Cooperation between applets and servletsCooperation between applets and servlets

AppletsApplets Applets runs on the clientsside, the servlet on

the server side Suitable for presentations and logic that belongs

on the client, for example:Advanced graphics or animationSpecial GUI controls (eg. WYSIWYG editor)

Problem: how does applets and servlets communicate

ConstraintsConstraints

Applets runs in a sandbox,therefore limitations. Can only contact the network resource from

which the applet originated. The applet can therefore only retreive

information from its ”home”.

Technique 1: control the applet from the server

Technique 1: control the applet from the server

Technique : configurable appletTechnique : configurable applet

<html> <head> <title>Drawing applet examplel</title> </head>

<body> <applet width="300"

height="200" code=”drawing.class"> <param name=”drawing" value="0-255-255-255-0-0; 5-0-0-300-200-0; 0-255-0-0-0-0;

1-18-18-188-288-0; 1-20-10-400-10-0; 5-45-29-22-23-3;frode; 4-200-30-0-0-my name is frode"> </applet> </body></html>

The AppletThe Appletimport java.util.*;import java.awt.*;import java.applet.*;

public class drawing extends Applet { String drawing; public void init() { // retreive drawing parameters from the server drawing = getParameter(”drawing"); } public void paint(Graphics g) { parseTegning(g); }

public void parseDrawing(Graphics g) { // retreive all commands StringTokenizer commands = new StringTokenizer(drawing,";"); while (commands.hasMoreElements()) { try { int op, arg1, arg2, arg3 = 0, arg4 = 0; String arg5 = ""; String fullcommand = commands.nextToken(); // tokenize the command StringTokenizer parts = new StringTokenizer(fullcommand,"-"); op = Integer.parseInt(parts.nextToken()); arg1 = Integer.parseInt(parts.nextToken()); arg2 = Integer.parseInt(parts.nextToken()); arg3 = Integer.parseInt(parts.nextToken()); arg4 = Integer.parseInt(parts.nextToken()); arg5 = parts.nextToken(); draw(g,op,arg1,arg2,arg3,arg4,arg5); } catch (Exception e) { // Syntax errors that occur in command input are ignored in this example } } }

public void draw(Graphics g,int op,int a1, int a2,int a3,int a4,String a5) { switch (op) { case 0: g.setColor(new Color(a1,a2,a3)); break; case 1: g.drawLine(a1,a2,a3,a4); break; case 2: g.drawOval(a1,a2,a3,a4); break; case 3: g.drawRect(a1,a2,a3,a4); break; case 4: g.drawString(a5,a1,a2); break; case 5: g.fillRect(a1,a2,a3,a4); break; case 6: g.fillOval(a1,a2,a3,a4); break; } }

Technique 2: the applet contact the serverTechnique 2: the applet contact the server

Functionality: user clicksAnd the text follows

<html> <head> <title>Drawing applet example</title> </head>

<body> <applet width="300"

height="200" code="dynamicdrawing.class"> <param name=”source" value="/drawing.jsp"> </applet> </body></html>

drawing.jspdrawing.jsp

<% response.setHeader(”drawing", "1-10-10-100-100-0;1-100-10-20-200-0;4-"

+request.getParameter("x")+"-"+request.getParameter("y") +"-0-0-Hi here I am");%>

public void init() { kilde = getParameter(”source"); contactServer(-1,-1); addMouseListener(this); }

public void contactServer(int x,int y) { try { URL server = new URL(getCodeBase().getProtocol(), getCodeBase().getHost(), getCodeBase().getPort(), source+"?x="+x+"&y="+y); URLConnection connection = tjener.openConnection(); connection.setUseCaches(false); drawing = connection.getHeaderField(”drawing"); } catch (Exception e) { } Runtime.getRuntime().gc(); } public void mouseClicked(MouseEvent h) { contactServer(h.getX(),h.getY()); repaint(); }}

Filtering og filtersFiltering og filters

client

ServletJSP-page

filter

filter

filter

filter

request

response

Application areasApplication areas

Catch requests and inspect contect and http-headers

Catch and modify requests before they reach the actual resource (servlet or jsp-page)

Catch responses from resource and inspect content and http-headers

Catch and modify responses from resources

ExamplesExamples

Compression filters Encryption filters Image conversion filters Log and account filters Security and autentication filters XSLT transformation filters

Example 1:Catch and block requests

Example 1:Catch and block requests

package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;public class IEfilter implements Filter { private FilterConfig filterConfig;

public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; } public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest)request; HttpServletResponse res = (HttpServletResponse)response; String browser = req.getHeader( "User-Agent" ); System.out.println(”Before if check "+browser); if ( nettleser.indexOf("IE") == -1 ) { request.setAttribute("filtercheck", ”Approved by frode's filter"); chain.doFilter(request, response); } svar.sendError(res.SC_FORBIDDEN); } public void init(FilterConfig c) { this.filterConfig = c; } public void destroy() { this.filterConfig = null; } }

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app> <filter> <filter-name>MSblocker</filter-name> <filter-class>filter.IEfilter</filter-class> </filter>

<filter-mapping> <filter-name>MSblocker</filter-name> <url-pattern>*.jsp</url-pattern> </filter-mapping></web-app>

Example 2:Filter chaining – avoid html injection

Modifying request

Example 2:Filter chaining – avoid html injection

Modifying request

<h1> &lt;hi&gt;

