Notes on Servlets

What is a Servlet? - public void init(ServerConfig sc) throws

A Java program that extends the functionality of a web server,
generating dynamic content, and interacting with web clients
(browsers) using the request-response paradigm support provided by
the web container (standalone or embedded into a web server) in
which the servlet resides.
In Model-View-Controller (MVC) pattern servlets fit as Controller
– process HTTP request and manage application’s workflow.
In n-tier architecture, servlets sit in web tier. It receives HTTP
requests (who made, user-entered data, headers), extract info from it,
generates dynamic content and providing business logic and
delegating it through EJB, database, another servlet or JSP and sends
back formed HTTP response (text[html/plane], binary[image],
headers, cookies etc).
Need of Servlets
- No CGI (traditional way of adding functionality to a web server)
limitations like high overhead and extensive server resource
requirement
- Solution to ISAPI/NSAPI which were fast but if buggy then can
crash web server as well. CORBA based WAI was a solution but
these all are server specific
- Servlets are powerful, reliable, efficient (thread [and not a separate
process as in CGI] in same JVM, serves multiple requests, single
class image in memory), extensible (jsp), platform and server
independent, secure (java features), auto-reloading, support by 3rd
parties, and improves scalability, and reusability (component based).
Servlet API
Packages:
javax.servlet
javax.servlet.http
Interface:
javax.servlet.Servlet
Classes:
Either implement the interface or extend following classes
implementing Servlet interface
javax.servlet.GenericServlet: Protocol-independent derivations
javax.servlet.HttpServlet: Extends GenericServlet class to provide
support for HTTP protocol
javax.servlet.HttpSession: Maintains session-wide state information
HttpServletRequest, HttpServletResponse: Extensions of
ServletRequest & ServletResponse. Objects created by the container
to be used in service() method.
Exceptions:
javax.servlet.ServletException: General
javax.servlet.UnavailableException
Servlet Life Cycle
Stage 1: Initialization
- When servlet is loaded into server memory either at server
startup (pre-loading) or when they are accessed
(dynamically) - Configurable
- LoadInstantiateInitialize
ServletException
- ServerConfig is optional
- Called once for set-up operations like opening database
connections, creating session objects, naming services, etc.
Stage 2: Service
- Called after initialization for every HTTP request
- Extracts information from HTTP request, performs
required tasks, collate needed info and finally post response
- Dispatches to public void
doGet/Post/Put/Delete(HttpServletRequest req,
HttpServletResponse res)
- doGet and doPost can be chained
- GenericServlet is an abstract class because service() is
abstract there and is implemented in HttpServlet class
Stage3: Destruction
- Invoked when container determines that servlet should be
removed from service (e.g. when server is being shutdown
or more memory is required)
- public void destroy()
- Called once to release any previously allocated resources
To get information about servlet like author, company, address , use
getServletInfo()  normally called by other servlets
ServletContext
- Permits multiple servlets within a web application to have
access to shared information and resources.
- One instance per Web application per JVM
- With this object, a servlet can log events, set and get
attributes, and obtain URLs
- To get ServletContext, use
ServletContext getServletContext()
- To get Context-wide attribute, use
getServletContext().getAttribute(String)
- To get servlet context path, use
HttpServletRequest.getContextPath()
- To log, use SC.log(String) method
- Unlike System.out. log is buffered, fast, predictable and
retrievable using built-in functions
- To retrieve initialization parameters specified in
deployment descriptor using <context-param> tags, use
public String getInitParameter(String name)
//These are not user-entered parameters
public Enumeration getInitParameterNames()
HTTPServletRequest Methods
http://[host]:[port]/[request_path]?[query_string]
request_path =
Context: /context (root) of web app
Sevlet Name: /component alias
Path Information: rest of it
query_string= set of parameters and values entered by user
public String getParameter(String name)
//different from getInitParameter()
public Enumeration getParameterNames()
public String[] getParameterValues(String name)
public int getContentLength() // 76, -1 if unknown

