Cutting Edge Research in Engineering of Web Applications
Part 1: What is a Web Application?

Jeff Offutt
Professor of Software Engineering
George Mason University
http://www.cs.gmu.edu/~offutt/


Outline

A. Who am I?
B. Who are you?

Part 1 (13:00-15:00)
1. Web Apps Overview
2. How the Interweb Works
3. Web Software (Servlets)

Part 2 (19:00-21:00)
4. Control Flow & State Handling is Different
5. State Handling in JSP

Part 3 (Friday 13:00-15:00)
6. Web Software Security
7. Modeling Web Apps
8. Testing Web Apps
9. Engineering Process

July 2013 © J Offutt

Who Am I?

• Professor of Software Engineering
  – > 150 refereed publications, H-index = 51
  – Editor-in-Chief: Journal of Software Testing, Verif., and Reliability
  – Co-Founder: IEEE Intl Conf. on Software Testing
  – Author: Introduction to Software Testing
  – Several teaching awards at Mason
• George Mason University
  – Suburban Washington, DC
  – “Most diverse” campus in the USA
  – 34,000 students
• MS Software Engineering
  – Established 1987
  – 60 to 80 graduates per year
  – 24 different graduate courses


Who Are You?

• Where are you from ?

• What was your undergraduate major ?

• What do you think of software engineering?


Motivation – Overview

• Modern web applications are:
  – Distributed (world-wide)
  – Heterogeneous (hardware and software)
  – Highly user interactive
  – Built on new technologies
• The software is:
  – Very loosely coupled
  – Written in multiple languages
  – Often generated dynamically

Diverse: In terms of software, communication, and people

Motivation – Overview (2)

• Web application software has to be better than most shrink-wrap or contract software
• The combination of higher quality requirements and unique technologies makes for a very interesting situation
  (Academics think “interesting” means fun, managers think “interesting” is scary …)

This talk discusses why and in what ways web software must be better

Software Deployment

• Bundled : On your computer when you buy it
• Shrink-wrapped : Bought at a store on a CD
  – Downloaded from company’s website or OSS site
• Contract : Single customer
• Embedded : Installed on an electronic device
• Web application : On the web through a URL
  – Component-based
  – Concurrent / distributed
  – One copy on the server
  – Can be updated at any time (fast update cycle)
  – User interactive

Important Quality Attributes for Traditional Software

Traditional
1. Efficiency of process (time-to-market)
2. Efficiency of execution (performance)
50. Reliability
51. Safety
52. Maintainability
53. Security

Important Quality Attributes for Web Software

1. Reliability
2. Usability
3. Security
4. Availability
5. Scalability
6. Maintainability
7. Performance & Time to Market

Customers have little “site loyalty” and will switch quickly, thus time to market is much less important than in other application areas (but still important!).

Based on an informal survey of around a dozen software development managers, 2000

Common N-Tier Architecture

[Figure: Client (Browser, Javascripts), Web Server (HTML, CGI, JSP, etc), Application Server (Java) and DB Server, connected in sequence by network, middleware and middleware]

Client-server … 3-tier … N-tier …

Problems Can Occur Anywhere

• 1995 : Web sites were 100% interface
• 1998 : Web sites were about 90% interface
• 2001 : Web sites are less than 50% interface
• 2005 : Web applications about 25% interface
• 2013 : Web application development dominates the software industry

There is a huge shortage of knowledgeable, skilled web programmers and software engineers

Summary : Concerns of Software

Traditional
1. Efficiency of process (time to market)
2. Efficiency of execution
50. Reliability
51. Safety
52. Maintainability
53. Security

Web Software
1. Reliability
2. Usability
3. Scalability
4. Security
5. Availability
6. Maintainability
7. Performance & Time to Market


Hypertext Transport Protocol (HTTP)

• HTTP is based on the request-response communication model :
  – Client sends a request
  – Server sends a response
• HTTP is a stateless protocol :
  – The protocol does not require the server to remember anything about the client between requests
• The original standards proposal for HTTP :
  – ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt

HTTP

• Normally implemented over a TCP connection
  – 80 is standard port number for HTTP
• Typical browser-server interaction:
  – User enters Web address in browser
  – Browser uses DNS to locate IP address
  – Browser opens TCP connection to server
  – Browser sends HTTP request over connection
  – Server sends HTTP response to browser over connection
  – Browser displays body of response in the client area of the browser window

HTTP Request

Clients send requests to servers to ask for a resource (usually a file or to run a program)

Example: GET http://cs.gmu.edu/~offutt HTTP/1.1

HTTP Response

Servers send responses to clients with result of request (error code, a file, or output of a program)

Example: HTTP/1.1 200 OK

First digit is class of the status code :
– 1 = Informational
– 2 = Success
– 3 = Redirection (with alternate URL)
– 4 = Client Error
– 5 = Server Error

Client Caching

[Figure: Client (browser and cache) and server (web server). 1. HTTP request for image; 2. HTTP response containing image; 3. Store image in the cache. When the browser needs that image again, the slow way is another HTTP request and HTTP response containing the image; the fast way is to get the image from the cache.]


Server Side Processing

[Figure: Client (UI implemented in a browser) sends data in an HTTP request to the server (web server, container engine, program components); the server returns HTML in an HTTP response]

Execution Overview

[Figure: numbered steps 1 to 8 on the server. An incoming HTTP request arrives on port 8080 at the web server; the container engine receives request / response objects and creates a thread / calls a method on the program component; the component returns; the modified response objects go back to the web server, which sends the HTTP response back to the requestor]

Web Container Engine

[Figure: a container engine hosting Web App 1 (components C1a, C1b, C1c) and Web App 2 (components C2a, C2b, C2c, C2d), with shared memory regions]

Compiled Modules

• Compiled modules are executable program components that the server uses
• Common compiled module application plug-ins :
  – Microsoft’s .NET ASP
  – J2EE Java servlets
• Compiled modules are efficient and very effective
• They allow programmers to clearly separate the front-end from the back-end
  – Aids design
  – Complicates implementation

Scripted Pages

• Scripted pages look like HTML pages that happen to process business logic
• Execution is on the server, not on the client
  – unlike JavaScripts
• They have HTML with program statements that get and process data
• JSPs are compiled and run as servlets
  – very clean and efficient

Scripted Pages (2)

• Common scripted pages:
  – Adobe’s ColdFusion
  – Microsoft’s Active Server Pages (ASP)
  – Java Server Pages (JSP)
• Scripted pages are generally easy to develop and deploy
• They mix logic with HTML, so can be difficult to read and maintain
• Not as effective for heavy-duty engineering

Summary Web Programming

• The major difference is deployment
  – Software is deployed across the Web using HTTP
  – Other deployment methods include bundling, shrink-wrapping, embedding, and contracting
• New software technologies
• New conceptual language constructs for programming
  – Integration
  – Data management
  – Control connections

These differences affect every aspect of how to engineer high quality software

What are Servlets?

• Servlets are small Java classes that
  – Process an HTTP request
  – Return an HTTP response
• Servlet container or engine
  – Connects to network
  – Catches requests
  – Produces responses
  – Creates object instances of servlet classes
  – Hands requests to the appropriate object
• Programmers use an API to write servlet classes

Servlets vs. Java Applications

• Servlets do not have a main()
  – The main() is in the server
  – Entry point to servlet is via call to a method ( doGet() or doPost() )
• Servlet interaction with end user is indirect via request / response object APIs
  – Actual HTTP request / response processing is handled by the server
• Servlet output is usually HTML

Servlet Container (or Engine)

• Servlet container is a plug-in for handling Java servlets
• A servlet container has five jobs :
  1. Creates servlet instance
  2. Calls init()
  3. Calls service() whenever a request is made
     1. service() calls a method written by a programmer to handle the request
     2. doGet() to handle GET requests, doPost() to handle POST requests
     3. More on this later …
  4. Calls destroy() before deleting the servlet object
  5. Destroys instance

Servlet Container (2)

When a request comes to a servlet, the servlet container does one of two things:

1. If there is an active object for the servlet, the container creates a Java thread to handle the request
2. If there is no active object for the servlet, the container instantiates a new object of that class, then creates a Java thread on the object to handle the request

Servlet Container (3)

A servlet instance runs until the container decides to destroy it :

• When it gets destroyed is not specified by the servlet rules
• Most servlet containers destroy the object N minutes after the last request
• N is usually 15 or 30, and can be set by the system administrator
• Container can also be configured to never destroy a servlet object

Servlet Container (4)

• What if the same servlet gets multiple requests ?
• More than one thread for the same servlet may be running at the same time, using the same memory

Risky …

[Figure: Client 1 and Client 2 send requests to the server container, where servlet thread 1 and servlet thread 2 use the same shared memory space]
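An added illustration of the risk on this slide, not part of the original deck: a plain-Java simulation, without the servlet API, of one handler object serving two request threads at once. The class and method names (SharedServletState, UnsafeHandler, SafeHandler, serveTwoClients) and the client names are assumptions made for the example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed simulation (no servlet API): one handler object is shared by two
// request threads, the way a container shares a single servlet instance.
public class SharedServletState {

    interface Handler {
        String handle(String name, CountDownLatch bothStored) throws InterruptedException;
    }

    // Unsafe: per-request data lives in an instance field, like a field of a servlet class.
    static class UnsafeHandler implements Handler {
        private volatile String user;   // volatile gives visibility, not isolation

        public String handle(String name, CountDownLatch bothStored) throws InterruptedException {
            user = name;                // each request overwrites the other's value
            bothStored.countDown();
            bothStored.await();         // wait until both requests have stored their name
            return "Hello " + user;     // both threads read whichever write came last
        }
    }

    // Safe: per-request data stays in parameters and locals, which are private to the thread.
    static class SafeHandler implements Handler {
        public String handle(String name, CountDownLatch bothStored) throws InterruptedException {
            String user = name;
            bothStored.countDown();
            bothStored.await();
            return "Hello " + user;
        }
    }

    // Sends two concurrent "requests" to the same handler object and returns both responses.
    static String[] serveTwoClients(Handler shared) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        CountDownLatch bothStored = new CountDownLatch(2);
        try {
            Callable<String> client1 = () -> shared.handle("alice", bothStored);
            Callable<String> client2 = () -> shared.handle("bob", bothStored);
            Future<String> r1 = pool.submit(client1);
            Future<String> r2 = pool.submit(client2);
            return new String[] { r1.get(), r2.get() };
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] unsafe = serveTwoClients(new UnsafeHandler());
        String[] safe = serveTwoClients(new SafeHandler());
        // Unsafe: the two responses are identical, so one client received the other's name.
        System.out.println("unsafe: " + unsafe[0] + " | " + unsafe[1]);
        // Safe: each client gets its own name back.
        System.out.println("safe:   " + safe[0] + " | " + safe[1]);
    }
}
```

The latch only makes the interleaving repeatable; in a real container the same overlap happens whenever two requests reach the servlet at nearly the same time.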

Servlet Object Thread Lifecycle

[Figure: state diagram with the states Does not exist, Instantiated, Initialized and/or ready for requests, Service, Unavailable and Destroyed. Transition labels: instantiation based on a request or at container startup; initialization; initialization failed; HTTP requests from clients; end of service thread; temporary or permanent failure; back to service if temporarily unavailable (optional); timeout or a container shutdown; release reference]

Simple Servlet Example

import javax.servlet.*;
import javax.servlet.http.*;
import java.io.*;

// Minimal servlet: answers every GET request with a fixed HTML page.
public class hello extends HttpServlet
{
   // Called by the container (through service()) for each GET request.
   public void doGet (HttpServletRequest req, HttpServletResponse res)
          throws ServletException, IOException
   {
      res.setContentType ("text/html; charset=\"UTF-8\"");
      PrintWriter out = res.getWriter ();
      out.println ("<HTML>");
      out.println ("<HEAD>");
      out.println ("<TITLE>Servlet example</TITLE>");
      out.println ("</HEAD>");
      out.println ("<BODY>");
      out.println ("<P>My first servlet. </P>");
      out.println ("</BODY>");
      out.println ("</HTML>");
      out.close ();
   } // end doGet()
} // end hello

Servlet Parameters – requests

Parameters are conveniently stored in objects

• String req.getParameter (String KEY)
  – Returns value of field with the name = KEY
  – Names are defined in HTML, and values supplied by the users
• String[ ] req.getParameterValues (String KEY)
  – Returns all values of KEY
  – For example checkboxes
• Enumeration req.getParameterNames ()
  – Returns an Enumeration object with a list of all parameter names
• String req.getQueryString ()
  – Returns the entire query string

Transmitting Servlet Parameters

• Parameter data is the Web analog of arguments in a method call :
  – System.out.println ("aString");
  – http://www.example.com/servlet/PrintThis?arg=aString
• Query string syntax and semantics
  – Multiple parameters are separated by ‘&’
    http://www.example.com/servlet/PrintThis?color=red&arg=aString
  – Order of parameters does not matter
    http://www.example.com/servlet/PrintThis?arg=aString&color=red
  – All parameter values are strings
    http://www.example.com/servlet/PrintThis?arg=&age=39
    (the value of arg is the empty string)
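An added example, not from the original deck, that works through the query-string rules above and the request methods from the previous slide in plain Java, without the servlet API. QueryParams and its getInt helper are hypothetical names, and the box parameter and the 0 to 150 age bounds are constructed for the illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Constructed stand-in for the parsing a servlet container does before doGet() runs.
public class QueryParams {
    private final Map<String, List<String>> params = new LinkedHashMap<>();

    public QueryParams(String queryString) {
        if (queryString == null || queryString.isEmpty()) return;
        for (String pair : queryString.split("&")) {          // parameters are separated by '&'
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = decode(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
            params.computeIfAbsent(key, k -> new ArrayList<>()).add(value);
        }
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);   // needs Java 10 or later
    }

    // Mirrors req.getParameter(KEY): first value, "" for "arg=", null when KEY is absent.
    public String getParameter(String key) {
        List<String> values = params.get(key);
        return values == null ? null : values.get(0);
    }

    // Mirrors req.getParameterValues(KEY): every value sent under KEY, e.g. checkboxes.
    public String[] getParameterValues(String key) {
        List<String> values = params.get(key);
        return values == null ? null : values.toArray(new String[0]);
    }

    // Hypothetical helper: values arrive as user-supplied strings, so a number
    // has to be parsed and range-checked before the application relies on it.
    public int getInt(String key, int min, int max) {
        String raw = getParameter(key);
        if (raw == null || !raw.matches("-?\\d{1,9}"))
            throw new IllegalArgumentException(key + " is missing or not an integer");
        int n = Integer.parseInt(raw);
        if (n < min || n > max)
            throw new IllegalArgumentException(key + " is out of range");
        return n;
    }

    public static void main(String[] args) {
        QueryParams a = new QueryParams("color=red&arg=aString");
        QueryParams b = new QueryParams("arg=aString&color=red");
        // Order does not matter: both lookups return the same value.
        System.out.println(a.getParameter("arg").equals(b.getParameter("arg")));
        QueryParams c = new QueryParams("arg=&age=39&box=a&box=b");   // box=... is constructed
        System.out.println("arg is empty: " + c.getParameter("arg").isEmpty());
        System.out.println("missing is null: " + (c.getParameter("missing") == null));
        System.out.println("boxes: " + c.getParameterValues("box").length);
        System.out.println("age: " + c.getInt("age", 0, 150));
    }
}
```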

Summary—Examples

1. hello : Prints lots of hellos
2. name : Accepts and prints a name from a form
3. goldGetPost : Differences between GET and POST
4. formHandler : Displays arbitrary data from a form
5. twoButtons : Processing two submit buttons
6. abstracts : Processes form data and sends through email
7. loan : Compute time to pay off a loan
8. convert : Convert values
9. convert2 : Better value conversion
10. fileLoad : Uploads a file to a server
11. studInfo : Our student info system – small web app
12. showRequestHeaders : Shows information about the requests

http://www.cs.gmu.edu/~offutt/classes/642/examples/servlets/