EMTM 600 Software Development

1
EMTM 600Software Development

• Spring 2007
• Lecture Notes 2

2
Assignments for next time

• Read again the use cases and user stories in the
  handout Elements of a Case Study used in EMTM
  600 in 2006. Describe
• 2 user stories that should be easy to add and
  implement, assuming that all the other user
  stories in the handout have been implemented. For
  each user story explain why it should be easy.
• 2 user stories that are technologically feasible
  but that would be very hard to add and
  implement, again assuming that all the other user
  stories have been implemented. For each user
  story explain why it should be easy.
• About 2 pages long. Groups of 3-4 students
  OK. We may revisit these in the last assignment
  so keep a copy.
• Recall the Pet Store application shown in class.
  Give 2 user stories that you think should be
  implemented. Half a page. Groups of 3-4 students
  OK.
• Read chapter 3 of the textbook. Two days before
  the next lecture email me ONE QUESTION about
  something you didnt understand. Each student.

3
Layers and servers in Java EE architecture
Java EE application server
Web server
data source
presentation
data mapping
controller
domain
Eg.,
Eg.,
Eg.,
Eg.,
Eg.,
Session EJBs
Entity EJBs
Servlets
JSP
JDBC
browser
DB
4
Strict layering a good idea!

• Clear interface contracts exist between layers
• The only references are from layer k to layer k1
• Pros
• Limited propagation of changes in other layers
• Entire layers can be replaced when interfaces are
  the same
• Interfaces can be changed affecting only adjacent
  layers (mostly)
• Distributed deployment possible for layers
  (requires comm. protocols)
• Increased security
• Cons
• Performance suffers from the overhead of
  propagation through layers
• Extensibility and changeability suffers if
  interfaces are not robust enough (hmm that is a
  problem of all architectures!)

5
Static and Dynamic Web Content

• static plain HTML, just hypertext interaction
• dynamic, on the client side
• Applets (Java)
• Dynamic HTML
• scripts (JavaScript/Jscript, VBScript)
• forms
• dynamic, on the server side
• CGI (Common Gateway Interface), written in any
  language
• Servlets (Java)
• JSP (Java Server Pages, Sun)
• ASP (Active Server Pages, MS)

6
Java EE presentation layer technologies

• Servlet/JSP
• Java-based standard for generating dynamic
  content.
• Content can be in HTML directly or in XML/XSLT.
• XML/XSLT
• Separates data from its presentation. XSLT
  stylesheets translate XML to HTML.
• For example, Java and C programs may generate
  XML data, then apply the same stylesheet!
• Allows for limited-capability browsers.
• Much data may be already in XML, if it comes from
  Web services or B2B interactions.
• GUI Applications
• User interfaces implemented by applications using
  Java Swing.
• Swing provides platform-independent graphical
  widgets.
• The client platform must run the JVM (Java
  Virtual Machine).
• Easier deployment can be achieved if the
  application is an applet.
• This is delivered through a Web browser and uses
  the JVM built into the browser.

7
Java EE presentation layer patterns

• Model-View-Controller (MVC)
• The grandaddy of all design patterns!
• The View is about user input and how to display
  output to the user.
• The Controller understands the input and decides
  which data to display.
• The Model has the domain objects that capture the
  state of the application, hence what the data
  consists of at any given time.
• Model 2 a small specialization of MVC
• The View doesnt get the data directly from the
  Model, but through Controller.
• Display is modeled by special objects, possibly
  created dynamically.
• The view has a standard way of displaying such
  objects.

8
Servlets

• This is the further specialization of Model 2
• the View is based on a browser.
• the browser sends HTTP(GET/POST) requests to the
  Web server.
• the Web server passes requests to a servlet.
• the servlets responses
• print HTML (like CGI), or
• Java Server Pages (JSP), see the pattern
• View Helper / Template Based
  Strategy in textbook

9
MVC - Model 2 (Servlet/JSP)
Request (HTTP)
Controller object (servlet)
View instance (browser)
Response (HTTP)
Display object (JSP)
Domain object (EJB)
10
Developing Complex Views

• Take a look at a busy news website. The view is
  large and complicated!
• JSPs that implement complicated views are hard to
  write and debug.
• Use a pattern called Composite View.
• Its really about modular development of JSPs.
• Goal minimize the scriptlets inside JSPs.
• Some help from Standard Tags , eg.,
  ltjspinclude
  pageblock.jsp/gt
• Big help from Custom Tags!
• User-defined, open-source libraries are
  available
• Tag Libs (eg., http//jakarta.apac
  he.org/taglibs)
• Good tutorials at THE WEB TIER (http//www.jspolym
  pus.com)