Prepared by: Syed Feroz Zainvi

 Notes on Servlets
public getContentType() // app/x-www.., -1 if unknown
public getCharacterEncoding() //null
public getProtocol() // HTTP/1.1
public getRemoteAddr() //122.40.10.09
public String getRemoteHost() //pross
public String getRemoteUser() //null if not authenticated
public getScheme() //http
public getServerName() //localhost
public getServerPort() //80
public Cookie[] getCookies()
public int cookies.length
public String cookies[].getName()
public String cookies[].getValue();
public Enumeration getHeaderNames() //e.g. user-agent
public String getHeader(String) // Mozilla/4.0
public Enumeration getHeaders(String)
public int getIntHeader(String)
public getRequestURI()
public setAttribute(String, Object) //for use with
RequestDispatcher(). Some attributes are set by container itself
public HttpSession getSession()
public Locale getLocale()
ResourceBundle getBundle(String, Locale)
public Boolean isSecure() //for HTTPS
public ServerInputStream getInputStream()
public java.io.BufferedReader getReader()
String getAuthType()
boolean isUserInRole(String) //logical role
HTTPServletResponse Methods
public void setStatus(int statusCode) //100-599 or enums
public void sendError(int err_code) //--do--
public void sendError(int err_code, String err_msg)
//Web container generates default error page. Custom error pages can
also be configured through deployment descriptor
public void setHeader(String name, String val) //arbitrary header
public void setDateHeader(String name, long milSec) //since 1970
public void setIntHeader(String hdr, int val) //intString
public void addHeader, addDateHeader, addIntHeader //for
adding new instances instead of replacing
public void setContentType(String)
public void setContentLength(int) //for persistent HTTP
public void addCookie(String)
public void sendRedirect(String url)
public int getLastModified()
// preferably use above methods to set Content-Type, Content-
Length, Set-Cookie, Location, Last-Modified Headers. Other headers
are Content-Encoding, Cache-Control(in 1.1) and Pragma(in 1.0)
public ServletOutputStream getOutputStream() // for binary
public PrintWriter getWriter() // for character output
public encodeRedirectURL(String) //Before sendRedirect() to add
session id if page supports that
public encodeURL(String) // except for sendRedirect()
HTTPSession Methods
getAttribute(String name)
setAttribute(String name, String val)
get/setMaxInactiveInterval(int seconds) //default:1800 – for
destroying session objects e.g. logout if inactive
invalidate() // destroy session object and release resources
getID() //temp primary key for uniquey identifying a session – used
with cookies and in query strings
getCreationTime() // when the session was created
getLastAccessTime() // when the session was last accessed
Session Management
StateAbility to save the information – Required in e-commerce
systems – Can be stored as cookies or in database – Can last for any
length of time : page, session, permanent storage
Scope  lifespan of state, or the length of time over
which state is maintained and can be accessed.
Servlets and JSPs have 4 scopes:
i) Page: Data is available between page initialization
and destruction. This scope is available for JSP only.
ii) Session: One interactive session between web client
and server. Exists until timeout, browser is closed, or
communication fails. Used for authentication and in
systems like shopping cart
iii) Application: Relates to all servlets and JSPs in a Web
application.
Transcends to individual users and used for hit-
counters and support systems like JDBC connection
pool. Maintained until App Server restarts or
application is redeployed.
iv) Request: Relates to request that launched the page.
Scope may be forwarded further to other servlets and
JSPs and maintained until response object is sent back.
A Session is a series of requests that originates from the same user at
the same time.
HTTP, being stateless, cannot recognize that sequence of requests are
all from same client. Following techniques can be used to remember
state information:
1. Hidden Form Fields
<input name=”pageid” type=”hidden” value=”5”>
Servlet can access it like regular field through
getParameter()
Limitation: Apparently hidden (Visible in View Source)
2. URL Rewriting
Appended to URL using ? and & as parameter-value pairs.
http://myserver/servlets/srvltEmp?EMPID=1009&DID=10
Limitation: Query string is visible and browser limits it
length as well. Alternatively, post these attributes as form
data and access through get methods
3. Persistent Cookies
A cookie is a small text file that is stored on
the client system. The file contains a single
