Published by Dorcas Sharp. Modified over 9 years ago.
1
Java Web Application Development: J2EE and Tomcat. Cai Jian (蔡剑), Ph.D.
2
Topics in this lecture. Web-tier technologies (IV): JSTL, Web Security, Web Application Architecture
3
Review: J2EE Framework
[Diagram: clients ((X)HTML/XML, Applet, Client Application, Application Client Container); Web Container (Servlets, JSPs, JSTL); EJB Container (Session Beans, Entity Beans, Message Beans); J2EE Application Server services (JAF, JMS, JDBC, JTA, JNDI, JAX-RPC, SAAJ, JAXR, JACC, Mgmt, JMX); back-end systems (RDBMS, Mail Server, Java Application, CORBA Server, Directory Service, Message Queue) reached over JDBC, JavaMail, RMI, IIOP, JNDI, JMS and HTTP]
4
Review: JSP using XML
[Diagram: Web Server, XML, JSP, Custom Tag, JavaBeans, SAX/DOM]
5
JSTL Types: core tags, XML tags, internationalization (I18N) tags, database (SQL) tags
6
Core JSTL: Flow Control You are far from the Y2K problem! You were facing the Y2K problem! = '2000'}" > You have overcome the Y2K problem! You are in the Y2K year!
7
Core JSTL: Iteration Name Value
8
XML Tag …… The Task List Using JSTL XML Tags: …… …… P245
9
XML Tag Example Result
10
SQL Tag: DataSource and Query <sql:setDataSource var="workflow" driver="RmiJdbc.RJDriver" url="jdbc:rmi://localhost:1099/jdbc:cloudscape:CloudscapeDB;create=true"> select * from PUBLIC.tasks where name = ?
11
SQL Tag: Transaction and Update …… ……
12
I18N Tag Wednesday, November 20, 2002 7:37:49 AM GMT Tue Nov 19 23:37:49 PST 2002
13
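Web Application Security
Authentication: a principal's identity must be established by an authentication mechanism.
Authorization: when an authenticated principal tries to access an application resource, the system decides, according to the security policy, whether that principal has permission to perform the operation.
Declarative security: specifies the security configuration contract between the web application and the web server. The web server protects web resources according to the security requirements defined in web.xml.
Programmatic security: more direct than declarative security. The web application implements its own protection in Java code.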
14
Role, Group, and User
<user username="user1" password="password1" roles="admin,manager,engineer"/>
<user username="user2" password="password2" roles="engineer"/>
15
Set Naming Resources <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved"> factory org.apache.catalina.users.MemoryUserDatabaseFactory pathname conf/tomcat-users.xml
16
Using Database as Realm
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
       driverName="org.gjt.mm.mysql.Driver"
       connectionURL="jdbc:mysql://localhost/authority"
       connectionName="test" connectionPassword="test"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name" />
17
Authentication Approaches
Authentication performed by the web container: HTTP Basic authentication, Form-based authentication, Client-certificate authentication, Digest authentication.
Authentication performed by the web application itself: application form-based authentication, programmatic security.
18
Basic Authentication …… BasicLogin Map to Basic Login Page /control/signin_ba GET POST no description manager no description NONE
19
Defined in Web.xml BASIC default
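Added example, not part of the original slides: the Basic-authentication constraint on slides 18 and 19 uses the transport guarantee NONE, so the Base64-encoded password travels over plain HTTP, and it lists only GET and POST, so other HTTP methods fall outside the constraint. The sketch below audits a web.xml for both conditions; the XML is a constructed fragment assembled from the values on those slides, and `audit_web_xml` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment built from the values visible on slides 18-19.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>BasicLogin</web-resource-name>
      <url-pattern>/control/signin_ba</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
</web-app>"""


def audit_web_xml(xml_text):
    """Return a list of (url_pattern, issue) findings for a web.xml document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop XML namespaces, if any
        el.tag = el.tag.split("}")[-1]
    auth = (root.findtext("login-config/auth-method") or "").strip().upper()
    findings = []
    for sc in root.findall("security-constraint"):
        patterns = [(p.text or "").strip() for p in sc.iter("url-pattern")]
        methods = [(m.text or "").strip() for m in sc.iter("http-method")]
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee")
                     or "NONE").strip().upper()
        for pattern in patterns:
            # BASIC and FORM put the password on the wire; CONFIDENTIAL is the
            # guarantee that requires a transport that prevents eavesdropping.
            if auth in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
                findings.append((pattern, "credentials-sent-without-tls"))
            # Listing methods limits the constraint to them; any method not
            # listed reaches the URL without the role check.
            if methods:
                findings.append((pattern, "unlisted-http-methods-unconstrained"))
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

Setting the transport guarantee to CONFIDENTIAL and removing the `http-method` elements, so the constraint covers every method, clears both findings.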
20
Form-based Login FORM default /jsp/signin_cfb.jsp /control/error
21
Login Form Container Form-Based Login ' > Username: Password: ……
22
No Secure End-to-End Model
23
Public Key and Private Key
24
Config SSL Connection
<!--
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false" acceptCount="10" connectionTimeout="60000"
           debug="0" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" />
</Connector>
-->
25
Security Connection via SSL
26
Web Application Deployment
27
Web Application Architecture: MVC Model
Model: Encapsulates application state. Responds to state queries. Exposes application functionality. Notifies views of changes.
View: Renders the models. Requests updates from models. Sends user gestures to Controller. Allows controller to select View.
Controller: Defines application behavior. Maps user actions to model updates. Selects view for response. One for each functionality.
[Diagram arrows: State Query, State Change, View Selection, User gestures, Change Notice]
28
Use Case Analysis
29
Components
[Diagram, columns View / Control / Model: Web Server (request, response, dispatch); Main Servlet; Page Flow Manager; Request Processor; Screen definition XML; Request mapping XML; RoleCheck Filter; I18N Filter; Action Listener; Project, User, Task, Assignment, Signin and Logout Handlers; Project, User, Task and Assignment Model/DAO; Project, User, Task and Assignment UseBeans; Template JSP; Project, User, Task, Assign and Other JSPs; Mail Sender; Session; Database]
30
Major Data Entity Classes
31
Directory Structure
32
Class Diagram
33
Sequence Diagram
34
Login Page
35
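Struts Framework
A controller for the web application (the central controller servlet of Struts).
A set of JavaBeans and helper classes used to implement the "model".
A set of tag libraries used to build the user interface in JSP.
Struts uses one configuration file to tie these three kinds of components together; together they form the basic skeleton of a web application.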
36
File Structure
37
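Config Files
Directory or file name: Usage
META-INF: meta-information used by the application
WEB-INF/classes: Java classes of the Struts application
WEB-INF/classes/org/apache/struts/webapp/examples/MessageResource.properties: text of the messages used by the application
WEB-INF/lib/struts.jar: the servlet, helper classes and taglib code used by Struts
WEB-INF/*.tld: the Struts tag libraries
WEB-INF/struts-config.xml: the Struts configuration file, which specifies its parameters and usage
WEB-INF/web.xml: the web application's configuration file for the servlet container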
38
Struts Components
[Diagram: Browser; struts-config.xml; Controller: ActionServlet; Model: Action, ActionForm; View: JSP files; application resource properties (properties files); tag libraries]
39
JPetstore Architecture http://www.ibatis.com/jpetstore/jpetstore.html
40
A Real Example
41
Cost Model of Struts