
Lecture topics
- J2EE architecture
- Description of the project

Let's start with buzzwords.
J2EE provides:
- A component-based approach to design, development, assembly, and deployment
  - Many components are reusable
- A multi-tiered distributed application model
  - Different parts of the application naturally reside on different machines
- A unified security model
- Flexible transaction control
- Web services support through integrated data interchange on XML-based open standards and protocols
  - Communication among components is standardized

CS 916, Application Security © Gleb Naumovich

Typical tiers, components, and mapping to hardware

(Figure: the four tiers, their components, and the machines they map to)
- Client tier (client machine): HTML pages, application client
- Web tier (server machine): JSP pages, servlets
- Business tier (server machine): EJBs, persistent objects
- Enterprise Information Systems tier (DB server machine): persistent store, DB

Client tier
- J2EE applications support clients of different kinds:
  - Web clients
    - A Web browser that is capable of displaying pages in Web mark-up languages (HTML, XML, etc.)
    - Do not perform complex computations -> often called thin clients
  - Applets
    - Small client applications that execute in the JVM run by the Web browser
    - May perform moderately complex computations
  - Application clients
    - Applications that directly communicate with objects in the business tier


Web tier
- Servlets
  - Java classes that dynamically process requests and construct responses
  - Use the HTTP protocol
  - The Java version of CGI scripts
- JSPs (Java Server Pages)
  - Text-based documents that combine mark-up structure and Java code
  - Essentially, are used by J2EE to generate servlets
- Code components (classes, often JavaBeans)
  - Used by JSPs and servlets

Business tier
- Called this way because it contains the logic of the application
- Enterprise Java Beans (EJBs):
  - Concentrate on processing of data from client programs and the storage system
- Three kinds of EJBs:
  - Session beans
    - Support transient "conversations" with clients
    - Removed when the client finishes the communication
  - Entity beans
    - Represent persistent data (stored in the DB)
  - Message-driven beans
    - Similar to stateless session beans, but invoked asynchronously when a Java Message Service (JMS) message arrives, rather than by a direct client call
J2EE containers
- Writing a multi-tiered distributed application from scratch is a daunting task
  - Lots of features have to be supported at the low level
    - Multi-threading
    - Persistence
    - Transactions
    - Resource pooling
- Containers in the J2EE architecture provide this low-level support for user-defined components
  - A container defines an interface between a component and the low-level platform-specific functionality that supports the component
    - This is why components have to implement specific interfaces
- Container services are configurable
  - The same application can behave differently depending on where it is deployed

Examples of container services
- The security model allows configuration of a Web application so that only selected kinds of users can access a specific functionality
- The transaction model lets you treat a number of method calls as a single transaction
  - Effects of the method calls can be rolled back together
- Naming and directory lookup services
- Remote connectivity
  - Call methods on remote objects as if they were in the same virtual machine


Types of containers
- EJB container
  - Manages execution of EJBs
- Web container
  - Manages execution of servlets and JSPs
- Application client container
  - Manages execution of application client components
- Applet container
  - Manages execution of applets
  - Consists of a browser and a plug-in

Packaging
- A J2EE application is delivered in an Enterprise Archive (EAR) file
  - A JAR file with extension .ear
  - Contains J2EE modules
- A J2EE module consists of
  - One or more J2EE components for the same container type
  - A deployment descriptor
    - An XML document describing deployment settings
    - E.g., for an EJB, can specify access authorizations
- Four types of J2EE modules:
  - EJB modules (.jar extension)
  - Web modules (.war extension) - JSPs, servlets, HTML, GIF
  - Resource adapter modules (.rar extension) - classes, libraries, documentation, etc.
  - Application client modules (.jar extension)

J2EE development roles
- J2EE product provider
  - The companies that make/sell the J2EE platform
    - Operating system, database system, application server, etc.
- Tool provider
  - Creates development and packaging tools used by the developers, assemblers, and deployers
- Application component provider
  - Creates and packages Web components, EJBs, applets, and application clients
- Application assembler
  - Assembles the component JAR files into an EAR file
    - May edit deployment descriptors for individual components
- Application deployer and administrator
  - Configures and deploys the application
  - Administers the infrastructure on which the application runs
  - Is responsible for system-wide security settings

J2EE APIs
- EJBs
- Java Database Connectivity (JDBC)
  - Database connectivity (lets you invoke SQL commands)
- Servlets
- JSP
- Java Message Service (JMS)
  - For sending asynchronous messages among components
- Java Naming and Directory Interface (JNDI)
  - Directory operations, e.g. search for objects on the network using their attributes
- Java Transaction API (JTA)
  - Enables transactions (commit, rollback functionality)
J2EE APIs, cont.
- JavaMail
  - For sending email notifications
- Java API for XML Processing (JAXP)
  - XML parsing and manipulation
  - Supports DOM, SAX, XSLT
- Java API for XML Registries (JAXR)
  - Support for two Web registry standards
- Java API for XML-Based RPC (JAX-RPC)
  - Implements XML-based remote procedure calls
- SOAP with Attachments API for Java (SAAJ)
  - Low-level API used by JAX-RPC

J2EE APIs, cont.
- J2EE Connector Architecture
  - Supports creation of resource adapters
  - Used to interoperate with EISs
- Java Authentication and Authorization Service (JAAS)
  - Allows configuration managers to create groups of users and assign subsets of the application functionality to them

XML
- eXtensible Markup Language
- A standard for structured text documents
  - Tags are used to classify data
  - Attributes provide additional information inside tags
- All configuration files (deployment descriptors) in J2EE use XML

    <message to="evil.overlord@pit.hell" from="evil.minion@raise.hell"
             subject="Mission accomplished">
    <text>
    SCO victorious.
    </text>
    </message>

Web modules
- Web resources are J2EE Web components and static content files (e.g. images)
- A Web module is the smallest deployable and usable unit of:
  - Web resources
  - Server-side utility classes (often JavaBeans; EJBs are packaged in EJB modules)
  - Client-side classes
- Web modules have a well-defined structure
- Web modules can be deployed as an unpacked file structure or packaged in a WAR file


Typical Web module structure

(Figure: directory layout of a Web module)
    assembly root
      JSPs, HTMLs, applet classes, etc.
      WEB-INF/
        web.xml       (deployment descriptor)
        sun-web.xml   (vendor-specific descriptor)
        lib/          .jar files
        classes/      .class files for this Web component

Dynamic reloading of Web applications
- Downtime for enterprise applications can be very costly
- Yet, a typical software upgrade requires a re-install
- J2EE enables dynamic reloading: upgrades are done on a running application
  - Can change deployment descriptors
    - E.g. introduce a new type of user, with associated access rights
  - Can change code!
    - JSP, .class files, etc.
- The application server checks for changes and re-deploys the application automatically
Servlets
- A servlet is a Java class using the request-response programming model
  - Commonly used with the HTTP protocol
    - Each request contains a URL, identifying a Web component or a static object (HTML page, image file, etc.)
    - The J2EE server converts the request to an HTTP request object and gives it to the servlet identified by the request URL
    - The servlet fills in an HTTP response object
    - The J2EE server converts the HTTP response object to an HTTP response and sends it to the client

Servlet lifecycle
- The lifecycle of servlets is controlled by the servlet container
- When the container receives a request mapped to a servlet, it
  - Checks if the servlet instance exists. If not, the container will:
    - Load the servlet class
    - Create an instance of the servlet class
    - Call the init method of the servlet instance
      - This method is defined by the servlet programmer and contains any code necessary to load the initial data used by the servlet
  - Invokes a service method of the servlet, passing the request and response objects to this method
- Containers can remove servlet instances
- Application code can have listener objects that are notified of events in the servlet lifecycle
  - E.g., you can log every request to a specific servlet

Servlet service methods
- For HttpServlet, methods doGet, doPost, doPut, doDelete, doOptions, doTrace

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class BookDetailsServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/html");
            response.setBufferSize(8192);
            PrintWriter out = response.getWriter();
            out.println("<html>" + "<head><title>" + … + "</title></head>");
            …
            String bookId = request.getParameter("bookId");
            if (bookId != null) {
                try {
                    BookDetails bd = bookDB.getBookDetails(bookId);
                    ...
                    out.println("<h2>" + bd.getTitle() + "</h2>" + ...
                } catch (BookNotFoundException ex) {
                    // discard the partially written page before reporting the error
                    response.resetBuffer();
                    throw new ServletException(ex);
                }
            }
            out.println("</body></html>");
            out.close();
        }
    }

JSPs
- JSP technology lets you specify scripting language commands inline with formatted text
- Used by the J2EE server to generate responses to clients' requests
- Essentially, the server executes the scripting commands in a JSP page and inserts the produced output in the dynamic page
  - The formatted text (HTML, XML) is left as is
- The JSP 2.0 standard uses Java as the scripting language, but in future other languages will be supported
- JSPs are converted into servlets in the application server
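The lifecycle and service-method slides above describe what the container calls and when; the fragment on the slide leaves out two things a practitioner expects in a servlet, input validation of the request parameter and output encoding of what is written into the HTML. The following is an added example, not the lecture's code: it keeps the BookDetailsServlet name but replaces the book database with a constructed in-memory map loaded in init(), and the listener class, the /bookdetails path and the identifier format are assumptions for the illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not from the lecture). The catalogue is a constructed
// stand-in for the slide's bookDB; paths and identifier rules are assumptions.
public class BookDetailsServlet extends HttpServlet {

    // Only identifiers of this shape are accepted from the client.
    private static final Pattern BOOK_ID = Pattern.compile("[A-Za-z0-9]{1,16}");

    private Map<String, String> catalogue; // bookId -> title (sample data)

    // Lifecycle: called once by the container after the instance is created,
    // before any request is served. Loads the initial data.
    @Override
    public void init() throws ServletException {
        Map<String, String> m = new HashMap<>();
        m.put("201", "Servlets in Depth");
        m.put("202", "Tom & Jerry <Uncut>");   // title with HTML-significant characters
        catalogue = Collections.unmodifiableMap(m);
    }

    // Service method: the container's service() dispatches GET requests here.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String bookId = request.getParameter("bookId");
        // Validate before use: reject rather than hand arbitrary text to the back end.
        if (bookId == null || !BOOK_ID.matcher(bookId).matches()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing or malformed bookId");
            return;
        }
        String title = catalogue.get(bookId);
        if (title == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        response.setContentType("text/html; charset=UTF-8");
        response.setHeader("X-Content-Type-Options", "nosniff");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>" + escapeHtml(title) + "</title></head><body>");
        out.println("<h2>" + escapeHtml(title) + "</h2>");
        out.println("</body></html>");
    }

    // Output encoding: anything that is not part of the template is escaped
    // before it is written into the HTML document.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Lifecycle listener (registered in web.xml with a <listener> element):
    // notified for every request to the Web application; the path test
    // narrows the log to one servlet, as the slide suggests.
    public static class RequestLogger implements ServletRequestListener {
        @Override
        public void requestInitialized(ServletRequestEvent sre) {
            HttpServletRequest r = (HttpServletRequest) sre.getServletRequest();
            if (r.getRequestURI().endsWith("/bookdetails")) {
                sre.getServletContext().log(r.getMethod() + " " + r.getRequestURI()
                        + " from " + r.getRemoteAddr());
            }
        }

        @Override
        public void requestDestroyed(ServletRequestEvent sre) { }
    }
}
```

The validation and error responses happen before getWriter() is called, so sendError() never runs into an already committed response; the slide's version must call resetBuffer() for the same reason. The escaping is the fix for the pattern out.println("<h2>" + bd.getTitle() + "</h2>") when a title (or any other stored value) can contain characters a browser would interpret as markup.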

JSP page composition
- A JSP is composed of
  - Template data
    - Static presentation content (HTML, XML)
  - Directives
    - JSP elements that are interpreted at translation time
      - Tell a JSP compiler to include other files in the compilation of a JSP
      - Define attributes about the JSP page being translated
      - Define libraries of custom elements used in the JSP
  - Scripting elements
    - JSP elements that define
      - Variable and method declarations
      - Expressions to be evaluated
      - Scriptlets (blocks of commands)
  - Action elements
    - Tags, e.g. forward requests to other resources, look up JavaBean objects, etc.

JSP example

    <%@ page session="false" %>
    <% String title = "Hello, world!"; %>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title><%= title %></title>
    </head>
    <body bgcolor="white">
    <h1><%= title %></h1>
    </body>
    </html>

JavaBeans
- A JavaBean is a Java class that follows certain design conventions
- JavaBeans have properties
  - A property can be read-only, write-only, or read-write
  - A property does not have to correspond to a field
  - For each readable property, the bean must have a method of the form
    PropertyClass getProperty() {…}
  - For each writable property, the bean must have a method of the form
    void setProperty(PropertyClass value) {…}
- A JavaBean must have a constructor with no arguments
- Special JSP tags make it convenient to use JavaBeans with JSPs

EJBs
- Beans on steroids
  - The EJB container adds a lot
- Types of EJBs
  - Session beans
  - Entity beans
  - Message-driven beans
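As an added example of the conventions just listed (not from the lecture), the bean below has a read-write property whose setter validates its input, and a read-only property that has no backing field at all. The property names, the simplified ISBN rule and the tax rate are assumptions for the illustration; a JSP would obtain it with <jsp:useBean id="book" class="BookBean"/> and fill it with <jsp:setProperty name="book" property="*"/>, which is why the setters, not the JSP, are the place for the checks.

```java
import java.io.Serializable;

// Added example (not from the lecture): a JavaBean with validating setters.
// Property names, the ISBN rule and the tax rate are assumptions.
public class BookBean implements Serializable {

    private String isbn = "";
    private double price;

    // Required: public no-argument constructor, so that the container
    // or <jsp:useBean> can instantiate the bean.
    public BookBean() { }

    // Read-write property "isbn": getter plus setter. Values typically arrive
    // straight from request parameters, so the setter validates them.
    public String getIsbn() { return isbn; }

    public void setIsbn(String isbn) {
        if (isbn == null || !isbn.matches("[0-9]{9}[0-9X]")) {
            throw new IllegalArgumentException("not a 10-character ISBN");
        }
        this.isbn = isbn;
    }

    // Read-write property "price" with a range check.
    public double getPrice() { return price; }

    public void setPrice(double price) {
        if (price < 0 || Double.isNaN(price)) {
            throw new IllegalArgumentException("price must be a non-negative number");
        }
        this.price = price;
    }

    // Read-only property "priceWithTax": a getter with no setter and no
    // backing field; it is computed from another property (8% assumed).
    public double getPriceWithTax() {
        return Math.round(price * 1.08 * 100.0) / 100.0;
    }
}
```

With this bean, <jsp:getProperty name="book" property="priceWithTax"/> works although no field of that name exists, and a request that sets isbn to anything but the expected shape fails in setIsbn before the value reaches the rest of the application.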

Session beans
- A session bean represents a single client inside the J2EE server
- The client invokes the session bean's methods
- A session bean is not shared and not persistent
- Two types of session beans
  - Stateful
    - The state of the bean is preserved in its fields between calls from the same client
  - Stateless
    - Although a bean may have fields, they are not used to hold data across method invocations on this bean
    - Usually, these are more efficient than stateful beans