Tuesday 28 June 2011

JSTL or Scriptlets?

Looking back at my code I discovered that I used both JSTL tags and scriptlet code, often mixing the two in a single page. I'm aware that this is not good practice; however, when writing some sections of the code I was more comfortable using JSTL tags, while in other sections I just preferred writing scriptlet code. The overall readability of the code is not much affected. Maybe before the final delivery I will translate everything into JSTL (which seems the best solution), but as a friend told me: "Who cares? It works!"

Saturday 18 June 2011

Securing the Application

Back from holiday!!! Looking forward to finishing the project. Time for a security section.

I decided to implement basic form-based authentication, which appears to be the best solution for authenticating users through the login form. Moreover, it allows me to decide the appearance of the login form, so that it better suits the application it belongs to.

The diagram that explains the authentication mechanism is visible in the next figure:

[Figure: Form-based authentication diagram]

The main point here is the keyword j_security_check, which represents the destination in the servlet container that handles authentication and authorization. The action attribute of the HTML form tag must have this value.

More information about form-based authentication is available in the Java EE 6 tutorial: http://download.oracle.com/javaee/6/tutorial/doc/gkbaa.html#bncbq

Moreover, I have to choose whether I want to implement the security following a declarative paradigm or a programmatic paradigm.
  • With declarative security, all the security settings of the application (authentication requirements, roles, security controls...) are specified using annotations and/or deployment descriptors. Thus the security relies on the container for its management.
  • With programmatic security, the security is managed directly by the entities, classes, servlets and page views. In other words, it is integrated inside the application.
Intuitively I will follow the first approach.

Saturday 11 June 2011

Building the Shopping Cart

I finally arrived at a crossroads! The requirements for this project also include the use of Stateful Session Beans. Googling around I discovered that Stateful Beans are often used for maintaining shopping carts, due to their ability to track the whole user session. I also found some tutorials on how to implement them. Intuitively the implementation of a shopping cart can be made simply by using the HttpSession; however, Stateful Beans have considerable advantages, as this link points out: http://www.java-tips.org/java-ee-tips/enterprise-java-beans/choosing-between-httpsession-and-stateful-session.html

So I created a Stateful bean called ShoppingCart implementing the Remote interface ShoppingCartInterface. However, I was not sure how to reference it in the servlets. I tried using the annotation @EJB to inject the bean, but it didn't work. Finally, digging out some stackoverflow questions, I found what I was looking for: http://stackoverflow.com/questions/2811312/stateful-ejbs-in-web-application and http://stackoverflow.com/questions/2833457/how-do-i-obtain-a-new-stateful-session-bean-in-a-servlet-thread

I had to create a ShoppingCart object and save it in the HttpSession, so that it could be used across requests. I decided to create an instance of ShoppingCart when the customer goes to the Management section of the application. So, using these few lines of code:

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;

// Reuse the cart already stored in the session, if there is one
ShoppingCart cart = (ShoppingCart) session.getAttribute("cart");

if (cart == null) {
   try {
      // Look up a new stateful bean instance through the JNDI environment
      Context ctx = new InitialContext();
      cart = (ShoppingCart) ctx.lookup("java:comp/env/cart");
      // Keep the same instance for all later requests of this user
      session.setAttribute("cart", cart);
   } catch (NamingException e) {
      throw new ServletException("Cannot look up the shopping cart bean", e);
   }
}

everything was magically working.

Friday 3 June 2011

Session Timeout

The application design is proceeding very well. I managed to finish it in a couple of weeks. Now I'm focusing on some little details, like the session timeout. This parameter can be configured in the web.xml deployment descriptor, as follows:

<session-config>
   <session-timeout>30</session-timeout>
</session-config>

The value is expressed in minutes. It's clear that a low value (say 2-5 minutes) could affect the usability of the site and have a negative impact on the customer. On the other hand, a high value means a large number of sessions managed by the application server, which could lead to high memory usage. Thus the perfect value, in my opinion, is 10 minutes.

However, here comes another question: how can I handle situations in which a request is received for a session that has timed out or cannot be identified? The answer is simple: using a filter that intercepts all requests and checks if a session exists, and if not, forwards the request to the index page. What is a filter? Here is the answer: http://javaboutique.internet.com/tutorials/Servlet_Filters/