Servlets: HTTP Request Header Contents and Responses - PowerPoint PPT Presentation

About This Presentation

Slides: 38
Provided by: ceramiupda
Transcript and Presenter's Notes


1
Servlets: HTTP Request Header Contents and Responses
2
Road Map
  • Recap and Overview
  • Reading HTTP Request Headers
  • Generating the Server Response
  • Case Study 1: Search Engines
  • Case Study 2: Basic Web Security
  • Restricting by User Name/Password

3
Recap and Overview
4
Overview
  • Interaction between browser and web server.

[Diagram: the Web Browser sends a Request to the Web Server; the Web Server returns a Response.]
5
Client Request Data
  • When a user submits a browser request to a web
    server, it sends two categories of data:
  • Form Data: data that the user explicitly typed
    into an HTML form, for example registration
    information.
  • HTTP Request Header Data: data that the browser
    automatically appends to the HTTP request, for
    example cookies, browser type, etc.
  • Both categories come from the client, and anyone
    who crafts a request by hand can set either to any
    value, so header data is no more trustworthy than
    form data.

6
Reading HTTP Request Headers
7
Sample HTTP Request
  • A sample HTTP request to Yahoo.com:
  • GET / HTTP/1.1
  • Accept: */*
  • Accept-Language: en-us
  • Accept-Encoding: gzip, deflate
  • User-Agent: Mozilla/4.0 (compatible; MSIE 5.0;
    Windows NT; DigExt)
  • Host: www.yahoo.com
  • Connection: Keep-Alive
  • Cookie: B=2td79o0sjlf5rb2

Tip: Check out http://www.web-sniffer.net
8
Accessing HTTP Headers
  • As in the SnoopServlet example.
  • To access any of these headers, use the
    HttpServletRequest getHeader() method.
  • For example:
  • String connection = req.getHeader("Connection");
  • getHeader() returns null when the header is absent,
    and only the first value when a header appears more
    than once; getHeaders(name) returns all values.
  • To retrieve a list of all the header names, use
    the getHeaderNames() method.
  • getHeaderNames() returns an Enumeration object.
  • For example:
  • Enumeration headerNames = req.getHeaderNames();
  • (The original slide named the variable enum, which
    has been a reserved word since Java 5 and no longer
    compiles.)

9
Additional HTTP Information
  • getMethod()
  • Indicates the request method, e.g. GET or POST.
  • getRequestURI()
  • Returns the part of the URL that comes after the
    host and port, without the query string. For
    example, for the URL
    http://randomhost.com/servlet/search, the request
    URI would be /servlet/search (the query string, if
    any, comes from getQueryString()).
  • getProtocol()
  • Returns the protocol version, e.g. HTTP/1.0 or
    HTTP/1.1
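A complete header-dump servlet in the style of the SnoopServlet the slides refer to, added here as an example (it is not code from the slides). It assumes the javax.servlet API at Servlet 3.0 or later (for the generic Enumeration<String> return types) and nothing about the deployment path:

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Dumps the request line and every request header as text/plain.
 * Everything printed here arrived from the client and is untrusted input:
 * Host, User-Agent, Cookie and the rest can be set to any value by whoever
 * sends the request.
 */
public class HeaderDumpServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // Content type must be set before the first write. text/plain means
        // nothing echoed below is interpreted as HTML, so attacker-controlled
        // header values cannot turn into script in the browser.
        res.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = res.getWriter();

        // Request line: method, URI (path only) and protocol version.
        out.println(req.getMethod() + " " + req.getRequestURI() + " " + req.getProtocol());
        if (req.getQueryString() != null) {
            out.println("Query string: " + req.getQueryString());
        }
        out.println();

        // getHeaderNames() yields each distinct header name once;
        // getHeaders(name) yields every value of that header, which matters
        // for headers sent more than once (getHeader() would return only the first).
        Enumeration<String> names = req.getHeaderNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            Enumeration<String> values = req.getHeaders(name);
            while (values.hasMoreElements()) {
                out.println(name + ": " + values.nextElement());
            }
        }
    }
}
```

Map it to a path such as /snoop in web.xml (or with @WebServlet) and request it with a browser or curl to see the same headers the slide's Yahoo example shows.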

10
Reading Browser Types
  • The User-Agent HTTP header indicates the browser
    and operating system.
  • For example:
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
    Windows NT 5.1)
  • You can use this header to differentiate browser
    types or simply log browser requests.
  • Like every request header, the value is set by the
    client and is trivial to forge, so never base an
    access decision on it.

11
Example User-Agents
  • Internet Explorer:
  • User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
    Windows NT 5.1)
  • Mozilla:
  • User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1;
    en-US; rv:1.4) Gecko/20030624
  • For historical reasons (servers used to sniff for
    "Mozilla" before sending Netscape-level content),
    IE identifies itself as Mozilla.

12
Generating the Server Response
13
Sample HTTP Response
  • As a refresher, here's a sample HTTP response:
  • HTTP/1.1 200 OK
  • Date: Mon, 06 Dec 2004 20:54:26 GMT
  • Server: Apache/1.3.6 (Unix)
  • Last-Modified: Fri, 04 Oct 2002 14:06:11 GMT
  • Content-Length: 327
  • Connection: close
  • Content-Type: text/html
  • (blank line separating headers from body)
  • <title>Sample Homepage</title>
  • <img src="/images/oreilly_mast.gif">
  • <h1>Welcome</h1>Hi there, this is a simple web
    page. Granted, it may

14
Generating Responses
  • Servlets can return any HTTP response they want.
  • Useful for lots of scenarios:
  • Redirecting to another web site.
  • Restricting access to approved users.
  • Specifying a content type other than text/html,
    e.g. returning images instead of HTML.

15
Setting the HTTP Status Code
  • Normally, your servlet will return an HTTP status
    code of 200 OK to indicate that everything went
    fine.
  • To return a different status code, use the
    setStatus() method of the HttpServletResponse
    object.
  • Be sure to set the status code before sending any
    document content to the client: once the response
    is committed the status line has already gone out,
    and setStatus() has no effect.

16
Using setStatus()
  • setStatus() takes an integer value, but it's best
    to use the predefined constants in
    HttpServletResponse. Here are a few:
  • SC_BAD_REQUEST
  • Status code (400) indicating the request sent by
    the client was syntactically incorrect.
  • SC_FORBIDDEN
  • Status code (403) indicating the server
    understood the request but refused to fulfill it.
  • SC_INTERNAL_SERVER_ERROR
  • Status code (500) indicating an error inside the
    HTTP server which prevented it from fulfilling
    the request.
  • SC_NOT_FOUND
  • Status code (404) indicating that the requested
    resource is not available.
  • For error codes, sendError(code) both sets the
    status and generates the container's error page;
    setStatus() only sets the status line and leaves
    the body to you.

17
Sending Redirects
  • You can redirect the browser to a different URL
    by issuing a Moved Temporarily status code:
  • SC_MOVED_TEMPORARILY: status code (302)
    indicating that the resource has temporarily
    moved to another location.
  • Because this is so common, the HttpServletResponse
    interface also has a sendRedirect() method, which
    sets the 302 status and the Location header and
    commits the response.
  • Example:
  • res.sendRedirect("http://www.yahoo.com");
  • Never pass a URL taken from the request straight
    to sendRedirect(): that is an open redirect, which
    lets a phisher bounce victims through your domain
    to a site of their choosing. Validate the target
    or look it up in an allow-list.

18
Example: Search Engines
19
Multiple Search Engines
  • SearchEngines servlet
  • Enables users to submit a search query to one of
    four search engines:
  • Google
  • AllTheWeb
  • Yahoo
  • AltaVista, etc.
  • The code uses the HTTP response (a 302 status plus
    the Location header) to redirect the user to the
    correct search engine.

20
Architecture
[Diagram: the Web Browser sends "I want to search for Bill Gates on Google" to the SearchEngines Servlet; the servlet answers "Go to Google" (a redirect); the browser repeats "I want to search for Bill Gates on Google" to Google, which returns "Your results".]
21
SearchSpec.java
  • The SearchSpec object contains information about
    connecting to a specific search engine:
  • public String makeURL(String searchString,
    String numResults)
  • You provide this method with a search string and
    the number of results, and it returns the URL and
    search query specific to Google, Yahoo, HotBot,
    etc.
  • The class is contained in SearchEngines.java on acad.

22
SearchUtilities.java
  • The SearchUtilities.java code has an array of
    SearchSpec objects: one for Google, one for
    Yahoo, etc.
  • It also provides a makeUrl method.

23
SearchEngines.java
  • The main servlet code.
  • This code:
  • Extracts the searchEngine parameter.
  • If no such parameter exists, it sends an HTTP
    error status.
  • Otherwise, it calls SearchUtilities to construct
    the correct URL.
  • Finally, it redirects the user to this new URL.
  • The user controls only which allow-listed engine is
    chosen and the (URL-encoded) search string; the
    redirect target itself is never taken from the
    request.
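An added example (not the SearchEngines.java from the slides) that puts slides 15 through 23 together in one servlet: the engine name is looked up in an allow-list, the query is URL-encoded, a missing or unknown engine produces a 400 through sendError(), and the redirect goes out with sendRedirect(). It assumes the javax.servlet API and Java 10 or later; the engine URL templates and the parameter names searchEngine and searchString are assumptions made for this example:

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects a search query to one of a fixed set of search engines.
 * The engine name from the request is only ever used as a key into the
 * allow-list below; the redirect target is never built from client data
 * except for the URL-encoded query, which is what keeps this from being
 * an open redirect.
 */
public class SearchRedirectServlet extends HttpServlet {

    // Allow-list of engines (constructed for this example; the %s placeholder
    // receives the URL-encoded query).
    private static final Map<String, String> ENGINES = new HashMap<>();
    static {
        ENGINES.put("google", "https://www.google.com/search?q=%s");
        ENGINES.put("yahoo", "https://search.yahoo.com/search?p=%s");
        ENGINES.put("bing", "https://www.bing.com/search?q=%s");
    }

    /** Builds the redirect URL, or returns null if the engine is not on the allow-list. */
    static String makeURL(String engine, String query) {
        if (engine == null || query == null) {
            return null;
        }
        String template = ENGINES.get(engine.toLowerCase());
        if (template == null) {
            return null;
        }
        // URL-encode the query so '&', '#', '%' and friends cannot add or
        // alter parameters in the target URL.
        String encoded = URLEncoder.encode(query, StandardCharsets.UTF_8);
        return String.format(template, encoded);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String url = makeURL(req.getParameter("searchEngine"),
                             req.getParameter("searchString"));
        if (url == null) {
            // sendError() sets the status *and* emits the container's error
            // page; setStatus() alone would only change the status line.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                          "Missing search string or unknown search engine");
            return;
        }
        // sendRedirect() sets 302 and the Location header and commits the
        // response; nothing can be written to the body after this call.
        res.sendRedirect(url);
    }
}
```

A request such as /search?searchEngine=google&searchString=Bill+Gates%26x=1 is redirected to https://www.google.com/search?q=Bill+Gates%26x%3D1, with the injected "&x=1" kept inside the query value rather than becoming a parameter of its own.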

24
Example: Basic Web Security
25
HTTP Authentication
  • The HTTP protocol includes a built-in
    authentication mechanism.
  • Useful for protecting web pages or servlets that
    require user name / password access.
  • First, let's examine the basic mechanism and the
    HTTP headers involved.
  • Then, let's figure out how to build a servlet
    that uses this mechanism.

26
Basic Authentication
  • If a web page is protected, the web server will
    issue an authentication challenge:
  • HTTP/1.1 401 Authorization Required
  • Date: Sun, 27 Aug 2000 17:51:25 GMT
  • Server: Apache/1.3.12 (Unix) ApacheJServ/1.1
    PHP/4.0.0 mod_ssl/2.6.6 OpenSSL/0.9.5a
  • WWW-Authenticate: BASIC realm="privileged-few"
  • Keep-Alive: timeout=90, max=150
  • Connection: Keep-Alive
  • Transfer-Encoding: chunked
  • Content-Type: text/html

27
WWW-Authenticate
  • WWW-Authenticate: BASIC realm="realm"
  • When you return status code 401, Authorization
    Required, you need to tell the browser what type
    of authentication is required.
  • You do this via the WWW-Authenticate header.
    This header has two parts:
  • BASIC: Basic authentication, requiring a user name
    and password.
  • realm: you can create multiple realms of
    authentication for different users, e.g. Admin,
    User, Super_User, etc. The browser also uses the
    realm to decide which cached credentials to send
    again on later requests.

28
Basic Authentication Cont.
  • Upon receiving an authentication challenge, the
    browser will prompt the user with a pop-up box
    requesting the user name and password.
  • The browser joins the user name and password as
    username:password and encodes it with Base64.
    Base64 is an encoding, not encryption.
  • For example, if the string is marty:martypw,
    the Base64 string is bWFydHk6bWFydHlwdw==
  • We will not cover the details of Base64, but
    remember that Base64 is trivially reversible.
    Therefore, even if your page is protected,
    anyone who can read the traffic (any plain-HTTP
    hop) can take the Base64 string and recover the
    password. Basic authentication is only as safe as
    the transport it runs over, so use it only over
    HTTPS.

29
Basic Authentication Cont.
  • The browser reissues the request for the page.
    In the HTTP request, the browser includes the
    Authorization header:
  • GET /servlet/coreservlets.ProtectedPage HTTP/1.1
  • Accept: image/gif, */*
  • Accept-Language: en-us
  • Accept-Encoding: gzip, deflate
  • User-Agent: Mozilla/4.0 (compatible; MSIE 5.0;
    Windows NT; DigExt)
  • Host: www.ecerami.com
  • Connection: Keep-Alive
  • Authorization: Basic bWFydHk6bWFydHlwdw==

30
Basic Authentication Cont.
  • Web Server checks the user name and password.
  • If User Name/Password is correct, web server
    displays the protected page.
  • If the User Name/Password is incorrect, web
    server issues a second authentication challenge.

31
Almost there
  • Before we examine the actual servlet code, there
    are two pieces of Java coding we need to examine:
  • sun.misc.BASE64Decoder (an internal, unsupported
    class; java.util.Base64 is the supported
    replacement).
  • java.util.Properties

32
Base 64 Encoding
  • Sun provides a class called sun.misc.BASE64Decoder.
    It is an internal class that was never part of the
    public API and was removed in Java 9; since Java 8
    use java.util.Base64.getDecoder().decode() instead.
  • You can use the decodeBuffer() method to decode
    the Base64 string sent from the user:
  • String userInfo = "bWFydHk6bWFydHlwdw==";
  • BASE64Decoder decoder = new BASE64Decoder();
  • String nameAndPassword =
      new String(decoder.decodeBuffer(userInfo));
  • decodeBuffer() throws IOException, so the caller
    must handle it.
  • After this code, nameAndPassword will be set to
    marty:martypw. Split it at the first colon only:
    a user name cannot contain ':' but a password can.

33
java.util.Properties
  • A utility class for reading in property files.
  • For example, suppose you have the following
    passwords.properties file:
  • #Passwords
  • #Sat Aug 26 11:15:42 EDT 2000
  • nathan=nathanpw
  • marty=martypw
  • lindsay=lindsaypw
  • bj=bjpw

34
java.util.Properties
  • You can easily and automatically load the
    password file and parse its contents:
  • String passwordFile = "passwords.properties";
  • Properties passwords = new Properties();
  • passwords.load(new FileInputStream(passwordFile));
  • Then, you can extract the password for a specific
    user name:
  • String password = passwords.getProperty("marty");
  • getProperty() returns null for an unknown user, so
    check for null before comparing.
  • Note that this file holds passwords in clear text:
    anyone who can read it owns every account. In
    practice store a salted hash per user and compare
    the hash of the submitted password against it.

35
ProtectedPage.java
  • Here's how the servlet works:
  • Initialization: read in a password file of valid
    user names and passwords.
  • Check for the HTTP Authorization header.
  • Decode the Authorization header using Base64 to
    obtain the user name and password.
  • Check the user name and password against the
    valid names list.
  • If valid, show the protected page.
  • Else, issue another authentication challenge.
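An added example, not the ProtectedPage.java from the slides, that implements the steps above with java.util.Base64 in place of sun.misc.BASE64Decoder, splits the decoded string at the first colon only, and compares the password without short-circuiting on the first mismatched byte. It assumes the javax.servlet API, Java 8 or later, and a passwords.properties file in the working directory with user=password lines as on the slides; the file location and the realm name are assumptions made for this example:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Properties;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Protects a page with HTTP Basic authentication, checking credentials
 * against a Properties file of user=password lines. The file stores clear
 * text exactly as the slides show; a real deployment would store salted
 * hashes and hash the submitted password before comparing. Basic auth is
 * only as safe as the transport, so serve this over HTTPS only.
 */
public class BasicAuthServlet extends HttpServlet {

    private static final String REALM = "privileged-few";
    private final Properties passwords = new Properties();

    @Override
    public void init() throws ServletException {
        // File path is an assumption; read it from an init-param in practice.
        try (InputStream in = new FileInputStream("passwords.properties")) {
            passwords.load(in);
        } catch (IOException e) {
            throw new ServletException("cannot load password file", e);
        }
    }

    /**
     * Parses "Basic <base64>" into {user, password}. Returns null for a
     * missing, non-Basic, undecodable or colon-less header. Splits at the
     * FIRST colon only: user names may not contain ':' but passwords may.
     */
    static String[] parseBasic(String authHeader) {
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(authHeader.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            return null;
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    /** MessageDigest.isEqual compares every byte rather than stopping at the first difference. */
    static boolean passwordMatches(Properties table, String user, String password) {
        String expected = table.getProperty(user);
        if (expected == null) {
            return false; // unknown user: getProperty() returned null
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    /** 401 plus WWW-Authenticate makes the browser prompt (or re-prompt) for credentials. */
    private void challenge(HttpServletResponse res) throws IOException {
        res.setHeader("WWW-Authenticate", "Basic realm=\"" + REALM + "\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String[] creds = parseBasic(req.getHeader("Authorization"));
        if (creds == null || !passwordMatches(passwords, creds[0], creds[1])) {
            challenge(res); // missing header or bad credentials: same response either way
            return;
        }
        res.setContentType("text/html; charset=UTF-8");
        res.getWriter().println("<html><body><h1>Protected page</h1>You are logged in.</body></html>");
    }
}
```

With the slides' password file, the header Authorization: Basic bWFydHk6bWFydHlwdw== (marty:martypw) is accepted; any other value, or no header at all, gets the 401 challenge again, so an attacker learns nothing from the response about whether the user name exists.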

36
Form Authentication System
  • Basic authentication sends the password in a
    reversible encoding on every request, so it is
    only as safe as the transport (HTTPS).
  • A form-based login gives the application its own
    login page and session handling, but a form posted
    over plain HTTP exposes the password just as
    Basic does; it also needs HTTPS.
  • Use an HTML form.
  • Example: FormAuthenticate
  • A request to a protected servlet attempts to
    access protected data.
  • The user is redirected to a login form web page.
  • The example accepts any user name/password
    combination (a real system checks them).
  • Once authenticated, the user is redirected to the
    originally requested page.
  • A session object stores the desired destination
    during the login diversion.
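An added example (not the FormAuthenticate code from the slides) of the form-based flow above, with two checks the slide leaves out: the remembered destination is validated before it is used in a redirect, so the login page cannot be turned into an open redirect, and the session is replaced after a successful login so that a session ID planted by an attacker before login (session fixation) is not the one that becomes authenticated. It assumes the javax.servlet API; the /login path, the parameter names user and password, and the in-memory user table are constructed for this example:

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Login form servlet; protected servlets call requireLogin() first. */
public class FormLoginServlet extends HttpServlet {

    static final String DEST_ATTR = "loginDestination";
    static final String USER_ATTR = "authenticatedUser";
    static final String LOGIN_PATH = "/login";

    // Constructed user table for the example; real deployments store salted hashes.
    private static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("marty", "martypw"); }

    /** Accepts only path-only destinations on this site: no scheme, no host, no protocol-relative "//" or "/\". */
    static boolean isSafeDestination(String dest) {
        if (dest == null || !dest.startsWith("/") || dest.startsWith("//") || dest.startsWith("/\\")) {
            return false;
        }
        try {
            URI u = new URI(dest);
            return u.getScheme() == null && u.getAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    static boolean credentialsValid(String user, String password) {
        String expected = user == null ? null : USERS.get(user);
        return expected != null && password != null
            && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns true if the caller is logged in; otherwise remembers the destination and diverts to the form. */
    static boolean requireLogin(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(true);
        if (session.getAttribute(USER_ATTR) != null) {
            return true;
        }
        String dest = req.getRequestURI();
        if (req.getQueryString() != null) {
            dest += "?" + req.getQueryString();
        }
        session.setAttribute(DEST_ATTR, dest); // kept server-side, never in a URL parameter
        res.sendRedirect(req.getContextPath() + LOGIN_PATH);
        return false;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws IOException {
        res.setContentType("text/html; charset=UTF-8");
        res.getWriter().println("<form method=\"post\">User: <input name=\"user\"> "
            + "Password: <input type=\"password\" name=\"password\"> <input type=\"submit\"></form>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws IOException {
        if (!credentialsValid(req.getParameter("user"), req.getParameter("password"))) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Bad user name or password");
            return;
        }
        HttpSession old = req.getSession(false);
        String dest = old == null ? null : (String) old.getAttribute(DEST_ATTR);
        if (old != null) {
            old.invalidate(); // discard any session ID that existed before login
        }
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(USER_ATTR, req.getParameter("user"));
        // Fall back to the site root unless the remembered destination is a local path.
        res.sendRedirect(isSafeDestination(dest) ? dest : req.getContextPath() + "/");
    }
}
```

A protected servlet starts its doGet() with `if (!FormLoginServlet.requireLogin(req, res)) return;` and continues only for logged-in users. The destination validation matters even though requireLogin() stores a server-side value: once a variant takes the destination from a parameter (a common later change), isSafeDestination() is what stops /login?dest=//evil.example from bouncing a freshly authenticated user off the site.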

37
Summary
  • Lots of hidden HTTP data, including headers and
    cookies, is sent from the browser to the server,
    all of it under the client's control.
  • HTTP header data can also be sent from the server
    to the browser, e.g. error codes, redirection
    codes, etc.