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app><filter>

<filter-name>ltFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>

<param-name>find</param-name> <param-value><![CDATA[<]]></param-value>

</init-param><init-param>

<param-name>replace</param-name> <param-value>&amp;lt;</param-value>

</init-param></filter>

<filter> <filter-name>gtFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>

<param-name>find</param-name> <param-value><![CDATA[>]]></param-value>

</init-param><init-param>

<param-name>replace</param-name> <param-value><![CDATA[&gt;]]></param-value>

</init-param></filter>

<filter> <filter-name>ampFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>

<param-name>find</param-name> <param-value><![CDATA[&]]></param-value>

</init-param><init-param>

<param-name>replace</param-name> <param-value><![CDATA[&amp;]]></param-value>

</init-param></filter>

<filter> <filter-name>quotFilter</filter-name> <filter-class>filter.SensureFilterConfig</filter-class> <init-param>

<param-name>find</param-name> <param-value><![CDATA["]]></param-value>

</init-param><init-param>

<param-name>replace</param-name> <param-value><![CDATA[&quot;]]></param-value>

</init-param></filter>

<filter-mapping> <filter-name>ampFilter</filter-name> <url-pattern>*.jsp</url-pattern>

</filter-mapping>

<filter-mapping> <filter-name>ltFilter</filter-name> <url-pattern>*.jsp</url-pattern>

</filter-mapping>

<filter-mapping> <filter-name>gtFilter</filter-name> <url-pattern>*.jsp</url-pattern>

</filter-mapping>

<filter-mapping> <filter-name>quotFilter</filter-name> <url-pattern>*.jsp</url-pattern>

</filter-mapping></web-app>

The FilterThe Filter

package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;import filter.SensureWrapperConfig;

public class SensureFilterConfig implements Filter { private FilterConfig filterConfig; private String find, replace;

public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }

public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { SensureWrapperConfig req = new SensureWrapperConfig((HttpServletRequest)request, find, replace); chain.doFilter(req,response); } public void init(FilterConfig c) { this.filterConfig = c; find = filterConfig.getInitParameter("find"); replace = filterConfig.getInitParameter(”replace"); } public void destroy() { this.filterConfig = null; } }

We need a wrapperWe need a wrapper

Because a request cannot be modified once it is created – (read only)

package filter;import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import java.util.*;

// This class is reading and mofifying the parameter list

public class SensureWrapperConfig extends HttpServletRequestWrapper { private String find, replace; public SensureWrapperConfig(HttpServletRequest req) { super(spørsmål); } public SensureWrapperConfig(HttpServletRequest req, String find, String replace) { super(req); this.find = find; this.replace = replace; } public String getParameter(String param) { String value = super.getParameter(param); value = value.replaceAll(find,replace); return value; } }

Example 3:Modify the response

Example 3:Modify the response

<body><head> <link rel="stylesheet" href="style.css" type="text/css"/> </head> <body>

<web-app><filter>

<filter-name>postFilter</filter-name> <filter-class>filter.BodyFilter</filter-class> <init-param>

<param-name>find</param-name> <param-value><![CDATA[<body>]]></param-value>

</init-param><init-param>

<param-name>replace</param-name> <param-value><![CDATA[ <head> <link rel="stylesheet" href="style.css" type="text/css"/> </head>

<body>]]></param-value>

</init-param></filter>

<filter-mapping> <filter-name>postFilter</filter-name> <url-pattern>*.jsp</url-pattern>

</filter-mapping></web-app>

The FilterThe Filter

import filter.BodyWrapper;

public class BodyFilter implements Filter { private FilterConfig filterConfig; private String find, replace;

public void setFilterConfig(final FilterConfig filterConfig) { this.filterConfig = filterConfig; }

public void doFilter(final ServletRequest request, final ServletResponse response, FilterChain chain) throws IOException, ServletException { OutputStream out = response.getOutputStream(); KroppsWrapper res = new KroppsWrapper((HttpServletResponse)response); chain.doFilter(request, res); String body = new String(svar.getData()); body = body.replaceAll(find,replace); out.write(body.getBytes()); out.close(); } public void init(FilterConfig c) { this.filterConfig = c; find = filterConfig.getInitParameter("find"); replace = filterConfig.getInitParameter(”replace"); } public void destroy() { this.filterConfig = null; } }

The WrapperThe Wrapper

package filter;import javax.servlet.*;import java.io.*;

public class BodyStream extends ServletOutputStream { private DataOutputStream stream; public BodyStream(OutputStream output) { stream = new DataOutputStream(output); }

public void write(int b) throws IOException { stream.write(b); }

public void write(byte[] b) throws IOException { stream.write(b); }

public void write(byte[] b, int off, int len) throws IOException { stream.write(b, off, len); } }

package filter;

import javax.servlet.*;import javax.servlet.http.*;import java.io.*;import filter.BodyStream;

public class BodyWrapper extends HttpServletResponseWrapper { private ByteArrayOutputStream output; private int contentLength; private String contentType;

private FilterConfig filterConfig; private String find, replace; public KroppsWrapper(HttpServletResponse res) { super(res); output = new ByteArrayOutputStream(); }

public byte[] getData() { return output.toByteArray(); }

public ServletOutputStream getOutputStream() { return new KroppsStream(output); }

Part 1

public void setContentLength(int length) { this.contentLength = length; super.setContentLength(length); }

public int getContentLength() { return contentLength; }

public void setContentType(String type) { this.contentType = type; super.setContentType(type); }

public String getContentType() { return contentType; }

public PrintWriter getWriter() { return new PrintWriter(getOutputStream(), true); } }

Part 2

Have a nice weekend

Have a nice weekend