How servlet containers work (4)

Source: Internet
Author: User
Application 2

There is a serious problem in the first application. In the process method of the ServletProcessor1 class, the ex02.pyrmont.Request instance is upcast to javax.servlet.ServletRequest and passed as the first argument to the servlet's service method. Likewise, the ex02.pyrmont.Response instance is upcast to javax.servlet.ServletResponse and passed as the second argument to the servlet's service method.

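    try {
        servlet = (Servlet) myClass.newInstance();
        // The container's own Request and Response objects are handed to the servlet
        servlet.service((ServletRequest) request, (ServletResponse) response);
    } catch (Exception e) {
        System.out.println(e.toString());
    }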

This greatly compromises security. Servlet programmers who know how the servlet container works can downcast the ServletRequest and ServletResponse instances back to Request and Response and call their public methods. With a Request instance, they can call its parse method; with a Response instance, they can call its sendStaticResource method.

You cannot make the parse and sendStaticResource methods private, because they are called from other classes in the ex02.pyrmont package. However, these two methods should not be available inside a servlet. One solution is to give the Request and Response classes default (package-private) access so that they cannot be used outside ex02.pyrmont. But there is a better solution: use facade classes.

The second application adds two facade classes: RequestFacade and ResponseFacade. RequestFacade implements the ServletRequest interface and is instantiated by passing it a Request instance, which its constructor assigns to a ServletRequest object reference. That ServletRequest reference is private and cannot be accessed from outside the class. Instead of upcasting the Request object to ServletRequest and passing it to the service method, we construct a RequestFacade object and pass that to the service method. Servlet programmers can still downcast the ServletRequest instance to RequestFacade, but they can then access only the methods available in the ServletRequest interface. Now the parseUri method is safe.

Listing 2.5 shows part of the RequestFacade class:

Listing 2.5. The RequestFacade class

    package ex02.pyrmont;

    import java.util.Enumeration;
    import javax.servlet.ServletRequest;

    public class RequestFacade implements ServletRequest {
        // Private reference: the wrapped Request cannot be reached from outside
        private ServletRequest request = null;

        public RequestFacade(Request request) {
            this.request = request;
        }

        /* Implementation of ServletRequest: each method delegates to the wrapped object */
        public Object getAttribute(String attribute) {
            return request.getAttribute(attribute);
        }

        public Enumeration getAttributeNames() {
            return request.getAttributeNames();
        }
        ...
    }

Pay attention to the RequestFacade constructor. It accepts a Request object and immediately assigns it to the private ServletRequest object reference. Note that each method in RequestFacade calls the corresponding method on that ServletRequest object.

The same is true for the ResponseFacade class.
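The following added example (not code from the original article) shows the difference between handing the servlet the upcast Request and handing it a facade. To compile without servlet.jar it uses a one-method stand-in for javax.servlet.ServletRequest; the class name FacadeDemo, the parsed flag and the servletReachesParse helper are hypothetical names introduced for the illustration.

```java
// Added illustration. ServletRequest here is a one-method stand-in for
// javax.servlet.ServletRequest so the file compiles without servlet.jar.
public class FacadeDemo {
    interface ServletRequest { Object getAttribute(String name); }

    // Container-internal class: parse() is public because other container
    // classes call it, but a servlet must never be able to reach it.
    static class Request implements ServletRequest {
        boolean parsed = false;                      // hypothetical marker for the demo
        public Object getAttribute(String name) { return null; }
        public void parse() { parsed = true; }       // container-only operation
    }

    // Facade: keeps the Request in a private field, exposes only the interface.
    static class RequestFacade implements ServletRequest {
        private final ServletRequest request;
        RequestFacade(Request request) { this.request = request; }
        public Object getAttribute(String name) { return request.getAttribute(name); }
    }

    // What servlet code could attempt with the object passed to service().
    static boolean servletReachesParse(ServletRequest req) {
        try {
            ((Request) req).parse();                 // downcast to the container class
            return true;
        } catch (ClassCastException e) {
            return false;                            // a RequestFacade is not a Request
        }
    }

    public static void main(String[] args) {
        // Application 1: the upcast Request goes straight to the servlet.
        Request exposed = new Request();
        System.out.println("upcast Request: parse reachable = "
                + servletReachesParse(exposed));

        // Application 2: the servlet only ever sees the facade.
        Request guarded = new Request();
        System.out.println("RequestFacade:  parse reachable = "
                + servletReachesParse(new RequestFacade(guarded))
                + ", parsed flag = " + guarded.parsed);
    }
}
```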

The following are the classes used in Application 2:

HttpServer2
Request
Response
StaticResourceProcessor
ServletProcessor2
Constants

The HttpServer2 class is similar to HttpServer1, except that it uses ServletProcessor2 rather than ServletProcessor1 in its await method:

    if (request.getUri().startsWith("/servlet/")) {
        ServletProcessor2 processor = new ServletProcessor2();
        processor.process(request, response);
    } else {
        ...
    }

The ServletProcessor2 class is also similar to ServletProcessor1, except for the following part of its process method:

    Servlet servlet = null;
    // Wrap the container objects so the servlet never receives them directly
    RequestFacade requestFacade = new RequestFacade(request);
    ResponseFacade responseFacade = new ResponseFacade(response);
    try {
        servlet = (Servlet) myClass.newInstance();
        servlet.service((ServletRequest) requestFacade, (ServletResponse) responseFacade);
    } catch (Exception e) {
        System.out.println(e.toString());
    }

Compile and run the application

To compile the application, enter the following command in the working directory:

    javac -d . -classpath ./lib/servlet.jar src/ex02/pyrmont/*.java

To run the application on Windows, type the following command in the working directory:

    java -classpath ./lib/servlet.jar;./ ex02.pyrmont.HttpServer2

On Linux, use a colon to separate the class path entries:

    java -classpath ./lib/servlet.jar:./ ex02.pyrmont.HttpServer2

You can use the same URLs as in Application 1 and receive the same results.

Summary

This article discussed simple servlet containers that can serve static resources and process servlets as simple as PrimitiveServlet. It also provided background information about javax.servlet.Servlet.