11
AJAX (Asynchronous Java Script and XML)

• A combination of technologies that relies on more
  work in the browser.
• Improves user experience with Java Script
  interpreted in the browser.
• Java Script execution leads to exchanges with the
  Web server that are not too noticeable to the
  user (refreshes only part of the displayed page).
• The Web server sends XML which is then processed
  in the browser by CSS (cascading stylesheets,
  uploaded separately). The visual features can be
  confined to the CSS while the exchange of XML
  focuses on content.
• Special class XMLHttpRequest has objects that
  govern the exchanges between Java Script and Web
  Server. With MS Web servers its Active
  Xobject
• Can combine with Tag Libs!
• But writing large Java Script code is hard and
  buggy!

12
Controller patterns

• Assume Servlet/JSP.
• We have two main choices for the
  controller/servlet
• Multiple Servlet (a pattern called Page
  Controller)
• Not in the textbook not recommended widely
  used!
• Needs multiple entry points which need to be
  encoded in HTTP requests.
• Easier for team development.
• But may hard-code URIs for the servlets JSP hard
  to reorganize.
• Single Servlet (a pattern called Front
  Controller)
• Single entry point, a gate-keeping servlet,
• which then creates controller instances.
• More opportunities to generalize/extend
  uniformly.
• Needs a dispatching mechanism to route requests
  to the right controlling code.
• This can be cumbersome, luckily there is Struts.

13
The Apache Struts Framework

• Robust open source implementation of the
  single servlet as controller specialization of
  MVC/Model2/Servlet/JSP. See the pattern
  Application Controller in the textbook.
• Single servlet is implemented already by the
  framework.
• The structure is given by a set of JSPs.
• The different controllers are implemented as
  classes that extend an existing Action class.
• Each controller is invoked by a form in a page
  and responds with another page.
• Support for encoding form fields into Java Bean
  objects.
• Support for validation and errors.

Source JSP
Request
Controller Action.perform()
Destination JSP
POST (form params)
14
Controller layer session state

• Problem multiple users, same controller
  (servlet) with re-entrant code.
• Web apps should be stateless! (This does not
  include persistent info in the domain layer
  and/or the back-end!)
• Two solutions Cookies and/or URL rewriting
• Cookie unique id returned by Web server to
  browser on first contact
• browser maintains cookies by
  URL-domain, attaches them
• to further requests. Can be
  encrypted well see later the
• J2EE automates this
• HttpSession.objects using a special
• JSESSIONID cookie
• One problem is that some potential customers are
  very security-conscious and disable cookies in
  their browser!

15
More about session state

• URL rewriting session id is attached (encoded)
  into the URL used for
• the return page Web
  server decodes and provides
• servlet with session id.
• Java EE helps HttpServletResponse.encodeURL()
• HttpServletRequest.getRequestedSessionId
  ()))
• However, URL rewriting is more complicated to
  implement requires JSP (no plain HTML returned
  and consistency encode ALL URLs otherwise
  session is lost
• J2EE helps cookies and URL rewriting can be used
  together in the same app., and when the client
  browser does cookies, the application server
  cookies makes URL rewriting a no-op (thus less
  performance loss).

16
Multiple servers and session state
Java EE App Server

Web Server

Edge Network Dispatcher
Web Server
Java EE App Server

• Session state must be available to ALL servers!
• Save session data in a database
• Make copies of session data in several servers
  obtain them by messaging(M2M)

17
Security

• Java EE architecture weak spots
• Browser to Web server communication
• (Web container to domain container communication)
• Issues
• Authentication prove that you are who you say
  you are!
• Authorization I know who you are, but you are
  not welcome )
• Privacy both Jim and Jules are authorized
  clients but they shouldnt see each others
  accounts!
• Integrity who is masquerading as Jim?
• All four are relevant to browser-web server
  communication.
• (Between web container and domain container, the
  Java EE framework handles authentication and
  integrity automatically.)

18
JAAS

• Java Authentication and Authorization Service
• A general API for customizable authentication,
  authorization and access control mechanisms.
• It can be used to implement any of
• the servlet security methods in the J2EE
  specification
• HTTP basic authentication (optionally with
  encrypted password)
• Form-based authentication
• Certificate based authentication (HTTPS uses
  encryption through SSL)