not displayed by your Web browser. Rather, the information is associated with your HTML document and is often inserted to enable search engines to learn more about the nature of your particular HTML page. Meta tags can designate any name-value pair of meta information using <META NAME="name" CONTENT="value">. Here's an example of a valid generic name-value meta tag pair:

Meta tags can also be used to control the behavior of a Web browser by virtue of encoding HTTP header information into an HTML document using <META HTTP-EQUIV="header" CONTENT="value">. As an example to encode the HTTP charset header name to a particular value, we have this:
Titles

The TITLE tags inform a browser that the information contained within the <TITLE> and </TITLE> tags designates a title for the HTML document. Titles are often displayed in the title bar of a browser window when the associated HTML document is loaded. Titles are also often the information that is displayed by search engines and hot-lists, so titles often are descriptive enough to convey the content of a particular HTML document. For example

    <TITLE>BEESHIRTS.COM</TITLE>
Body

The BODY tags inform a browser that information contained within the <BODY> and </BODY> tags designates the portion of an HTML document that is to be displayed in a browser window. You can also set the background, text, and link color default for your document by setting name-value pairs according to the following standard names within the initial <BODY> tag:

• BGCOLOR to set the background color.
• LINK to set the link color.
• VLINK to set the link color after it has been followed.
• ALINK to set the link color when it is clicked.
• TEXT to set the text color.

For example, to set the default background color to white and the text color to black using hexadecimal notation for those colors inside of a BODY tag, we have this:

    <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
Linking

Hyperlinks are inserted into documents such that user clicks on those links can generate new HTTP requests or reference components of an HTML document. The <A HREF="URL"> and </A> tags enclose the part of a document that is highlighted as a hyperlink. When you enclose text or some other data within <A HREF="URL"> and </A>, the associated URL can be invoked via a click on the highlighted text or data between the tags. For example

You can also name a location inside of an HTML document to be referenced relative to that HTML document by enclosing text and data within the <A NAME="name"> and </A> tags. This location can then be hyperlinked relatively within a document by use of the <A HREF="#name"> and </A> tags. For example

    Custom Graphics
    Hand Woven Designs

The BR tag is a line break, as we'll learn in the next section.

• <!-- … --> to insert uninterpreted comments into an HTML document
• <HR> to insert a horizontal line (aka horizontal rule)
Inline Images

Images are also commonly added to HTML documents for display within the HTML page. The IMG tag designates such image insertion. Its SRC="URL" attribute designates from where such an image file can be obtained relative to the current HTML page's URL. An ALIGN name-value attribute pair can be inserted within the IMG tag to indicate whether the image is to be positioned to the TOP, BOTTOM, MIDDLE, LEFT, RIGHT, or CENTER of the screen. For example
Tables

The TABLE tags inform a browser that information contained within the <TABLE> and </TABLE> tags is to be displayed as a table of information in an HTML document. The <TR> and </TR> tags block off a row in the table. The <TD> and </TD> tags block off a table cell in each row. The <TH> and </TH> tags contain table header cells. For example

    <TABLE>
    <TR><TH></TH><TH>Small</TH><TH>Medium</TH></TR>
    <TR><TD>Tennis Pro Shirt</TD><TD>Yes</TD><TD>Yes</TD></TR>
    <TR><TD>Millennium Shirt</TD><TD>Yes</TD><TD>Yes</TD></TR>
    </TABLE>
Frames

An HTML frame enables one to partition how HTML information is displayed within the same browser window. A collection of frames can be indicated between <FRAMESET> and </FRAMESET> tags. Each frame within the FRAMESET tags can then be indicated via a <FRAME> tag. Other FRAMESET tags can also be nested within outer FRAMESET tags. Various name-value pairs defined within frames and frame sets are as shown here: