Java Web Application Development: J2EE and Tomcat
蔡 剑 (Cai Jian), Ph.D.
Topics of this lecture: Web-tier technologies (IV)
JSTL, Web security, Web application architecture
Review: J2EE Framework
[Diagram: J2EE architecture. Client tier: (X)HTML/XML, Applet, Client Application, Application Client Container. J2EE Application Server: Web Container (Servlets, JSPs, JSTL) and EJB Container (Session Beans, Entity Beans, Message Beans). Container APIs: JAF, JMS, JDBC, JTA, JNDI, JAX-RPC, SAAJ, JAXR, JACC, Mgmt, JMX. External services reached via JDBC, JavaMail, RMI/IIOP, JNDI, JMS and HTTP: RDBMS, Mail Server, Java Application, CORBA Server, Directory Service, Message Queue.]
Review: JSP using XML
[Diagram: a Web Server serves XML and XML/JSP pages; the JSP pages use custom tags and JavaBeans, which process the XML through SAX/DOM.]
JSTL Types
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>   core tags
<%@ taglib uri="http://java.sun.com/jstl/xml" prefix="x" %>    XML tags
<%@ taglib uri="http://java.sun.com/jstl/fmt" prefix="fmt" %>  internationalization (I18N) tags
<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="sql" %>  database (SQL) tags
Core JSTL: Flow Control
<c:choose>
  <c:when test="${task.startDate.year <= '1995'}">
    You are far from the Y2K problem!
  </c:when>
  <c:when test="${task.startDate.year <= '1998'}">
    You were facing the Y2K problem!
  </c:when>
  <c:when test="${task.startDate.year >= '2000'}">
    You have overcome the Y2K problem!
  </c:when>
  <c:otherwise>
    You are in the Y2K year!
  </c:otherwise>
</c:choose>
Core JSTL: Iteration
<TABLE BORDER=1 ALIGN=CENTER>
  <TR BGCOLOR='#99cee6'> <TH>Name</TH> <TH>Value</TH> </TR>
  <c:forEach var="head" items="${headerValues}">
    <TR>
      <TD><c:out value="${head.key}"/></TD>
      <TD>
        <c:forEach var="val" items="${head.value}">
          <c:out value="${val}"/>
        </c:forEach>
      </TD>
    </TR>
  </c:forEach>
</TABLE>
XML Tag
<x:parse xml="${taskXML}" var="taskresult"/>
……
<CENTER><H3>The Task List Using JSTL XML Tags: </H3>
……
<x:forEach select="$taskresult/tasklist/task" var="sigletask">
  <tr>
    <td><x:out select="taskid"/></td>
    <td><x:out select="name"/></td>
    <td><x:out select="start"/></td>
    <td><x:out select="end"/></td>
  </tr>
</x:forEach>
……
XML Tag Example Result
SQL Tag: DataSource and Query
<sql:setDataSource var="workflow"
    driver="RmiJdbc.RJDriver"
    url="jdbc:rmi://localhost:1099/jdbc:cloudscape:CloudscapeDB;create=true"/>
<c:set var="nametofind" value="${param.taskname}"/>
<sql:query var="tasks" dataSource="${workflow}">
  select * from PUBLIC.tasks where name = ?
  <sql:param value="${nametofind}"/>
</sql:query>
SQL Tag: Transaction and Update
<sql:transaction>
  ……
  <sql:update var="tasks" sql="update PUBLIC.tasks set days = days + ? where id = ?">
    <sql:param value="${time.duration}"/>
    <sql:param value="${taskid}"/>
  </sql:update>
  ……
</sql:transaction>
<c:forEach var="task" begin="0" items="${tasklist.rows}">
  <p><c:out value="${task.taskname}"/></p>
  <p><c:out value="${task.start}"/></p>
  <p><c:out value="${task.end}"/></p>
</c:forEach>
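The query and update from the two SQL-tag slides, written once without and once with `<sql:param>`, to make the security role of the `?` placeholder concrete. This is an added example, not code from the lecture; it assumes the `workflow` datasource and a table PUBLIC.tasks(id, name, days), and the request parameters taskname, taskid and duration are hypothetical.

```jsp
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="sql" %>
<%-- Added example, not from the lecture. Assumes the "workflow" datasource
     (set up with sql:setDataSource as on the slides) and a table
     PUBLIC.tasks(id, name, days); taskname, taskid and duration are
     hypothetical request parameters (numeric conversion of duration and
     taskid is left to the JDBC driver). --%>

<%-- UNSAFE (shown for contrast only): the parameter value is pasted into the
     SQL text, so a value containing a quote rewrites the statement itself. --%>
<sql:query var="unsafeTasks" dataSource="${workflow}">
  select * from PUBLIC.tasks where name = '${param.taskname}'
</sql:query>

<%-- SAFE: the "?" placeholder is bound through a PreparedStatement, so the
     value is always treated as data, whatever characters it contains. --%>
<sql:query var="tasks" dataSource="${workflow}">
  select id, name, days from PUBLIC.tasks where name = ?
  <sql:param value="${param.taskname}"/>
</sql:query>

<%-- The same rule applies to updates; inside sql:transaction the update is
     committed only if it completes, otherwise the transaction rolls back. --%>
<sql:transaction dataSource="${workflow}">
  <sql:update var="changed">
    update PUBLIC.tasks set days = days + ? where id = ?
    <sql:param value="${param.duration}"/>
    <sql:param value="${param.taskid}"/>
  </sql:update>
</sql:transaction>

<table border="1">
  <tr><th>id</th><th>name</th><th>days</th></tr>
  <c:forEach var="row" items="${tasks.rows}">
    <tr>
      <%-- c:out escapes <, >, &, ' and " by default, so a task name that
           contains markup is displayed literally rather than rendered. --%>
      <td><c:out value="${row.id}"/></td>
      <td><c:out value="${row.name}"/></td>
      <td><c:out value="${row.days}"/></td>
    </tr>
  </c:forEach>
</table>
<p><c:out value="${changed}"/> row(s) updated.</p>
```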
I18N Tag
<%@ taglib prefix="c" uri="http://java.sun.com/jstl/core" %>
<%@ taglib prefix="fmt" uri="http://java.sun.com/jstl/fmt" %>
<jsp:useBean id="now" class="java.util.Date" />
<fmt:timeZone value="GMT">
  <fmt:formatDate value="${now}" type="both" dateStyle="full" timeStyle="full" var="gmtdate"/>
  <fmt:parseDate value="${gmtdate}" type="both" dateStyle="full" timeStyle="full" timeZone="PST" var="pstdate"/>
</fmt:timeZone>
<c:out value="${gmtdate}"/><BR></BR><c:out value="${pstdate}"/>
Output:
Wednesday, November 20, 2002 7:37:49 AM GMT
Tue Nov 19 23:37:49 PST 2002
Web Application Security
Authentication: a principal must have its identity established by an authentication mechanism.
Authorization: when an authenticated principal attempts to access an application resource, the system decides, according to the security policy, whether that principal is permitted to perform the operation.
Declarative security specifies the security-configuration contract between the web application and the web server: the web server protects web resources according to the security requirements defined in web.xml.
Programmatic security is more direct than declarative security: the web application implements its own protection in Java code.
Role, Group, and User
<?xml version='1.0'?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <role rolename="engineer"/>
  <user username="user1" password="password1" roles="admin,manager,engineer"/>
  <user username="user2" password="password2" roles="engineer"/>
</tomcat-users>
Set Naming Resources
<GlobalNamingResources>
  <Resource name="UserDatabase" auth="Container"
            type="org.apache.catalina.UserDatabase"
            description="User database that can be updated and saved"/>
  <ResourceParams name="UserDatabase">
    <parameter>
      <name>factory</name>
      <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
    </parameter>
    <parameter>
      <name>pathname</name>
      <value>conf/tomcat-users.xml</value>
    </parameter>
  </ResourceParams>
</GlobalNamingResources>
Using Database as Realm
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority"
connectionName="test" connectionPassword="test"
userTable="users" userNameCol="user_name" userCredCol="user_pass"
userRoleTable="user_roles" roleNameCol="role_name" />
Authentication Approaches
Authentication performed by the web container: HTTP Basic authentication, form-based authentication, client-certificate authentication, digest authentication.
Authentication performed by the web application itself: the application's own login form, programmatic security.
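A JSP served behind the container's login that adds the programmatic checks the slides describe on top of the declarative constraint. This is an added example, not code from the lecture; it assumes the manager and engineer roles from tomcat-users.xml above and a hypothetical protected URL /control/task_update.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>
<%-- Added example, not from the lecture. Assumes the page is inside a
     security-constraint (BASIC or FORM login as on the slides) and the
     manager/engineer roles from tomcat-users.xml; /control/task_update is a
     hypothetical protected URL. --%>
<%
    // The container authenticated the caller before this page ran, so
    // getRemoteUser() is null only when the URL is not covered by any
    // security-constraint: treat that as a deployment error, not as a guest.
    String user = request.getRemoteUser();
    if (user == null) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authenticated");
        return;
    }
    // BASIC credentials and the session cookie travel in the clear over
    // plain HTTP; refuse to serve the page unless it arrived through the
    // SSL connector (port 8443 in the lecture's server.xml).
    if (!request.isSecure()) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
        return;
    }
    // Role names must match those in the realm (tomcat-users.xml or the
    // JDBCRealm's user_roles table); the container performs the lookup.
    pageContext.setAttribute("isManager",
            Boolean.valueOf(request.isUserInRole("manager")));
%>
<html><body>
<p>Signed in as <c:out value="${pageContext.request.remoteUser}"/></p>
<c:choose>
  <c:when test="${isManager}">
    <%-- Hiding the link is convenience only: /control/task_update must
         itself be listed in a security-constraint with role manager. --%>
    <a href="<%= response.encodeURL(request.getContextPath() + "/control/task_update") %>">
      Update task days</a>
  </c:when>
  <c:otherwise>
    <p>Read-only view: the engineer role may list tasks but not change them.</p>
  </c:otherwise>
</c:choose>
</body></html>
```

The declarative counterpart of the isSecure() check is <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the security-constraint (the lecture's Basic authentication example uses NONE); with it the container redirects the request to the SSL connector before authenticating, so the credentials are never sent in clear text.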
Basic Authentication
<security-constraint>
  ……
  <web-resource-collection>
    <web-resource-name>BasicLogin</web-resource-name>
    <description>Map to Basic Login Page</description>
    <url-pattern>/control/signin_ba</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>no description</description>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>no description</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Defined in web.xml:
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>
Form-based Login
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>default</realm-name>
  <form-login-config>
    <form-login-page>/jsp/signin_cfb.jsp</form-login-page>
    <form-error-page>/control/error</form-error-page>
  </form-login-config>
</login-config>
Login Form
<center>
  <font size=2>Container Form-Based Login</font>
  <form method="POST" action='<%= response.encodeURL("j_security_check") %>'>
    <table border="0" cellspacing="5">
      <tr>
        <th align="right">Username:</th>
        <td align="left"><input type="text" name="j_username" value="tomcat"></td>
      </tr>
      <tr>
        <th align="right">Password:</th>
        <td align="left"><input type="password" name="j_password" value="sqe"></td>
      </tr>
      ……
    </table>
  </form>
</center>
No Secure End-to-End Model
Public Key and Private Key
Config SSL Connection
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false" acceptCount="10" connectionTimeout="60000"
           debug="0" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
-->
Security Connection via SSL
Web Application Deployment
Web Application Architecture: MVC Model
Model
• Encapsulates application state
• Responds to state queries
• Exposes application functionality
• Notifies views of changes
View
• Renders the models
• Requests updates from models
• Sends user gestures to Controller
• Allows controller to select View
Controller
• Defines application behavior
• Maps user actions to model updates
• Selects view for response
• One for each functionality
[Diagram arrows: View -> Model: state query; Controller -> Model: state change; Controller -> View: view selection; View -> Controller: user gestures; Model -> View: change notice.]
Use Case Analysis
Components
[Diagram: component structure of the example application, in View, Control and Model layers. Control: Main Servlet with Page Flow Manager and RequestProcessor, driven by screen-definition XML and request-mapping XML; handlers ProjectHandler, UserHandler, TaskHandler, AssignmentHandler, SigninHandler, LogoutHandler; filters RoleCheckFilter and I18NFilter; ActionListener; MailSender; Session. Model: ProjectModel/DAO, UserModel/DAO, TaskModel/DAO, AssignmentModel/DAO over the Database. View: ProjectUseBean, UserUseBean, TaskUseBean, AssignmentUseBean; ProjectJSPs, UserJSPs, TaskJSPs, AssignJSPs, TemplateJSP, OtherJSPs. Requests and response dispatch pass through the Web Server.]
Major Data Entity Classes
Directory Structure
Class Diagram
Sequence Diagram
Login Page
Struts Framework
• A controller for the Web application (the central controlling Servlet of Struts)
• A set of JavaBeans and helper classes that implement the "model"
• A set of tag libraries for implementing the user interface in JSP
Struts ties these three kinds of components together with a single configuration file; together they form the basic skeleton of a Web application.
File Structure
Config Files
Directory or file name: usage
META-INF: metadata used by the application
WEB-INF/classes: the Java classes of the Struts application
WEB-INF/classes/org/apache/struts/webapp/examples/MessageResource.properties: the text of the messages used by the application
WEB-INF/lib/struts.jar: the servlet, helper-class and taglib code used by Struts, among other things
WEB-INF/*.tld: the Struts tag libraries
WEB-INF/struts-config.xml: the Struts configuration file, which specifies its parameters and how it is used
WEB-INF/web.xml: the Web application's configuration file for the servlet container
Struts Components
[Diagram: browser; struts-config.xml; controller: ActionServlet; model: Action, ActionForm; view: JSP files, application resource properties (.properties file), tag libraries.]
JPetstore Architecture
http://www.ibatis.com/jpetstore/jpetstore.html
A Real Example
Cost Model of Struts