name-value pair and several configuration
parameters to store user-preferences and
client-specific information.
A persistent cookie is intended to maintain
information over more than one browser
session. E.g. storing login and password as
cookie so that you need not enter it again
every time you visit that site
Create cookie using new Cookie(String name,
String val)
Use addCookie(cookiename), getCookies(),
cookies[].getName(), and cookies.getValue()
for setting cookies and retrieving its attributes
Other methods for cookies are:
Prepared by: Syed Feroz Zainvi
 Notes on Servlets
setSecure(false); //if true then sent only when It is a JAR file only with a different extension so let people treat it
HTTPS or SSL is used differently
setVersion(0); //0Original, 1 newer RFC  To create it, move to the directory containing web application
2109 objects and use following comand,
setMaxAge(60*60*24*7) // 1 week; <=0  jar –cf MyWebApp.war *
destroyed when browser is closed To list the contents of a web archive use following command,
setDomain() jar –tvf MyWebApp.war
setPath(String)
Clients cannot reject cookies but can ignore them. In Directory Structure
subsequent requests, servlet can know this. Javascript can App Server will unbundle the WAR into a specific directory
be used to check for a cookie. hierarchy. The root of this hierarchy serves as a document root of the
To avoid overhead of creating multiple cookies, use ‘&’ application for serving files that part of this context.
to concatenate multiple values and use StringTokenizer
Cookies are insecure data storage – user can manipulate
them and secure data should not be there in cookies
 Cookies offer scalable solution if simultaneous multiple -Application’s root directory defined by user
hits but may slow down the webpage whereas Session |
attributes offer speed at the cost of server resources. |
+---------WEB-INF
Cookies can be used to prevent popups also.
| |
| |
4. Session Tracking API
| +----classes (servlet’s .class, utility
- Added in Servlet 2.2 API
| | classes, javabeans)
- Used through getSession(), setAttribute(), setAttribute ()
| |
methods of HTTPSession
| +----lib (.jar, .zip -tags & utility libs
| called by server side classes)
|
Dispatching Requests +---------web.xml (web app deployment descriptor)
|
|
Get a reference to RequestDispatcher object using +---------.tld (tag lib descriptor files used by web
ServletContext sc = this.getServletContext(); | container to validate the tags and also
RequestDispatcher rd = sc.getRequestDispatcher(“/nxtServlet”); | by JSP page development tools)
//jspfile.jsp in case of dispataching request to JSP |
getRequestDispatcher() also available under ServletRequest takes +----------Other Directories (e.g. META-INF, SRC,
relative paths as well JRE etc.)
 To forward the request to another servlet or jsp to fill out the
whole response, response to partially processed request, use
if(rd!=null) rd.forward(req,res) Deployment Descriptors
 forward can be used for servlet chaining.  It is an XML test-based file (usually web.xml) under WEB-INF
forward differs from sendDirect() as forward does not involve  Purpose is to describe the component’s deployment settings:
communication with the client who would be unaware of this  Servlets/JSP definitions
chaining at server side  Mapping requests to servlets/JSP
forwarding servlet must not call getOutputStream or getWriter so  Initialization parameters
as to allow the next servlet to write the response.
 MIME types
To include content (banner, copyright info etc.) from a resource
 Welcome and error pages
(servlet, JSP page, HTML file) in the response, use
if(rd!=null) rd.include(req,res)  Security authorization & authentication
Included web resource has full access to HTTP request but limited  In web.xml, include a header to specify version/location of the
document type definition (DTD) as:
access to HTTP response. They can only write body the response and
commit response. However, they cannot set HTTP response headers <!DOCTYPE web-app PUBLIC
“-//Sun Microsystems, Inc, //DTD Web Application 2.2/EN”
or call methods that can set response headers.
http://java.sun.com/j2ee/dtds/web-app_2_2.dtd>
Remember to catch the Exception and print it using
e.getMessage();  Main body in enclosed between
<web-app> ......</web-app> tags
Inside the body, declare servlets (name, class file) and map them to
Packaging and Deploying a Web Application one or more URL patterns
 Also declare init and context param, error, and welcome pages
Web Application = Servlets + JSP pages + HTML files + other inside the body
resources required by web application like images and documents  Sample deployment descriptor is shown below:

