Java Web 应用开发：J2EE 和 Tomcat

蔡 剑 , Ph.D.

本讲内容 Web 层技术 (IV)

JSTL Web Security Web Application Architecture

Review: J2EE Framework

(X)HTMLXML

Applet

ClientApplication

JAF

JMS

JDB

C

JTA

JND

I

JSTL

Servlets JSPs

Web Container

SessionBeans

EntityBeans

EJB Container

J2EEApplicationServer

RDMS

Mail Server

JavaApplication

CORBAServer

DirectoryService

Message Queue

JDBC

JavaMail

RMI

IIOP

JNDI

JMS

HTTP

MessageBeans

Application Client Container

JAXRPC

SAAJ

JAX

RJA

CC

Mgmt

JMX

JAF

JMS

JDB

C

JTA

JND

I

JAXRPC

SAAJ

JAX

RJA

CC

Mgmt

JMX

JAXRPC

SAAJ

JAX

RJM

S

Mgmt

JMX

Review: JSP using XML

Web Server

XMLXML

XMLJSP

CustomTag

JavaBeans

SAX/DOM

JSTL Types

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %> 核心标签

<%@ taglib uri="http://java.sun.com/jstl/xml" prefix="x" %> XML 标签

<%@ taglib uri="http://java.sun.com/jstl/fmt" prefix="fmt" %>国际化标签

<%@ taglib uri="http://java.sun.com/jstl/sql" prefix="sql" %> 数据库标签

Core JSTL: Flow Control

<c:choose> <c:when test="${task.startDate.year <='1995'}"> You are far from the Y2K problem! </c:when>   <c:when test="${task.startDate.year <='1998'}"> You were facing the Y2K problem! </c:when> <c:when test="${task.startDate.year >= '2000'}" > You have overcome the Y2K problem! </c:when> <c:otherwise>     You are in the Y2K year! </c:otherwise>

</c:choose>

Core JSTL: Iteration<TABLE BORDER=1 ALIGN=CENTER >

<TR BGCOLOR='#99cee6'> <TH> Name</TH> <TH>Value </TH> </TR>

<c:forEach var="head" items="${headerValues}">

<TR><TD> <c:out value="${head.key}"/></TD>

<TD>

<c:forEach var="val" items="${head.value}">

<c:out value="${val}"/>

</c:forEach>

</TD>

</c:forEach>

</TABLE>

XML Tag<x:parse xml="${taskXML}" var="taskresult"/>……<CENTER><H3>The Task List Using JSTL XML Tags: </H3>……<x:forEach select="$taskresult/tasklist/task"

var="sigletask"><tr> <td> <x:out select="taskid"/> </td><td> <x:out select="name"/> </td><td> <x:out select="start"/> </td><td> <x:out select="end"/> </td></tr></x:forEach>……

P245

XML Tag Example Result

SQL Tag ： DataSource and Query

<sql:setDataSource

var="workflow"

driver="RmiJdbc.RJDriver" url="jdbc:rmi://localhost:1099/jdbc:cloudscape:CloudscapeDB;create=true">

<c:set var="nametofind" value="${param.taskname}"/> <sql:query var="tasks" >  select * from PUBLIC.tasks where name = ?  

<sql:param value="${nametofind}" />

</sql:query>

SQL Tag: Transaction and Update

<sql:transaction>…… <sql:update var="tasks" sql="update PUBLIC.tasks

set days= days + ? where id = ?" >          <sql:param value="${time.duration}" />          <sql:param value="${taskid}" />        </sql:update>……</sql:transaction>

<c:forEach var="task" begin="0" items="${tasklist.rows}">  <p><c:out value="${task.taskname}"/></p>  <p><c:out value="${task.start}"/></p>  <p><c:out value="${task.end}"/></p> </c:forEach>

I18N Tag<%@ taglib prefix="c"

uri="http://java.sun.com/jstl/core" %><%@ taglib prefix="fmt"

uri="http://java.sun.com/jstl/fmt" %><jsp:useBean id="now" class="java.util.Date" /><fmt:timeZone value="GMT"> <fmt:formatDate value="${now}" type="both"

dateStyle="full" timeStyle="full" var="gmtdate"/> <fmt:parseDate value="${formatted}" type="both"

dateStyle="full" timeStyle="full" timeZone="PST" var="pstdate"/>

</fmt:timeZone><c:out value="${gmtdate}"/><BR></BR><c:out value="${pstdate}"/>

Wednesday, November 20, 2002 7:37:49 AM GMTTue Nov 19 23:37:49 PST 2002

Web Application Security 验证 (Authentication), 个体必须由验证机制确定它

的身分。 授权 (Authorization). 当一位被验证通过的本体设法

访问程序资源 , 系统要根据安全政策确定是否该本体有权限进行这样的操作

声明性 (Declarative) 安全机制 , 规定了网络程序和网络服务器之间的安全配置协议 . 网络服务器根据web.xml 中定义的安全要求实现对网络资源的保护 .

程序性 (Programetic) 安全机制较声明性安全机制更直接 . 网络程序自身通过 Java 程序实现其安全保护 .

