5.1 Identify the interface and methods for each of the following:
Retrieve a session object across multiple requests to the same or different servlets within the same WebApp
Store objects into a session object
Retrieve objects from a session object
Respond to the event when a particular object is added to a session
Respond to the event when a session is created and destroyed
Expunge a session object
5.2 Given a scenario, state whether a session object will be invalidated.
5.3 Given that URL rewriting must be used for session management, identify the design requirements on session-related HTML pages.
Slide 2
THE FOLLOWING SUN CERTIFIED WEB COMPONENT DEVELOPER FOR J2EE PLATFORM EXAM OBJECTIVES COVERED IN THIS CHAPTER:
5.1 Identify the interface and methods for each of the following:
• Retrieve a session object across multiple requests to the same or different servlets within the same WebApp
• Store objects into a session object
• Retrieve objects from a session object
• Respond to the event when a particular object is added to a session
• Respond to the event when a session is created and destroyed
• Expunge a session object
5.2 Given a scenario, state whether a session object will be invalidated.
5.3 Given that URL rewriting must be used for session management, identify the design requirements on session-related HTML pages.
Slide 4
• When a client accesses a web application, it often supplies information that the application will use later in the conversation. If this information could not be retained, the application would need to ask for it again, which is both time-consuming and inefficient.
• A servlet's session object is used to resolve this issue. Sessions provide various ways to monitor and maintain client data. In this chapter, we will address how to:
• Track a client's session
• Change a session's data
• Respond to the creation or destruction of a session object and its attributes
• Invalidate a session
Slide 5
Tracking Sessions
• When a client interacts with a server application, that client is likely to make multiple requests to achieve a particular goal. Because the HTTP protocol is stateless, it closes its connection after each request.
• Client data stored within a request is therefore available for only a short period of time.
• For a client object with a longer lifespan, a session is used. A session object is usually created when a client makes its first request to an application.
• It is unique to a client and can exist longer than a single request, or even longer than the life of a client.
• It is an object used to track client-specific data for the duration of the conversation or for a specified period of time.
Slide 6
• What distinguishes one session from another is its unique ID. In fact, the container uses this ID to map an incoming request to the correct session object, which in turn is associated with a particular client.
• The actual client information can be transferred by using one of three session processes:
1. Using hidden form fields
2. Rewriting the URL
3. Using cookies
Slide 7
Using Hidden Form Fields
• Transferring information between an HTML form and a servlet can be done in several ways.
• The most basic procedure is to transfer information back and forth as data values. A form can contain fields with client-cached values that are passed along with each request.
• Because this information does not need to be visible to the client, it is marked by using a field type of hidden.
Slide 8
Imagine the following web application scenario:
1. A login screen is displayed.
2. The user enters their login name and password.
3. The servlet verifies the information and returns a web page for the client to utilize the company's services.
4. The new page stores the client's login name from the previous servlet.
This information is not visible to the client, but is needed for checkout purposes. By using hidden HTML values, you can store client data between servlets to use at a later date. The following HTML code produces the login screen used for this scenario:
Slide 9
• After the user enters their login name and password, they trigger the request by clicking the submit button. The servlet then verifies the information and constructs a response containing the client's information.
• The following code shows this process. (Pay particularly close attention to the bold text. It highlights how hidden values are transferred.)
Slide 12
• Tracking each hidden value in each servlet can become tedious. Unfortunately, as the session persists and the amount of information grows, passing hidden data back and forth becomes taxing.
• The session can persist only through dynamically generated pages. If there is a need to display static, e-mailed, or bookmarked documents, the session will be lost.
• Hidden value transfers are the least secure method of maintaining information between pages. Because HTTP transfers all data as clear text, it can be intercepted, extracted, and manipulated. If someone were watching the transmission between client and server, they could easily read information such as the login ID and password.
Slide 13
Rewriting the URL
• Anonymous session tracking can also be done by using a technique called URL rewriting.
• This approach to session tracking is used when clients do not accept cookies. URL rewriting is a methodology that associates a session ID with all URL addresses used throughout the session.
• Using the ID, a developer can map client-related data to the session object for that client.
• The ID is stored temporarily, until the session has ended. After the session has ended, the ID and its related data are discarded.
Slide 14
• Keep in mind that it is important for the session ID to have a standard name that all containers can recognize.
• The specification defines that name as jsessionid. A standardized name enables the container to associate requests with their session objects stored on the server.
• There are two methodologies used to rewrite a URL:
> One approach is to manually adjust the URL to include the session ID.
> The second approach is to use the provided API methods to encode the URL.
Slide 15
Manual URL Rewriting
• Manually rewriting a URL can be done by physically adding the ID to the constructed URL. How the ID is stored in and accessed from within the URL can vary.
Slide 16
In this section, we will show you how to rewrite the URL by adding a session ID to the URL path. But first, let's talk about how the ID is generated.
The goal is to derive a value that is unique to one client and not shared with any other. The Remote Method Invocation (RMI) API provides several classes that help produce such a value.
The common procedure is to create a method that does the following:

    import java.net.URLEncoder;
    import java.nio.charset.StandardCharsets;
    import java.rmi.server.UID;

    public static String generateSessionID() {
        // UID yields an identifier that is unique for this host and JVM run.
        // Note that it is unique, not random: its parts are derived from time
        // and a counter, so it is not an unguessable secret.
        String uid = new UID().toString();
        // Percent-encode characters (such as ':' and '-') that are not safe
        // to embed in a URL path segment.
        return URLEncoder.encode(uid, StandardCharsets.UTF_8);
    }
Slide 17
Now you're ready to learn how to "rewrite" the URL to contain the session ID. We'll begin by revisiting the URL structure:
Request URL = contextPath + servletPath + pathInfo + queryString
Given a request URL of /games/Chess, you can break the pieces into their defined categories:
Context path: /games
Servlet path: /Chess
Path info: null
Query string: null
If you had a session ID with the value 567, that ID could be incorporated into the URL by adding it to the path info section, as follows:
/games/Chess/567
Literally, this can be done by concatenating the session ID to the ACTION value's URL. For example:
out.println("<FORM ACTION='/games/Bingo/" + sessionID + "/' Method='POST'>");
out.println("<INPUT TYPE='submit' VALUE='Bingo'>");
When the button is pressed, the current URL is switched to /games/Bingo/567. This new servlet page receives the session ID within the URL, which enables the developer to extract any data stored by previously accessed servlets. To access the session ID, use the HttpServletRequest method getPathInfo(). This method returns the extra path information between the servlet path and the query string.
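The manual procedure above (generate an ID, place it in the ACTION path, read it back with getPathInfo()) carried through in one servlet, as an added example that is not code from the slides or from any book listing. It assumes the javax.servlet 3.x API and a servlet mapping such as /games/Bingo/*; the class name ManualRewriteServlet and the in-memory STORE map (standing in for the utility class the slides mention) are hypothetical. The ID comes from SecureRandom rather than java.rmi.server.UID, because a UID is built from a per-VM value, a counter and a timestamp and is therefore guessable, whereas a session identifier has to be unpredictable. Bear in mind that an ID carried in the URL also ends up in browser history, proxy logs and Referer headers, which is the main reason the container-managed encoding described later is preferable.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the slides): carries a hand-generated session ID in
 * the path-info part of the URL, as in /games/Bingo/<id>/, and reads it back
 * with getPathInfo(). Class name, mapping and STORE are hypothetical.
 */
public class ManualRewriteServlet extends HttpServlet {

    // In-memory stand-in for the "utility class" that maps IDs to client data.
    private static final Map<String, String> STORE = new ConcurrentHashMap<>();
    private static final SecureRandom RANDOM = new SecureRandom();

    /** 128 random bits, URL-safe Base64 without padding: safe inside a path segment. */
    public static String generateSessionID() {
        byte[] bytes = new byte[16];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Extracts the ID from path info such as "/567" or "/567/"; null if absent. */
    static String idFromPathInfo(String pathInfo) {
        if (pathInfo == null) {
            return null;                       // no extra path: getPathInfo() returned null
        }
        for (String part : pathInfo.split("/")) {
            if (!part.isEmpty()) {
                return part;                   // first non-empty segment is the ID
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String id = idFromPathInfo(req.getPathInfo());
        if (id == null || !STORE.containsKey(id)) {
            // Unknown or missing ID: mint a fresh one instead of adopting a
            // client-supplied value that the server never issued.
            id = generateSessionID();
            STORE.put(id, "started");
        }
        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        // The ID travels in the ACTION path, exactly as in the slides' example.
        out.println("<FORM ACTION='" + req.getContextPath() + req.getServletPath()
                + "/" + id + "/' METHOD='POST'>");
        out.println("<INPUT TYPE='submit' VALUE='Bingo'>");
        out.println("</FORM>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String id = idFromPathInfo(req.getPathInfo());
        String data = (id == null) ? null : STORE.get(id);
        res.setContentType("text/plain");
        if (data == null) {
            // The ID is not one we issued (or it was discarded): do not trust it.
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "no such session");
            return;
        }
        res.getWriter().println("session state=" + data);
    }
}
```

The lookup in doPost is the important step: an ID is only meaningful if the server can find it in its own store, so an unknown value is rejected rather than silently accepted as a new session.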
You would expect to have a utility class for writing data and its associated session ID to a location. The class should also provide functionality to retrieve the client data based on a unique session ID.
Using Methods to Encode the URL
• Instead of manually generating a session ID and physically adding it to the URL, the API provides methods that manage the task for the developer.
• The HttpServletResponse class offers the following two methods:
• public String encodeURL(java.lang.String url)
• public String encodeRedirectURL(java.lang.String url)
The encodeURL(…) method rewrites the specified URL to include a session ID if needed. If one is not needed, the method returns the original URL.
An unchanged URL can result from a server that does not support URL rewriting or from a server that has the feature turned off. The semantics of how the URL is encoded are server-specific.
• The second method is similar to the first in that it, too, encodes the passed-in URL by adding the session ID. It differs, however, in when it is used.
• At times there is a need for a servlet to temporarily redirect a response to a different location.
• This is done by using the HttpServletResponse method sendRedirect(String url). Before calling this method, the URL should be encoded by using the method specifically designed to handle URL encoding for a redirected response: encodeRedirectURL(String url).
• The reason for using a different method is that a redirect URL is different from a normal URL. For a redirect URL, all non-ASCII values must be converted to their hexadecimal values; this includes ampersands and equal signs.
The following is an example of a rewritten URL:
http://localhost:8080/servlet/CheckOutServlet;jsessionid=4347
To encode links in your URL, you must make slight modifications to the HTML code. Here is an example of how to rewrite the URL to include an encoded URL in a form:
String urlSession = res.encodeURL("/servlet/CheckOutServlet");
out.println("<FORM ACTION='" + urlSession + "' Method='POST'>");
out.println("<INPUT TYPE='submit' VALUE='Exit'>");
out.println("</FORM></BODY></HTML>");
If your intent is to encode a URL for a link, you simply include an encoded String instead of the standard URL:
out.println("Click " + "<A HREF='" + res.encodeURL("/servlet/CheckOutServlet") + "'>here</A>");
• In order for the container to encode the URL with a session ID, three conditions usually exist:
• The browser supports URL encoding.
• The browser does not support cookies.
• The session tracking feature is turned on.
• When using the encodeURL(…) method, the session ID is stored as a path parameter. As such, you must call req.getPathInfo() to retrieve the ID value.
You can also access the ID by calling req.getSession() to acquire a handle to the actual session object (assuming one exists). Using the session instance, the ID value can then be accessed by calling session.getId().
• The servlet can also use the following HttpServletRequest methods to learn more about the methodology used to deliver the ID, as well as its validity:
• public boolean isRequestedSessionIdFromCookie()
• public boolean isRequestedSessionIdFromURL()
• public boolean isRequestedSessionIdValid()
• These methods validate the session object and its place of origin. If the session is not valid, the servlet can redirect the user to a new screen to log in again. If the session ID was obtained from the URL, the servlet might opt to perform a different task than if it was obtained from a cookie.
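The encodeURL()/encodeRedirectURL() pair and the three origin-and-validity checks above, put to use in one servlet as an added example (not code from the slides): the container decides whether to append ;jsessionid, the redirect target goes through encodeRedirectURL(), an ID the container no longer recognises sends the client back to the login page, and a URL-carried ID is not allowed to continue as an already logged-in session. It assumes the javax.servlet 3.x API; the class CheckOutServlet, the paths /login, /servlet/Overview and /servlet/ThankYou, and the "user" and "idFromCookie" attribute names are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: container-managed URL rewriting plus checks on where the
 * requested session ID came from. Class name and paths are hypothetical.
 */
public class CheckOutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String ctx = req.getContextPath();

        // The client presented an ID the container does not recognise
        // (expired, invalidated or never issued): send it back to log in.
        if (req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid()) {
            res.sendRedirect(res.encodeRedirectURL(ctx + "/login"));
            return;
        }

        HttpSession session = req.getSession();

        // An ID carried in the URL is visible in history, logs and Referer
        // headers. Policy here: such a session may not continue as a logged-in
        // user; drop it and require a fresh login.
        if (req.isRequestedSessionIdFromURL() && session.getAttribute("user") != null) {
            session.invalidate();
            res.sendRedirect(res.encodeRedirectURL(ctx + "/login"));
            return;
        }
        // Record the origin so other servlets can apply their own policy.
        session.setAttribute("idFromCookie", Boolean.valueOf(req.isRequestedSessionIdFromCookie()));

        // encodeURL() appends ;jsessionid=... only when the container has decided
        // URL rewriting is needed; otherwise the URL comes back unchanged.
        String formUrl = res.encodeURL(ctx + "/servlet/CheckOutServlet");
        String linkUrl = res.encodeURL(ctx + "/servlet/Overview");

        res.setContentType("text/html");
        PrintWriter out = res.getWriter();
        out.println("<HTML><BODY>");
        out.println("<FORM ACTION='" + formUrl + "' METHOD='POST'>");
        out.println("<INPUT TYPE='submit' VALUE='Exit'>");
        out.println("</FORM>");
        out.println("Click <A HREF='" + linkUrl + "'>here</A> for the overview.");
        out.println("</BODY></HTML>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // A redirect target is encoded with encodeRedirectURL(), not encodeURL().
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/servlet/ThankYou"));
    }
}
```

The order of the checks matters: validity is tested before getSession() is called, because getSession() would otherwise quietly replace the stale ID with a new session and the servlet would never learn that the client had presented an invalid one.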
Using Cookies
• Another way to perform session tracking is through persistent cookies.
• Remember, a cookie is an object containing a small amount of information sent by a servlet to a web browser, then saved by the browser, and later sent back to the server.
• Because the cookie's value can uniquely identify a client and maintain client data, using cookies is an optimal way to track sessions.
• A cookie is created by using two parameters: a name and a value. The constructor is as follows:
• public Cookie(String name, String value)
• Unlike a hidden value, which must exist in all servlet pages, a cookie is added to the servlet's response object and is propagated to all servlets accessed during the session.
• The servlet specification mandates that the name of the value used to track the session in a cookie must be JSESSIONID.
• The ID name must be all uppercase when used within a cookie, but lowercase when used in URL rewriting.
• A cookie can be added to an HttpServletResponse object in the following way:
• Cookie cookie = new Cookie("JSESSIONID", "567");
• res.addCookie(cookie);
• If another servlet is interested in accessing this information, it can call the getCookies() method of the HttpServletRequest class:
• public Cookie[] getCookies()
• Using our example from the preceding "Rewriting the URL" section, you can create a cookie to add the session ID. Listing 6.4 demonstrates how to use cookies to rewrite the OverviewServlet.
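The cookie-based variant of session tracking (create the cookie, add it to the response, find it again with getCookies()) as an added example; it is not code from the slides and not Listing 6.4. It assumes the javax.servlet 3.x API. Because the JSESSIONID name is reserved for the cookie the container itself issues, the hand-rolled cookie here uses the hypothetical name APPSESSION; the class CookieTrackingServlet and the VISITS map are likewise hypothetical. The example also sets the HttpOnly and Secure attributes, which keep the cookie away from page scripts and off plaintext connections, and it never adopts a cookie value the server did not issue.

```java
import java.io.IOException;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the slides): hand-rolled session tracking with a
 * cookie. Cookie name, class name and VISITS store are hypothetical.
 */
public class CookieTrackingServlet extends HttpServlet {

    // Hypothetical name: JSESSIONID itself belongs to the container's own session cookie.
    static final String COOKIE_NAME = "APPSESSION";

    // Server-side data keyed by the cookie value (here: a visit counter).
    private static final Map<String, Integer> VISITS = new ConcurrentHashMap<>();

    /** Returns the value of the tracking cookie, or null if the client sent none. */
    static String findTrackingCookie(Cookie[] cookies) {
        if (cookies == null) {
            return null;                 // getCookies() returns null when no cookies were sent
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Builds the cookie with the attributes a session cookie should carry. */
    static Cookie newTrackingCookie(String id, boolean httpsOnly) {
        Cookie cookie = new Cookie(COOKIE_NAME, id);
        cookie.setHttpOnly(true);        // not readable from page scripts (Servlet 3.0+)
        cookie.setSecure(httpsOnly);     // sent only over TLS when true
        cookie.setPath("/");
        cookie.setMaxAge(-1);            // session cookie: discarded when the browser closes
        return cookie;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String id = findTrackingCookie(req.getCookies());
        if (id == null || !VISITS.containsKey(id)) {
            // Absent or unknown value: issue a fresh, random ID rather than
            // accepting whatever the client chose to send.
            id = UUID.randomUUID().toString();   // backed by SecureRandom
            VISITS.put(id, 0);
            res.addCookie(newTrackingCookie(id, req.isSecure()));
        }
        int count = VISITS.merge(id, 1, Integer::sum);
        res.setContentType("text/plain");
        res.getWriter().println("visits in this session: " + count);
    }
}
```

Unlike the URL-rewriting example, nothing about the session appears in any URL here; the only place the identifier lives on the client side is the cookie jar.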
Using the HttpSession Object
• The final and most convenient way to handle session data is to pass an HttpSession object, which implicitly contains the client's data, back and forth between all session-related servlets.
• Previously, we discussed ways to track the session object between client/server requests, where each example (cookie or URL rewriting) used a database for persistent storage of session data.
• In this section, the HttpSession object replaces the database for persistent storage and uses one of the methods previously discussed to propagate the session ID.
• Internally, the container determines the method used to transmit the session ID between the client and server (whether cookies or URL rewriting).
• To access a session object, use the HttpServletRequest method:
• public HttpSession getSession()
• The method returns the HttpSession object tied to the client requesting the current servlet. If the object does not exist, the getSession() method automatically creates a new HttpSession instance.
• The other method used to access a session object is as follows:
• public HttpSession getSession(boolean create)
• A true value creates a new session object if one does not already exist.
• A false value prevents a session object from being created if one does not exist.
• Data is stored in an HttpSession object as attributes:
• public void setAttribute(String name, Object value)
• The setAttribute(…) method binds a Java object to a specified key name. Another servlet can then use the HttpSession object and access its data by using the following method:
• public Object getAttribute(String name)
• The getAttribute(…) method uses the key name to find and return the associated object.
Remember, each application has one ServletContext, and each context has multiple sessions, one for each client that accesses the application.
• Removing an attribute is as easy as adding one. To unbind an attribute, call the method:
• public void removeAttribute(String name)
• After this method is invoked on an attribute, it is no longer accessible by any servlet within the application.
• To list all the attributes associated with the current session, call:
• public Enumeration getAttributeNames()
• The getAttributeNames() method returns an Enumeration object of all current attributes. If a session has no attributes, a null value is returned.
• Sometimes there is a need to respond to changes to a session's attributes. The servlet API provides several session listener classes designed specifically for this purpose, such as HttpSessionBindingListener.
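The HttpSession attribute API from the preceding slides (getSession() with and without the create flag, setAttribute, getAttribute, getAttributeNames, removeAttribute) exercised by a small shopping-cart servlet, as an added example that is not code from the slides. It assumes the javax.servlet 3.x API; the class CartServlet, the request parameters "op" and "item", and the "item:" attribute-name prefix are hypothetical. The read-only operations use getSession(false) so that a client with no session does not cause one to be created as a side effect.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the slides): a cart kept entirely in the HttpSession.
 * Class name, the "op"/"item" parameters and the "item:" prefix are hypothetical.
 * op=add&item=X adds one of X; op=list prints the cart; op=clear empties it.
 */
public class CartServlet extends HttpServlet {

    private static final String PREFIX = "item:";

    /** Current quantity of an item in the session, 0 if absent. */
    static int quantityOf(HttpSession session, String item) {
        Object v = session.getAttribute(PREFIX + item);
        return (v instanceof Integer) ? (Integer) v : 0;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String op = req.getParameter("op");
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();

        if ("add".equals(op)) {
            String item = req.getParameter("item");
            if (item == null || item.isEmpty()) {
                res.sendError(HttpServletResponse.SC_BAD_REQUEST, "item required");
                return;
            }
            // getSession() creates the session on the client's first add.
            HttpSession session = req.getSession();
            session.setAttribute(PREFIX + item, Integer.valueOf(quantityOf(session, item) + 1));
            out.println("added " + item);
            return;
        }

        // Read-only and destructive operations must not create an empty
        // session for a client that has none (each one costs server memory).
        HttpSession session = req.getSession(false);
        if (session == null) {
            out.println("no session yet");
            return;
        }

        if ("clear".equals(op)) {
            // Copy the names first: removing while iterating the live
            // Enumeration is not safe.
            for (String name : Collections.list(session.getAttributeNames())) {
                if (name.startsWith(PREFIX)) {
                    session.removeAttribute(name);   // valueUnbound() fires for listener values
                }
            }
            out.println("cart emptied");
            return;
        }

        // Default: list the cart contents.
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            if (name.startsWith(PREFIX)) {
                out.println(name.substring(PREFIX.length()) + " x " + session.getAttribute(name));
            }
        }
    }
}
```

Keeping only small, serialisable values such as Integer in the session also matters when the container persists or replicates sessions across a cluster; large or non-serialisable objects belong in a database keyed by the session, not in the session itself.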
HttpSessionBindingListener
• By implementing the HttpSessionBindingListener interface, your application can be notified when an object is bound to or unbound from a session object.
• The interface has two primary methods that must be defined:
• valueBound(HttpSessionBindingEvent event)
• valueUnbound(HttpSessionBindingEvent event)
• The valueBound(…) method is called before the object is made available through the getAttribute(…) method.
• In contrast, the valueUnbound(…) method is called after the object is no longer available via the getAttribute(…) method of the HttpSession interface.
• The listener is passed an HttpSessionBindingEvent, which contains the session object, the name, and the value of the object either bound or unbound to the session.
• To register session listeners with the container, you must include the listener tag in the web.xml document.
• For example:
<listener>
<listener-class>ConnectionPoolHandler</listener-class>
</listener>
• The container determines the type of listener defined and then establishes an abstract link between the session and the listener.
• When changes occur to the session, the appropriate listener is notified.
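Both listener styles from the preceding slides in one added example (not code from the slides): a session-scoped resource that implements HttpSessionBindingListener so it can release what it holds when it is unbound, and an HttpSessionListener that observes session creation and destruction. It assumes the javax.servlet 3.x API. The name ConnectionPoolHandler follows the slides' web.xml snippet; its Connection is assumed to come from a pool elsewhere, and SessionAuditListener is a hypothetical class. Note that an HttpSessionBindingListener is invoked on the bound object itself and needs no web.xml entry, whereas the <listener> element registers container-wide listeners such as an HttpSessionListener.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.logging.Logger;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Added example: a session-scoped resource that hears when it is bound to or
 * unbound from a session. The Connection is assumed to come from a pool.
 * Typical use from a servlet (valueBound fires inside setAttribute):
 *   session.setAttribute("db", new ConnectionPoolHandler(pool.getConnection()));
 */
public class ConnectionPoolHandler implements HttpSessionBindingListener {
    private static final Logger LOG = Logger.getLogger(ConnectionPoolHandler.class.getName());
    private final Connection connection;

    public ConnectionPoolHandler(Connection connection) {
        this.connection = connection;
    }

    @Override
    public void valueBound(HttpSessionBindingEvent event) {
        // Runs before the object is visible via getAttribute(event.getName()).
        // Session IDs are secrets: log the attribute name, never the ID.
        LOG.info("connection handler bound under '" + event.getName() + "'");
    }

    @Override
    public void valueUnbound(HttpSessionBindingEvent event) {
        // Runs after removeAttribute(), after a setAttribute() that replaces this
        // value, and when the session is invalidated or times out, so the
        // connection is released on every path rather than leaking.
        try {
            if (connection != null && !connection.isClosed()) {
                connection.close();
            }
        } catch (SQLException e) {
            LOG.warning("could not release connection: " + e.getMessage());
        }
    }
}

/**
 * Whole-session events need a listener registered in web.xml:
 *   <listener><listener-class>SessionAuditListener</listener-class></listener>
 * Hypothetical class; sessionCreated caps the idle limit of every new session.
 */
class SessionAuditListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionAuditListener.class.getName());
    private static final int MAX_IDLE_SECONDS = 15 * 60;   // seconds, unlike web.xml's minutes

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        se.getSession().setMaxInactiveInterval(MAX_IDLE_SECONDS);
        LOG.info("session created");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        // Called on invalidate() and on timeout; attributes are still readable here.
        LOG.info("session destroyed (idle limit was "
                + se.getSession().getMaxInactiveInterval() + "s)");
    }
}
```

Releasing the connection in valueUnbound() rather than in a logout servlet is what makes the cleanup reliable: a user who simply closes the browser never reaches the logout code, but the container still unbinds the attribute when the session expires.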
Invalidating Sessions
• A session can be invalidated in multiple ways. It can expire automatically after a specified or default period of inactivity, or a servlet can explicitly invalidate a session through method calls.
• Before learning about these options, it is important to understand the effects on the application and client when a session is nullified.
• Basically, all the attribute data is lost.
• If you want to retain session information after it is invalidated, it should be stored in an external resource such as a database or a long-term cookie.
The session-timeout tag defines the number of inactive minutes a session will exist before the server terminates the object.
The following is sample code for the web.xml file used to change the default termination period:
<web-app>
<session-config>
<session-timeout>15</session-timeout>
</session-config>
</web-app>
The servlet specification requires that the timeout value be specified in whole numbers. Some servers allow the use of negative values to indicate that sessions should not be terminated.
• A second approach to modifying the life of a session is to have individual servlets define the inactive time period before a session is destroyed.
• The HttpSession interface provides the following methods:
> public void setMaxInactiveInterval(int secs)
> public int getMaxInactiveInterval()
• These methods allow fine-grained control. Instead of applying a time period to the entire application, you can set the time for specific servlets.
• The benefit of this approach is that you can customize the timeout period per user or after certain activities have taken place, such as a lengthy database lookup.
Notice that the time is measured in seconds rather than minutes.
• The getMaxInactiveInterval() method returns the value set. If the set method is not used and the time is set by using the session-timeout tag, the getMaxInactiveInterval() method returns the timeout value defined within the web.xml file.
The third approach is abrupt. The HttpSession interface provides the following method:
• public void invalidate() throws IllegalStateException
• After a handle to the session is obtained, the invalidate() method can be called to close the session and unbind all associated objects.
• If the session is already invalidated, an IllegalStateException is thrown.
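The second and third approaches above (a per-session idle limit and explicit invalidation) combined in a logout servlet, as an added example that is not code from the slides. It assumes the javax.servlet 3.x API; the class LogoutServlet, the /login path and the loggedOut query parameter are hypothetical. tightenTimeout() shows the per-user adjustment the slides describe, in seconds; endSession() handles the IllegalStateException that invalidate() throws on a session that has already expired, which is a normal event at logout, not an error.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example: per-session timeout control and explicit invalidation.
 * Class name, the "/login" path and the query parameter are hypothetical.
 */
public class LogoutServlet extends HttpServlet {

    /** Idle limit applied after a sensitive step such as a payment (seconds, not minutes). */
    static final int SENSITIVE_IDLE_SECONDS = 5 * 60;

    /**
     * Shortens this session's idle limit unless it is already tighter.
     * Typical call site is the servlet that completed the sensitive step:
     *   LogoutServlet.tightenTimeout(req.getSession());
     */
    static void tightenTimeout(HttpSession session) {
        int current = session.getMaxInactiveInterval();
        // current <= 0 means "never expires" on servers that allow it; always tighten that.
        if (current <= 0 || current > SENSITIVE_IDLE_SECONDS) {
            session.setMaxInactiveInterval(SENSITIVE_IDLE_SECONDS);
        }
    }

    /**
     * Ends the session. Returns true if it was live and is now invalid, false if
     * there was no session or it had already expired (invalidate() then throws
     * IllegalStateException, which is not worth surfacing to the user).
     */
    static boolean endSession(HttpSession session) {
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();   // unbinds every attribute; valueUnbound() fires for listener values
            return true;
        } catch (IllegalStateException alreadyInvalid) {
            return false;
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        // getSession(false): a logout must never create a session as a side effect.
        boolean ended = endSession(req.getSession(false));

        // Ask the browser to drop the container's cookie as well, so a stale
        // ID is not presented on the next request.
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        res.addCookie(expired);

        res.setHeader("Cache-Control", "no-store");
        // After invalidate() there is no session, so encodeRedirectURL() leaves the URL unchanged.
        res.sendRedirect(res.encodeRedirectURL(req.getContextPath() + "/login?loggedOut=" + ended));
    }
}
```

Logout is handled with POST rather than GET so that a link or image on a third-party page cannot end a user's session merely by being loaded.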
Now that we've covered how to end a session, it is important for you to understand the best practices associated with a session's timeout period.
1. Which of the following best describes an example of URL rewriting?
A. out.println("<INPUT TYPE=hidden NAME='name' VALUE=BillyBob>");
B. out.println("<FORM ACTION='/servlet/TestServlet/BillyBob' METHOD=POST>");
C. HttpSession session = req.getSession();
D. session.addAttribute("name", "BillyBob");
E. None of the above
• 1. B. URL rewriting consists of adding data to the URL. The receiving servlet can then extract the additional information to utilize the data.
2. Which interface provides the method getSession()?
A. ServletRequest
B. ServletResponse
C. HttpServletResponse
D. HttpServletRequest
• 2. D. A session is reliant on HTTP transactions. Because the application's communication with the client is through the HttpServletRequest interface, and the session is not transmitted back to the client, the session object is obtained via the HttpServletRequest interface.
3. Which of the following methods is used to store objects into a session object?
A. setData(String name, Object obj)
B. setDataAttribute(String name, Object obj)
C. setAttribute(String name, String obj)
D. setAttribute(String name, Object obj)
• 3. D. The setAttribute(String name, Object obj) method binds an object with a related key name to the session object. The other methods are all illegal.
4. Which of the following methods is used to expunge a session object?
A. end()
B. destroy()
C. invalidate()
D. kill()
• 4. C. The invalidate() method terminates the associated session and then unbinds any objects bound to it.
5. Which of the following is not a valid methodology for session management?
A. Cookies
B. HttpSession objects
C. Hidden values
D. ServletContext object
• 5. D. The ServletContext is associated with the web application, not with the individual client session. Consequently, data stored in the context is not unique to a client.
6. The session-timeout tag defines the number of inactive _________ a session will exist before being terminated.
A. Milliseconds
B. Seconds
C. Minutes
D. Hours
• 6. C. The session-timeout tag defines the minimum number of minutes of inactivity that can pass before the server terminates a session.
7. Which of the following statements is invalid?
A. The session timeout value determines how long a session lasts.
B. A session is associated with a client.
C. The setMaxInactiveInterval(…) method is used by the servlet via the HttpSession object.
D. If a session timeout is not set, the server will terminate sessions by using a default time value.
• 7. A. A session timeout value gives the amount of time the session will stay alive during an inactive period only, not its entire life.
8. What is the recommended timeout period that a shopping cart application should have?
A. Short
B. Medium
C. Long
D. Irrelevant
• 8. C. Because a client usually collects multiple items in a cart, a short-lived inactive period could cause problems and irritation to the user.
• This could result in a loss of business because the user might not want to return or might forget what they already selected.
9. Which of the following best describes what is returned when the getMaxInactiveInterval() method is called?
A. The default inactive timeout period, in minutes, for a session to exist before termination.
B. The number of seconds an inactive session can exist when using the setMaxInactiveInterval(int sec) method.
C. The default inactive timeout period, in seconds, for a session to exist before termination.
D. It depends on how the server or application handles the session timeout period.
• 9. D. Depending on how the session timeout period is set, the getMaxInactiveInterval() method returns the number of seconds that the inactive session will exist before termination.
10. Which of the following is not a valid way to change the inactive period of a session before the server terminates the session?
A. <session-timeout>60</session-timeout>
B. setMaxInactiveInterval(500)
C. <session-config>30</session-config>
D. Do nothing
• 10. C. The session-config tag requires the session-timeout tag to define the number of minutes a session can be inactive. As for doing nothing, the server usually has a default inactive period defined automatically.
11. Which of the following methods is used to retrieve a bound session object?
A. getBoundObject(String name)
B. getData(String name)
C. getSessionObject(String name)
D. getAttribute(String name)
• 11. D. The getAttribute(String name) method returns the object bound to the session under the associated name.
12. Which of the following is an example of URL rewriting by using the encodeURL(String url) method? (Choose all that apply.)
A. http://localhost:8080/servlet/play;jsessionid=567
B. http://localhost:8080/servlet/play
C. http://localhost:8080/servlet/play?jsessionid=567
D. None of the above
• 12. A, B. The encodeURL(String url) method encodes the specified URL by including the session ID in it. If encoding is not needed, the method returns the URL unchanged.
13. Which of the following methods is called when an object is removed from a session object?
A. valueUnbound(HttpSessionEvent e)
B. valueUnBound(HttpBindingSessionEvent e)
C. valueUnbound(HttpSessionBindingEvent e)
D. valueUnBound(HttpSession e)
• 13. C. The valueUnbound method (lowercase b) is called when an object is unbound from the session object. An HttpSessionBindingEvent containing the session object is passed to the method, and the name and value of the removed object can be obtained from this event object.
14. Which of the following statements is true?
A. The valueBound(…) method is called before the object is made available through the getAttribute() method.
B. The valueBound(…) method is called after the object is made available through the getAttribute() method.
C. The valueBound(…) method is called at different times depending on the server's preference.
D. None of the above
• 14. A. The servlet specification mandates that the valueBound(…) method be called before the object is made available through the getAttribute() method.
15. Which of the following listeners is called when a session is destroyed?
A. HttpSessionBindingListener
B. HttpSessionListener
C. HttpSessionChangedListener
D. SessionListener
• 15. B. The HttpSessionListener is called when a session is created and destroyed.