Web Archive (WAR) <web-app>

A .war file defines and represents a single web application. <servlet>
It contains all the elements that make up the web application. <servlet-name>ShoppingCart</servlet-name>
Prepared by: Syed Feroz Zainvi
 Notes on Servlets
<description>Lists items in Cart</description> 2. SimgleThreadModel: By implementing
<display-name>ShoppingCart</display-name> javax.servlet.SingleThreadModel.
<servlet-class>com.MyJ2EE.Servlets.srvltShopCart</servlet-class>  Server will manage a pool of instances
<init-param> and guarantees one thread per instance
<param-name>listOrders</param-name>  Performance over-kill in case of multiple
<param-value>com.MyJ2EE.Act.ItemsAction</param-value> instances – synchronized block is preferred
</init-param>
<context-param> Invoker Servlet: Servlet that executes anonymous
<param-name>contactus</param-name> servlets that are not mentioned in web.xml
<param-value>mail@myserver.com</param-value> Used for debugging and testing purposes
</context-param> Such servlet class is provided by web container
<servlet-mapping> like Tomcat and its entry to be made in web.xml
<servlet-name>ShoppingCart</servlet-name>
<url-pattern>/Servlet/ShoppingCart</url-pattern>
 In Servlet API 2.4 (J2EE 1.4) following were
</servlet-mapping>
added/deleted:
</servlet>
<welcome-page> RequestListener: This is In addition to session
<location>index.html</location> and context listener, to observe as requests are created,
</welcome-page> destroyed and attributes are added or removed from request
<error-page> Invoke Filter under RequestDispatcher
<exception-type>Exception.PageNotFound</exception-type> <locale-encoding-mapping-list> addition to
<location>/errorpage1.html</location> web.xml
</error-page> SingleThreatModel: Being confusing & does
<web-app> not the solve problem completely, this was
deprecated. Synchronized block and avoiding use
 init-param can be get using getInitParameter, of instance variables are recommended.
getInitParameterNames methods of ServletContext
 context-param are parameters that are shared constants within the
web application. References
Enhancements in Servlets
Servlet API 2.3 in (J2EE 1.3) added following: • J2EE Unleashed, Joseph J. Bambara, Paul T. Allen,
 Application Life Cycle Events: Gives greater interaction Techmedia
with ServletContext and HttpSession.
 Event notifications for state change through
session and context listerners – startup, shutdown, creation, • Sang Shin’s presentation on J2EE available at
change in attributes http://www.javapassion.com/j2ee
 Listeners must be registered in web.xml and
get/set methods are available in listener interfaces • Codenotes on J2EE, Gregory Brill, Random House

 Filtering: Filter is a reusable piece of code that can

inspect or transform the content of HTTP request or Coming Next Week
response by performing custom actions like logging,
compression, caching, authentication, access control, • A sample program for servlets demonstrating above
encryption etc. concepts

• Developing servlets in MyEclipse and Netbeans IDE

Filter can be written by implementing
javax.servlet.Filter interface [init, destroy, doFilter()] and
• Deploying servlets on J2EE Reference App Server, JBoss,
must be packaged into .war for the application.
and Tomcat
Filters can be chained and plugged-in at
deployment time
 Filters are specified in web.xml using
<filter>,<filter-name>,<filter-class>, <filter-
mapping>,<url-pattern> tags.

 Servlet Sycnchronization: Mutliple clients can invoke

service() method of a servlet. To avoid race condition and
thereby corrupted data, either of the following
synchronization technique must be used:
1. synchronized(this){} block: Guarantees only
one thread can execute within a section of
code

Prepared by: Syed Feroz Zainvi