Role, Group, and User

<?xml version='1.0'?><tomcat-users><role rolename="admin"/><role rolename="manager"/><role rolename="engineer"/><user username="user1" password="password1"     roles="admin,manager,engineer"/><user username="user2" password="password2"     roles="engineer"/></tomcat-users>

Set Naming Resources<GlobalNamingResources> <Resource name="UserDatabase" auth="Container"

type="org.apache.catalina.UserDatabase" description="User database that can be updated and

saved"></Resource> <ResourceParams name="UserDatabase"> <parameter> <name>factory</name>

<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>

</parameter> <parameter> <name>pathname</name> <value>conf/tomcat-users.xml</value> </parameter> </ResourceParams>  </GlobalNamingResources>

Using Database as Realm

<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"

driverName="org.gjt.mm.mysql.Driver" connectionURL="jdbc:mysql://localhost/authority"

connectionName="test" connectionPassword="test"

userTable="users" userNameCol="user_name" userCredCol="user_pass"

userRoleTable="user_roles" roleNameCol="role_name" />

Authentication Approaches

网络容器实现用户验证 : HTTP 基本验证 (Basic authentication) 基于表单验证 (Form-based authentication) 客 户 凭 证 验 证 (Client-certificate

authentication) 摘要验证 (Digest authentication)

网络程序本身实现验证方式 : 网络程序表单验证 程序性安全机制

Basic Authentication<security-constraint>……<web-resource-collection> <web-resource-name>BasicLogin</web-resource-name> <description>Map to Basic Login Page</description> <url-pattern>/control/signin_ba</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <description>no description</description> <role-name>manager</role-name> </auth-constraint> <user-data-constraint> <description>no description</description> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint>

Defined in Web.xml <login-config>

<auth-method>BASIC</auth-method>

<realm-name>default</realm-name>

</login-config>

Form-based Login <login-config> <auth-method>FORM</auth-method> <realm-name>default</realm-name> <form-login-config> <form-login-page>/jsp/signin_cfb.jsp</form-login-page> <form-error-page>/control/error</form-error-page> </form-login-config> </login-config>

Login Form<center><font size=2>Container Form-Based Login</font><form method="POST" action='<%=

response.encodeURL("j_security_check") %>' > <table border="0" cellspacing="5"> <tr> <th align="right">Username:</th> <td align="left"><input type="text" name="j_username"

value="tomcat"></td> </tr> <tr> <th align="right">Password:</th> <td align="left"><input type="password" name="j_password"

value="sqe"></td> </tr>……</table></center></form>

No Secure End-to-End Model

Public Key and Private Key

Config SSL Connection<!--    <Connector      className="org.apache.coyote.tomcat4.CoyoteConnector

"      port="8443" minProcessors="5"       maxProcessors="75"      enableLookups="false"      acceptCount="10"       connectionTimeout="60000" debug="0"      scheme="https" secure="true">    <Factory      className="org.apache.coyote.tomcat4.             CoyoteServerSocketFactory"             clientAuth="false" protocol="TLS" />    </Connector>-->

Security Connection via SSL

Web Application Deployment

Web Application Architecture: MVC Model

Model• Encapsulates application state

•Responds to state queries• Exposes application functionality

•Notifies views of changes

Model• Encapsulates application state

•Responds to state queries• Exposes application functionality

•Notifies views of changes

View• Renders the models

• Request updates from models• Sends user gestures to Controller

• Allows controller to select View

View• Renders the models

• Request updates from models• Sends user gestures to Controller

• Allows controller to select View

Controller• Define application behavior

• Maps user actions to model updates• Select view for response•One for each functionality

Controller• Define application behavior

• Maps user actions to model updates• Select view for response•One for each functionality

State Query State Change

ViewSelection

User gestures

Change Notice

Use Case Analysis

Components

Screendefinition

XML

Requestmapping

XML

Database

Main Servlet

Main Servlet

Page Flow Manager

RequestProcessor

ProjectHandler

UserHandler

TaskHandler

AssignmentHandler

SigninHandler

LogoutHandler

ProjectModel/DAO

UserModel/DAO

TaskModel/DAO

AssignmentModel/DAO

RoleCheckFilter

I18NFilter

ActionListener

ProjectUseBean

UserUseBean

TaskUseBean

ProjectJSPs

UserJSPs

TaskJSPs

AssignJSPs

AssignmentUseBean

TemplateJSP

View Control Model

OtherJSPs

request

responsedispatch

MailSender

Session

Web Server

Major Data Entity Classes

Directory Structure

Class Diagram

Sequence Diagram

Login Page

Struts Framework

•一个 Web 应用的控制器 （是 Struts的中心控制 Servlet ）

•一组用来实现“模型”的 Java Bean和帮助类

•一组用来在 JSP 实现界面的标签库

Struts 用一个配置文件将这三方面的构件组合起来，这些构件具备 Web 应用的基本骨架。

File Structure

Config Files

目录或者文件名称 用法

META-INF 包括程序所使用的元信息

WEB-INF/classes 放 Struts 程序的 Java 类

WEB-INF/classes/org/apache/struts/webapp/examples/MessageResource.properties

包括程序使用的消息内容的文本

WEB-INF/lib/struts.jar 包括 Struts 使用的 servlet, 帮助类，和 taglib代码等等

WEB-INF/*.tld Struts 的标签库

WEB-INF/struts-config.xml Struts 的配置文件，指定其参数和使用方法

WEB-INF/web.xml Web 应用对应 servlet 容器的配置文件

Struts Components

浏览器

struts-config.xml

控制器：ActionServlet

模型

Action

ActionForm

视图：Jsp 文件 应用资源属性

（ properties 文件）

标签库

JPetstore Architecturehttp://www.ibatis.com/jpetstore/jpetstore.html

A Real Example

Cost Model of Struts