2. Server-side programming
• In many cases, client-side applications will be
insufficient
– Heavy processing
– Communication with other clients
– Data available on server-side only
• It may be useful to send the request to the
server, and to process it there.
• A number of technologies available:
CGI, Servlets, JSP, ASP, PHP and others
• We will look at CGI, Servlets and JSP.
4. Dynamic Pages
[Diagram: Request service → Do computation → Generate HTML page with results of computation → Return dynamically generated HTML file]
5. Common Gateway Interface (CGI)
• CGI stands for Common Gateway Interface
• CGI is a standard programming interface to Web
servers that allows building dynamic and
interactive Web sites
• CGI is not a programming language.
– It is just a set of standards (protocols)
– The standards specify how Web-applications can be
executed on the server-side
6. Common Gateway Interface (CGI)
• CGI can be implemented
– in an interpreted language such as PERL
– in a compiled language such as C
• Any program can be converted to a CGI program
– It just has to follow the CGI rules
• The rules define
– How programs get and send data (i.e., communication
protocol)
– How to make sure the Web server knows that a program is a
CGI program.
7. CGI
• A CGI program is
– Stored on the server,
– Executed on the server,
– Executed in response to request from client.
• By running a CGI program, rather than delivering a
static HTML page, the server can:
– Put dynamic and updated information on web page
(e.g., weather forecast, stocks price, product
availability, etc…).
– Respond appropriately to user input.
– Store user data on server-side in a file or DB.
8. Dynamic Pages
[Diagram: Request service → Run CGI program (… print $result) → Return dynamically generated HTML file (<HEADER>, <BODY> … </BODY>)]
9. Calling CGI Program
• A CGI program can be called in the same way as
static HTML pages.
– For example, a link that, when clicked, will run a CGI
program on the server-side
<a href="http://www.mysite/cgi-bin/myprog">
Run my CGI program </a>
• It can be invoked by a form
<form action="cgi-prog.cgi" method="POST">
. . .
</form>
• CGI programs are usually executed as processes
10. How does it know it's CGI?
• How does the Web server know whether the
request deals with static HTML page, or with
invoking a CGI program?
– The Web server is configured in a way that provides
clear distinction between HTML and CGI files.
– Unix servers usually put the CGI programs in a cgi-bin
directory.
• Access permissions are restricted, such that
writing to this directory is allowed to super-users,
while executing is allowed to everybody.
11. CGI invocation
• HTTP GET request:
GET /webp/cgi-bin/printenv.pl HTTP/1.0
• Looks like standard HTTP request, but actually will
not return printenv.pl file, but rather the output
of running it.
• Different behaviors:
– regular directory => returns the file
– cgi-bin => returns output of the program
• The behavior is determined by the server
– E.g., if the path is cgi-bin, pass to CGI handler
12. CGI Input Data
• Input parameters can be passed to a CGI program
• For example, HTML forms wrap and encode the
form fields as a string looking like:
var1=val1&var2=val2&var3=val3&…
• This string is concatenated to the CGI URL, after the
? character
• Example: GET /webp/cgi-bin/printenv.pl?var1=val1&var2=val2&var3=val3
• The parameters can be extracted by the CGI through
environment variables
13. GET vs. POST
• Above examples used the GET method to handle the
data from the form.
• The form data was concatenated to the CGI URL
• In the POST method the data is sent to the CGI
separately, in the request body.
• The GET method is not secure: the data is visible in the URL.
• GET is suitable for small amounts of data (limited to
1K), but not for larger amounts.
• What about refreshing in GET and POST?
14. Security issues with CGI
• Publicly accessible CGI program allows anyone to
run a program on the server.
• Malicious users may be able to exploit security
breaches and harm the server.
• Because of this, many Web hosts do not let ordinary
users create CGI programs.
– Where the use of CGI is permitted, special wrapper
programs may be required to enhance security checks
and to limit the CGI program permissions.
15. CGI Summary
• CGI is a standard for interfacing Web client
to the programs running on server-side.
• Specifies location of files (so server knows
to execute them!) and how input data is
handled.
• The output is displayed according to it.
• Simple examples using shell script, but need
more serious language for complex ones.
• Security breaches of CGI should be handled
16. Servlets vs. CGI
• Servlet – Java-based CGI
– Executed by a servlet container
• Golden goals:
"performance, flexibility, portability, simplicity and
security"
• Faster and thinner
– No fork-process execution like Perl
– No need to initialize for each request
– Only lightweight thread context switching
– Built-in multithreading
17. Servlets vs. CGI
• Multi-threaded execution allows servlets to:
– share data across successive requests
– share data between concurrent requests
– use hidden fields, cookies, or sessions
• Java supports “write once, run anywhere” paradigm
– Easier than unportable Perl
• Java provides enhanced security
• Supports all HTTP request methods
– GET, POST, PUT, DELETE, and others
18. Servlet Architecture: 3-Tier system
• Tier 1: Client
– HTML browser
– Java client
• Tier 2: Servlets
– embody business logic
– secure, robust
• Tier 3: Data Sources
– Java can talk to SQL, JDBC, OODB, files, etc…
19. Web Application model
[Diagram: Client Tier (application, browser) → Middle Tier (Web Container: Servlets, JSP, …) → Enterprise Information System (EIS) Tier (SQL database, file system)]
20. Servlet Name
• A servlet is invoked using its name
– Servlet should be located in appropriate directory
• A servlet’s name is its class name
• Name is usually a single word
– Possibly with a package name and dots
• Standard names: DateServlet (echoes current
date/time), EchoServlet (bounces back CGI
parameters), and many others
• Refer to the server documentation
21. Servlet Invocation
• Can be invoked directly using the <servlet> tag
– pass servlet parameters in param tags
– codebase of the servlet can be specified
<servlet code=DateServlet.class
codebase=http://servlets.foo.com/>
<param name=serviceParam1 value=val3>
<param name=serviceParam2 value=val4>
</servlet>
• Typically invoked by form’s action attribute
22. The Servlet API
• Defined in javax.servlet package
• Independent of
– Web protocol
– server brand or platform
– whether it is local or remote servlet
• Provides core servlet functionality
– just extend it
• CGI-like functionality
– generic interface
– accepts query, returns response
23. The Servlet API
• javax.servlet
– Basic servlet API definitions.
– What are the inputs and outputs to/from Servlet
– Not tied to any specific protocol (e.g., HTTP)
– These low-level classes/interfaces usually are not used
• javax.servlet.http
– HTTP-related definitions
– Extension of the basic interfaces to handle the HTTP
protocol functionality
– This package will be heavily used
24. Servlet Architecture Overview
• Servlet Interface
– methods to manage servlet
• GenericServlet
– implements Servlet
• HttpServlet
– extends GenericServlet
– exposes HTTP-specific functionality
[Diagram: Servlet (Interface) ← implements ← GenericServlet (Class) ← extends ← HttpServlet (Class: doGet(), doPost(), service(), ...) ← extends ← UserServlet (Class; override one or more of: doGet(), doPost(), service(), ...)]
25. Servlet Architecture Overview
• ServletRequest
– Request sent by the client to the server
• ServletResponse
– Response sent by the server to the client
– Is being sent only after processing the request
• HttpServletRequest, HttpServletResponse
– HTTP-specific request and response
– In addition to the regular request and response, track
client information and manage the session
26. The HelloWorld Servlet
import javax.servlet.*;
import java.io.*;
public class HelloServlet extends GenericServlet
{
public void service(ServletRequest req,
ServletResponse res) throws IOException,
ServletException{
res.setContentType("text/plain");
ServletOutputStream out = res.getOutputStream();
out.println("Hello, World!");
}
}
27. Servlet Lifecycle Overview
• Server loads and instantiates servlet
• Server calls init() method
• Loop
– Server receives request from client
– Server calls service() method
– service() calls doGet() or doPost() methods
• Server calls destroy() method
• More detail to come later...
28. Servlet interface
• Central abstraction in the Servlet API
• All servlets implement this interface
– Either directly, or
– By extending another class that implements it
• Defines abstract methods for managing the servlet
and its communications with clients
• Servlet writers provide these methods
– While developing servlets
– Implementing the interface
29. Servlet classes
• GenericServlet class
– implements Servlet
– also implements Serializable, ServletConfig
– implements all Servlet methods
• HttpServlet class
– extends the GenericServlet class
– provides a framework for handling the HTTP protocol
– has its own subclasses of ServletRequest and
ServletResponse that do HTTP things
30. HttpServlet methods
• HTTPServlet class provides helper methods for
handling HTTP requests
– doGet (GET and HEAD)
– doPost (POST)
– doPut, doDelete (rare)
– doTrace, doOptions (not overridden)
• The service() method dispatches the requests to the
appropriate do* methods
31. Generic Servlet vs. HTTP Servlet
GenericServlet
Client
request
Server service ( )
response
HTTPServlet
Browser
request doGet ( )
HTTP service ( )
Server
response doPost ( )
32. ServletRequest class
• Encapsulates the client-to-server communication
• Allows the Servlet access to
– Names of the parameters passed in by the client
– The protocol being used by the client
– The names of the remote host that made the request and
the server that received it
– The input stream, ServletInputStream, through which
the servlet gets data from clients
• Subclasses of ServletRequest allow the servlet to
retrieve more protocol-specific data
– HttpServletRequest for accessing HTTP-specific header
information
33. ServletRequest - Client Info
• getRemoteAddr()
– Returns the IP address of the client that sent the request
• getRemoteHost()
– Returns the fully qualified host name of the client that
sent the request
• getProtocol()
– Returns the protocol and version of the request as a string
<protocol>/<major version>.<minor version>.
34. ServletRequest - URL Info
• getScheme()
– Returns the scheme of the URL used in this request, for
example "http", "https", or "ftp".
• getServerName()
– Returns the host name of the server receiving the request
• getServerPort()
– Returns the port number on which this request was received
• getServletPath()
– Returns the URL path that got to this script, e.g.
“/servlet/com.foo.MyServlet”
– Useful for putting in a <FORM> tag
35. ServletRequest - Contents
• getContentLength()
– Returns the size of the request data
• getContentType()
– Returns the MIME type of the request data
• getInputStream()
– Returns an input stream for reading binary data in the
request body.
• getReader()
– Returns a buffered reader for reading the request body.
36. ServletRequest - Parameters
• String getParameter(String)
– Returns a string containing one value of the specified
parameter, or null if the parameter does not exist.
• String[] getParameterValues(String)
– Returns the values of the specified parameter as an array
of strings, or null if the named parameter does not exist.
– Useful for parameters with multiple values, like lists
• Enumeration getParameterNames()
– Returns the parameter names as an enumeration of
strings, or an empty enumeration if there are no
parameters or the input stream is empty.
37. ServletResponse class
• Encapsulates the server-to-client communication
– Gives the servlet methods for replying to the client
– Allows the servlet to set the content length and MIME
type of the reply
– Provides an output stream, ServletOutputStream through
which the servlet can send the reply data
• Subclasses of ServletResponse give the servlet
more protocol-specific capabilities.
– HttpServletResponse for manipulating HTTP-specific
header information
38. ServletResponse
• Embodies the response
• Basic use:
response.setContentType("text/html");
PrintWriter out = response.getWriter();
out.println(
"<HTML><BODY>Hello</BODY></HTML>");
• setContentType() is usually called before calling
getWriter() or getOutputStream()
39. ServletResponse - Output
• getWriter()
– for writing text data
• getOutputStream()
– for writing binary data
– or for writing multipart MIME
• And many other methods, similarly to the methods
of ServletRequest
• Refer to the documentation
40. Servlet Example
// Servlets are not part of the standard SDK, they are part of the J2EE
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlets normally extend HttpServlet
public class ServWelcome extends HttpServlet
{
    // request: details of the HTTP request from the client
    // response: the response to be sent to the client
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException
    {
        // Set the response type to text/html (this is normal)
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();

        // This HTML text is sent to the client
        out.println("<HTML>");
        out.println("<HEAD><TITLE>First Servlet Program</TITLE></HEAD>");
        out.println("<BODY>");
        out.println("<H1>Welcome to Servlets</H1>");
        out.println("</BODY>");
        out.println("</HTML>");

        // Do not forget to close the connection with the client
        out.close();
    }
}
41. Date Servlet Example
import java.io.*;
import java.util.Date;
import javax.servlet.*;
import javax.servlet.http.*;

public class DateServlet extends HttpServlet {
    // Writes the current date and time as plain text
    public void service(HttpServletRequest req,
            HttpServletResponse res) throws ServletException,
            IOException {
        Date today = new Date();
        res.setContentType("text/plain");
        ServletOutputStream out = res.getOutputStream();
        out.println(today.toString());
    }
    public String getServletInfo() {
        return "Returns a string representation of the current time";
    }
}
42. Hello Servlet
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class HelloHttpServlet extends HttpServlet
{
    public void doGet(HttpServletRequest req,
            HttpServletResponse res) throws IOException,
            ServletException {
        // Read the "name" request parameter; fall back to a default
        String name = req.getParameter("name");
        if (name == null) name = "guest";
        res.setContentType("text/plain");
        ServletOutputStream out =
            res.getOutputStream();
        out.println("Hello, " + name + "!");
    }
}
43. Hello Servlet
• Reads in a single input parameter
• Can be used from a form
<FORM METHOD=GET
ACTION="/servlet/HelloHttpServlet">
<INPUT NAME=name>
</FORM>
• Can use right in a URL
http://localhost/servlet/HelloHttpServlet?name=Fred
• Generates HTML output
44. Servlet Lifecycle: init()
• public void init(ServletConfig cfg)
• Is called only once
– when servlet loads
– upon client's request
• Do not worry about synchronization
• Perform costly setup here, rather than for each request
– open database connection
– load in persistent data
– spawn background threads
45. init() details
• init() should be completed before starting to handle
requests
• If init() fails, UnavailableException is thrown
• The invocation process allows looking up the
initialization parameters from a configuration file
– getInitParameter(paramName) method is used to read the
parameters
– init() parameters are set by the administrator
– servlet parameters are set by the invocation
46. Servlet Lifecycle: service()
• After the server loads and initializes the
servlet, the servlet is able to handle client requests
• public void service(ServletRequest
req, ServletResponse res)
– takes Request and Response objects
– called many times, once per request
• Each request calls the service() method
– service() receives the client's request, invokes appropriate
handling method (doPost(), doGet() etc…) and sends the
response to the client
47. service() and concurrency
• Servlets can run multiple instances of service()
method concurrently
– service() must be written in a thread-safe manner
– it is developer’s responsibility to handle synchronized
access to shared resources
• It is possible to declare a servlet as single-threaded
– implement SingleThreadModel (empty) interface
– guarantees that no two threads will execute the service()
method concurrently
– performance will suffer as multiple simultaneous requests cannot
be processed
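The thread-safety requirement above, shown as an unsafe servlet beside a corrected one. This is an added example, not code from the original slides; the class names UnsafeGreetingServlet and GreetingServlet are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.concurrent.atomic.AtomicLong;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// NOT thread-safe: the container creates one instance of the servlet and
// calls doGet() on it from many request threads at the same time.
class UnsafeGreetingServlet extends HttpServlet {
    private String name;  // per-request data kept in a field shared by all threads
    private long hits;    // hits++ is a read-modify-write; updates can be lost

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        name = req.getParameter("name");  // thread A stores its client's value
        hits++;                           // thread B may overwrite 'name' meanwhile
        res.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = res.getWriter();
        // Thread A can now send thread B's value to A's client.
        out.println("Hello, " + name + " (request " + hits + ")");
    }
}

// Thread-safe: per-request data lives in local variables (one copy per
// thread) and the shared counter is updated atomically.
public class GreetingServlet extends HttpServlet {
    private final AtomicLong hits = new AtomicLong();

    @Override
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        String name = req.getParameter("name");  // local variable, not shared
        if (name == null) {
            name = "guest";
        }
        long n = hits.incrementAndGet();         // atomic increment, no lost updates
        res.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = res.getWriter();
        out.println("Hello, " + name + " (request " + n + ")");
    }
}
```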
48. Servlet Lifecycle: destroy()
• Servlets run until they are removed
• When a servlet is removed, it runs the destroy()
method
• The destroy() method is run only once
– the servlet will not run again unless it is reinitialized
• public void destroy()
– takes no parameters
– afterwards, servlet may be garbage collected
49. Servlet Lifecycle: destroy() details
• Releasing the resources is the developer’s
responsibility
– close database connections
– stop threads
• Other threads might be running service requests, so
be sure to synchronize, and/or wait for them to quit
• destroy() cannot throw an exception
– use server-side logging with meaningful message to
identify the problem
50. Technical details
• getServletInfo() method overrides the method
inherited from Servlet class
– Returns a string containing information about the
servlet: author, version, etc…
• Servlet can be dynamically reloaded by the server
at the run-time
– HttpServlet.getLastModified returns the time the servlet
was last modified
– Improves performance on browser/proxy caching
• Debugging servlets through printing to HTML
51. Scalability of servlets
• The servlet is only recompiled if it was changed;
otherwise the already compiled class is loaded
– Faster response times because the servlet does not need
to be recompiled
• The servlet can be kept in memory for a long time
to service many sequential requests
– Faster response times because the servlet does not need
to be reloaded
• Only one copy of the servlet is held in memory
even if there are multiple concurrent requests
– Less memory usage for concurrent requests and no
need to load another copy of the servlet and create a
new process to run it.
52. Java Server Pages – JSP
• Java Servlets can be awkward to use.
– Servlets often consist mostly of statements to write out
HTML (with just a few dynamic calculations, database
access etc…).
– It may be difficult to write servlets to produce attractive
well “styled” pages.
• JSP allows mixing standard static HTML pages
with dynamically generated HTML.
• Hybrid of HTML and servlets
53. Java Server Pages – JSP
• JSP technically can not do anything that servlets
can not do
• The following example illustrates how JSP
code is embedded in the HTML
<html>
<head> … </head>
<body>
<h1> Todays date is:</h1>
<%= new java.util.Date() %>
</body>
</html>
54. Java Server Pages – JSP
• JSPs are executed as part of a Web server by a special
JSP container
• Basically, on first access to JSP code
– it is automatically converted into servlet code
– stored as servlets on the server
– will be invoked on future requests
• Notice the “first invocation delay”
• JSP errors
– Translation-time errors - occur when JSP is translated
into servlets
– Request-time errors - occur during request processing
55. JSP example
<body>
<% // begin JSP
String name = request.getParameter("firstName");
if ( name != null ) {
%> <%-- end of JSP --%>
<h1> Hello <%= name %>, <br />
Welcome to JavaServer Pages! </h1>
<% // continue JSP
}
else {
%> <%-- end of JSP --%>
<form action = "welcome.jsp" method = "get">
<p>Type your name and press Submit</p>
<p><input type = "text" name = "firstName" />
<input type = "submit" value = "Submit" />
</p>
</form>
<% // continue JSP
} // end else
%> <%-- end scriptlet --%>
</body>
56. JSP vs. Servlets
• JSP
– Look like standard HTML
• Normally include HTML markup tags
• HTML codes can be written easily
– Used when content is mostly fixed-template data
• Small amounts of content generated dynamically
• Servlets
– HTML codes have to be written to the PrintWriter or
OutputStream
– Used when small amount of content is fixed-template data
• Most content generated dynamically
57. Tomcat
• Tomcat is the Servlet Engine that handles servlet
requests for the Apache application server
– It is best to think of Tomcat as a “servlet container”
– Tomcat can handle Web pages, Servlets, and JSPs
• Apache can handle many types of Web services
– Apache can be installed without Tomcat
– Tomcat can be installed without Apache
• It is easier to install Tomcat standalone than as part
of Apache
• Apache and Tomcat are open source (free)
• One of the coming classes will focus on Tomcat
58. Which Should I Use? Client- or
Server-Side?
• If you want to have dynamic client forms with
client-side validation, you must use client-side
programming.
• If you want your site to have highly interactive
pages, you should use client-side programming.
• If you need to provide your client with advanced
functionality that can be created only using
ActiveX controls (or Flash, or …), you must use
client-side programming.
59. Which Should I Use? Client- or
Server-Side?
• If you want to control the user's browser (i.e., to
turn off the menus or place the browser in kiosk
mode), you must use client-side programming.
• If your Web site must work with every browser on
the market, and you do not want to create several
different versions for different browsers, you
should avoid client-side programming.
• If you want to protect your source code, you must
use only server-side programming. Client-side
source code is transferred to the browser.
60. Which Should I Use? Client- or
Server-Side?
• If you need to track user information across
several Web pages to create a "Web
application", you must use server-side
programming.
• If you need to interact with server-side
databases, you must use server-side programming.
• If you need to use server variables or check the
capabilities of the user's browser, you must use
server-side programming.