Saturday 25 July 2015

OCEJWCD-12.Web application security

OCEJWCD (SCWCD) - 1Z0-899 - Web Component Developer Certification

12.1. Understand the role of the container in security

-Authentication
-Authorization
-Confidentiality
-Data integrity

Security constraints are declared in the deployment descriptor (web.xml); annotations can be used as well.

<security-constraint>

  <web-resource-collection>
    <web-resource-name>EditPage</web-resource-name>
    <url-pattern>/DemoServlet/Edit/*</url-pattern>
    <http-method>POST</http-method>
  </web-resource-collection>

  <auth-constraint>
    <role-name>Admin</role-name>
    <role-name>User1</role-name>
  </auth-constraint>

</security-constraint>

When the auth constraint contains <role-name>*</role-name>, or no auth constraint is defined at all, all roles have access to the resources described.

An empty <auth-constraint/> means no roles have access: the resources are blocked for everyone.

12.2. Describe and implement four authentication models

  • BASIC: the credentials are encoded in base64 (not encrypted).
  • DIGEST: the password is sent encrypted as a digest (not SSL), but not all Java EE containers support it.
  • CLIENT-CERT: uses public key certificates; the client needs a certificate to use it.
  • FORM: a custom login form; the data is sent in the HTTP request with no encryption.

The authentication type is declared in the DD:
<login-config>
  <auth-method>FORM</auth-method>
</login-config>

In FORM authentication the login page must be defined using these three names: j_security_check (the form action), j_username and j_password (the field names).

<form method="POST" action="j_security_check">
  <input type="text" name="j_username">
  <input type="password" name="j_password">
  <input type="submit" value="Enter">
</form>

12.3. Force the use of encryption between a web application and the client browser.

Annotation ServletSecurity.TransportGuarantee values:
-NONE
-CONFIDENTIAL: all user data must be encrypted by the transport (typically using SSL/TLS).

@ServletSecurity(@HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL))
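The following is an added example, not code from the original post: it expresses the same rule as the web.xml <security-constraint> in 12.1 (POST on /DemoServlet/Edit/* limited to the Admin and User1 roles) with the Servlet 3.0 annotations from 12.1 and 12.3, and forces TLS for every method. The class name, the "action" parameter and the per-action role check in doPost are assumptions for illustration.

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Roles referenced by isUserInRole() must be declared to the container.
@DeclareRoles({"Admin", "User1"})
@WebServlet(urlPatterns = "/DemoServlet/Edit/*")
@ServletSecurity(
    // Default for every HTTP method not listed below: any caller, but only over TLS
    // (equivalent of <transport-guarantee>CONFIDENTIAL</transport-guarantee>).
    value = @HttpConstraint(transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    // POST is restricted to the Admin and User1 roles, like the <auth-constraint> in 12.1.
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = {"Admin", "User1"},
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class EditServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // isSecure() is true when the container received this request over TLS.
        out.println("secure=" + req.isSecure());
        out.println("user=" + (req.getUserPrincipal() == null
                               ? "anonymous" : req.getUserPrincipal().getName()));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and checked the role
        // before this method runs; programmatic checks can refine the decision
        // for individual actions (the "delete" action is an assumed example).
        String action = req.getParameter("action");
        if ("delete".equals(action) && !req.isUserInRole("Admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Admin role required");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("edited by " + req.getUserPrincipal().getName());
    }
}
```

Deploy it in a web application whose <login-config> defines one of the four authentication methods from 12.2; a plain HTTP request is redirected to HTTPS (or refused) by the container, and a POST without one of the two roles gets a 403 before doPost is reached.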

12.4. Understand the role of JAAS in pluggable/extensible authentication for web applications

JAAS can be used for two purposes:
  • authentication of users,
  • authorization of users, to ensure they have the access control rights required for the actions performed.
More details about how to authenticate a subject (user or service):


Tuesday 21 July 2015

OCEJWCD .- 11. Asynchronous web applications


11.1. Understand the interactions that are essential to asynchronous web pages

In asynchronous processing the web container can continue serving other requests without waiting for a response from a slow resource: the request-processing thread is released instead of being blocked.

11.2. Understand the role of AJAX-style client side programming
AJAX (Asynchronous JavaScript and XML) exchanges data with the server and updates parts of a web page without reloading the whole page.

XMLHttpRequest
var xmlhttp = new XMLHttpRequest();

Send a request to a server
- open(method, url, async) -> the url can be a txt, xml, asp or php file on the server
- send() for a GET request, send(string) to pass a body in a POST request

xmlhttp.open("GET", "hello.txt", true);
xmlhttp.send();

Get a response from a server

xmlhttp.responseText
xmlhttp.responseXML

onreadystatechange event

xmlhttp.onreadystatechange = function() {
  // readyState 4: the response is complete; status 200: the server answered OK
  if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
    var text = xmlhttp.responseText; // use the response here
  }
};

-xmlhttp.readyState: 4 means the request is finished and the response is ready
-xmlhttp.status: 200 means OK

11.3. Implement asynchronous servlets using the facilities of Java EE6

Annotations:
asyncSupported can be used with @WebServlet or @WebFilter.
Example:
  @WebServlet(urlPatterns = "/foo", asyncSupported = true)

AsyncContext

It is obtained from the ServletRequest methods
  startAsync(servletRequest, servletResponse) or startAsync()
Example:
AsyncContext aCtx = req.startAsync(req, res);

Methods to dispatch the request back to the container:
AsyncContext.dispatch(), AsyncContext.dispatch(path), or AsyncContext.dispatch(servletContext, path)
Example:
aCtx.dispatch("/render.jsp");

AsyncListener

The AsyncListener interface defines a listener that is notified of the events of an asynchronous operation initiated on a servlet request.
http://docs.oracle.com/javaee/6/api/javax/servlet/AsyncListener.html

Methods:
  • onComplete(event)
  • onError(event)
  • onStartAsync(event)
  • onTimeout(event)
Example (the listener is registered on the AsyncContext, not on the request):
aCtx.addListener(new AsyncListener() { ... });
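The following is an added example, not code from the original post: it combines the three pieces of 11.3 (asyncSupported, AsyncContext and AsyncListener) into one servlet that releases the container thread, performs slow work on its own executor, bounds the wait with a timeout and dispatches to a JSP. The /slow path, /render.jsp, the pool size and the simulated delay are assumptions.

```java
package example;

import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet(urlPatterns = "/slow", asyncSupported = true)
public class SlowServlet extends HttpServlet {

    private ExecutorService executor;

    @Override
    public void init() throws ServletException {
        // A small, bounded pool: the container thread is freed, but the work
        // still runs on a limited resource that we control (size is an assumption).
        executor = Executors.newFixedThreadPool(4);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        final AsyncContext aCtx = req.startAsync(req, res);
        // Always bound the wait: without a timeout a stalled backend keeps the
        // request, its socket and its buffers open indefinitely.
        aCtx.setTimeout(5000);
        aCtx.addListener(new AsyncListener() {
            public void onComplete(AsyncEvent event) { log("async complete"); }
            public void onTimeout(AsyncEvent event) throws IOException {
                // Give the client a definite answer instead of a hung connection.
                HttpServletResponse r = (HttpServletResponse) event.getAsyncContext().getResponse();
                r.sendError(HttpServletResponse.SC_GATEWAY_TIMEOUT, "backend timeout");
                event.getAsyncContext().complete();
            }
            public void onError(AsyncEvent event) { log("async error", event.getThrowable()); }
            public void onStartAsync(AsyncEvent event) { log("async restarted"); }
        });

        executor.execute(new Runnable() {
            public void run() {
                try {
                    Thread.sleep(1000); // stands in for a slow backend call
                    aCtx.getRequest().setAttribute("result", "done");
                    // Hand the request back to the container to render the view.
                    aCtx.dispatch("/render.jsp");
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    aCtx.complete();
                } catch (IllegalStateException e) {
                    // The timeout listener already completed this request.
                    log("late result discarded");
                }
            }
        });
        // doGet returns here; the container thread is free to serve other requests.
    }

    @Override
    public void destroy() {
        executor.shutdownNow();
    }
}
```

Every filter in front of this servlet must also be declared with asyncSupported = true, otherwise startAsync() throws IllegalStateException.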

Asynchronous application example in:


Sunday 12 July 2015

OCEJWCD-10.More options for the Model


10.1. Understand the roles of JDBC and JPA

JDBC (Java DataBase Connectivity) is the traditional mechanism to access a relational database from Java.
-There are 4 categories of JDBC drivers.
-It provides generic, database-independent access methods.
-It optimizes network resources using connection pooling and distributed transactions.

Since Java EE 5, JPA (Java Persistence API) hides the low-level details when implementing the persistence layer.
There are several implementations of JPA: Hibernate (JBoss), OpenJPA. The standard implementation for Oracle is TopLink.

Persistence mechanism:
  • POJO objects
  • Metadata mapping: XML holds the connection details and table mappings. Annotations can be used instead.
  • EntityManager connects the metadata and the database (queries, synchronizing data).

10.2. Understand the many elements that make up the model

Handling remote objects:
  • JNDI - Java Naming and Directory Interface. Locates remote objects.
  • RMI - Remote Method Invocation. Lets objects communicate across the network (hides the low-level network I/O operations).

10.3. Understand fundamentals of connecting to a database using JDBC or JPA

The optimal solution is to use a connection pool: every time a request is received, it takes a connection from the pool. The pool is managed by the Java EE server.

The pool configuration is declared in the deployment descriptor.
Assigning a name in JNDI (Java Naming and Directory Interface) allows the service to be located by name.

Configuring datasource in deployment descriptor (web.xml) example:
<resource-ref>
  <res-ref-name>jdbc/New</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
  <res-sharing-scope>Shareable</res-sharing-scope>
</resource-ref>

Configuring datasource with annotations, example:
@Resource(name = "jdbc/New")
http://docs.oracle.com/javaee/6/api/javax/annotation/Resource.html

Annotations can be placed on a class, a method or a field.
Other annotations:
@EJB
@PersistenceContext: specifies the container-managed entity manager.
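The following is an added example, not code from the original post: a servlet that receives the pooled DataSource declared above through @Resource(name = "jdbc/New") and runs a parameterised query, returning the connection to the pool when it is closed. The accounts table, the owner column, the /accounts path and Java 7+ (for try-with-resources) are assumptions.

```java
package example;

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.annotation.Resource;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

@WebServlet("/accounts")
public class AccountServlet extends HttpServlet {

    // Injected by the container: the JNDI name matches <res-ref-name>jdbc/New</res-ref-name>.
    @Resource(name = "jdbc/New")
    private DataSource dataSource;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String owner = req.getParameter("owner");
        if (owner == null || owner.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "owner required");
            return;
        }
        resp.setContentType("text/plain");
        try {
            int n = countAccounts(owner);
            resp.getWriter().println("accounts for " + owner + ": " + n);
        } catch (SQLException e) {
            log("query failed", e);   // details go to the server log, not to the client
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    int countAccounts(String owner) throws SQLException {
        // getConnection() borrows a connection from the pool; close() returns it.
        // The ? placeholder keeps the user-supplied value out of the SQL text.
        try (Connection con = dataSource.getConnection();
             PreparedStatement ps = con.prepareStatement(
                     "SELECT COUNT(*) FROM accounts WHERE owner = ?")) {
            ps.setString(1, owner);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

With <res-auth>Container</res-auth> the database credentials live in the server's pool definition, so the web application never handles them; the class only sees the DataSource.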


Sunday 5 July 2015

OCEJWCD- 9.More controller facilities

9.1. Understand the servlet lifecycle

The lifecycle of a servlet is controlled by the container in which the servlet has been deployed.

1. Creation, if the servlet instance does not exist yet:
    1.a. The container loads the servlet class.
    1.b. It creates an instance of the servlet class.
    1.c. Initialization (init method).
2. The service method is invoked.
3. The destroy method finalizes and removes the servlet.

9.2. Describe and use more advanced elements of the servlets APIs


Table from docs.oracle.com/javaee/6/tutorial/doc/javaeetutorial6.pdf

9.3. Create filter and use them in web applications

The objective of filters is to intercept the request from the user (or the response after the servlet has completed). By defining URL patterns, a request that matches is intercepted before it reaches the resource (or before the response reaches the client, when intercepting responses).

Filter is an interface with the following methods:
  • public void init(FilterConfig filterConfig)
  • public void destroy()
  • public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain). This method should call chain.doFilter(request, response): the doFilter() method of FilterChain invokes the next filter (or the target resource when no filter is left).

Filters in DD
<filter>
  <filter-name>NewFilter</filter-name>
  <filter-class>example.NewFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>NewFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The mapping can be declared using:
-URL pattern
-Servlet name
It can also be restricted to dispatcher types (REQUEST, INCLUDE, FORWARD, ERROR). If the <dispatcher> tag is not present, the default is REQUEST.

Filters are invoked in the order they are defined in the deployment descriptor (first those matching by URL pattern, then those matching by servlet-name).

Example of a filter for authentication:
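The following is an added example, not code from the original post: a filter that applies the interface methods listed above to authentication, letting unauthenticated requests reach only the login page and redirecting every other request there. It assumes the application manages login itself and stores a marker in the session (with container-managed FORM login the container performs this redirect before any filter runs). The filter name, the loginPage init-param, the /login.jsp path and the "user" session attribute are assumptions.

```java
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebFilter(filterName = "AuthFilter",
           urlPatterns = {"/*"},
           initParams = { @WebInitParam(name = "loginPage", value = "/login.jsp") })
public class AuthFilter implements Filter {

    private String loginPage;

    public void init(FilterConfig filterConfig) throws ServletException {
        // Read the login page path from the init-param declared above.
        loginPage = filterConfig.getInitParameter("loginPage");
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Path inside the application, without the context root.
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // The login page itself must stay reachable, or nobody could ever log in.
        boolean isLoginPage = path.equals(loginPage);

        if (isLoginPage || isAuthenticated(req)) {
            chain.doFilter(request, response);   // next filter, or the target servlet/JSP
        } else {
            res.sendRedirect(req.getContextPath() + loginPage);
        }
    }

    static boolean isAuthenticated(HttpServletRequest req) {
        // A container-managed login (BASIC, FORM, ...) sets the principal;
        // an application-managed login stores a marker in the session.
        if (req.getUserPrincipal() != null) {
            return true;
        }
        HttpSession session = req.getSession(false);  // never create a session just to check it
        return session != null && session.getAttribute("user") != null;
    }

    public void destroy() { }
}
```

Because the mapping is /* and no <dispatcher> is declared, the filter runs only for client requests (REQUEST); an internal forward to a protected page would bypass it unless FORWARD is added to the mapping.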

Annotations
@WebFilter:
@WebFilter(filterName = "NewFilter",
           urlPatterns = {"/*"},
           initParams = {
               @WebInitParam(name = "user", value = "guest")})

Filter uses:
-Authentication, authorization
-Request/response compression
-Launching triggers
-Logging
etc.
