I have the following assignment I need to program using Jetty. I've done a bit of research into how Jetty works but I can't understand how I can have two applications running at once, as below it says I need to have two forms of URL: /student and /course.
I made a very simple web server before using com.sun.net.httpserver.HttpServer to host a page with multiple contexts (different pages based on different URLs) but I'm not sure how to emulate the same behavior in Jetty. Do I want to use multiple handlers, or a single handler with multiple contexts? How do I even implement multiple handlers or contexts? Every example I've seen seems to allow only the use of one context or one handler.
I'm not worried right now about the logic of the program. I just don't understand how to separate the logic into two accessible web apps. What type of object do I need to use to host multiple apps in one program?
Write a web application using the jetty framework that implements the following functionality. Alternative web frameworks can be used with the permission of the instructor (I will provide a signed permission note, if approved).
The application should allow for the creation and editing a student profile, the URL should start with /student. Additionaly the application should allow for the display of sections that a course is taught (similar to assignment 3). This URL for courses should start with courses. These two features are independent.
The student page should provide a form to register a student, a registered student must supply their name, student number, and contact information. Contact information should include their mailing address, and email address. The page must support creation and editing of the student's profile. Once the profile is created, the system must be able to edit all the fields. You should use fake data for testing.
The student's profile must be saved to the disk. You can serialize the Java class that contains the information and write it a file. This file should be consulted with the page is loaded by a browser.
The form data for the student page should be sent to the server using JSON. The contents of the form should be fetch from the server as a JSON message.
The student form application can be implemented using only one web page with javascript handling the form data which is sent and received using JSON. Thus your assignment must contain javascript code.
The URL for this application should start with /course. The courses page should provide a form with a course text field, a number text field, and a submit button. Once submitted the server should provide a list of all the sections for that course, or an error message if the course does not exist.
In Jetty (and nearly every other servlet engine), you deploy different web archives (.war files) into the web server.
With jetty you did this by creating your two applications and name them according to your URL, e.g. student.war and course.war
These .war files will be placed in the $JETTY_HOME/webapps directory.
Btw: If you just start with JEE and servlet engines, you should start with a very simple application to become familiar with it.
Related
Our java web application uses Alfresco as DMS. The application uses one single systemuser to connect to Alfresco. The application manages the access rights itself with some Business Logic.
Now what I'd like to accomplish, is to be able to use the MS Office URIs to do online editing of Word documents that live in Alfresco. So that's for example an URL that looks like ms-word:ofe|u|https://ourwebapp.com/documents/mydocument.docx
However if we open our documents like this, the user would end up being able to do stuff on Alfresco that we don't want them to do.
Because we want to keep our documents safe and secure, we don't want the users to be able to get the Alfresco documents "directly", but through our app. Opening Alfresco documents directly would mean that each individual user should get a unique Alfresco username/password and we don't have that and we don't want that because we already have lots and lots of documents living in Alfresco.
Surely there are other companies running into this problem? I.e. using their DMS with one single system user?
What I've already tried is to make REST endpoint. A Spring Filter ensures that an authorisation header with username/password is added and the request is forwarded to Alfresco. Then the response from Alfresco is passed back to the user. However this results in a document that's opened in read-only modus at best. Further more, it doesn't seem very secure to set up a connection with the user, using this system user credentials. For all I know, the user will be able to do stuff in Alfresco he isn't supposed to do. Like editing or even viewing other documents. A little bit like this:
There's very little documentation on how the ms-word protocol exactly works, maybe you can point me in the right direction? Or suggest some workarounds I might try out?
For this to work using sharepoint protocol (SPP) you woud have to reimplement the whole protocol server in front of your application since you control the access. There is no free or even available SPP implementation I know of you can (re)use for this.
The Alfresco protocol server may not be an option since you can't / want mirror access control from your app into alfresco. If you get access to a system like Alfresco or Sharepoint using file protocol you will get too much access rights as you already described. By following a concept of an application user you may be locked out from Alfresco concepts for end users if you can't mirror the access logic into alfresco.
Years ago we implemented a dynamic low level access voter to up- or downgrade access inside Alfresco's node service to allow specific permissions based on types and metadata. The same way someone could implement an interface to another system to delegate permission checks based on external data but this would slow down all the systems involved dramatically.
We have a similar requirement since we access documents and data from several enterprise sources including Alfresco from our own business process product having a rule and process based access concept based on cases, processes the documents are involved in- not on folders or document's static ACLs. We use a local service installed on the client partnering with the browser app for downloading, opening and saving back documents after closing the file from a local temporay (checked out) path. Our local client has no idea from Alfresco and is authenticated only against our services using JSON Web Tokens.
So my answer is more a concept not a ready to go solution in the hope to be helpful.
We have a requirement in which we have a page to show to the end user. On click of submit button on the page,an OSGI service is getting called which further calls an API.
The issue we are facing is that we are not allowed to store the API password anywhere and can only be entered by the permitted person. The challenge is:
We do not have any user interface to enable such thing.
What we could think of is getting the password entered in console during AEM startup but not aware how this is possible and everytime
any of the multiple instances is restarted, we will need to call the
permitted person to enter the password.
Can anybody provide his/her inputs on achieving this.
I would strongly suggest to question the requirement:
AEM works best with staticky rendered pages delivered from the dispatcher
personalised content requires therefore extra effort
But it can be achieved nonetheless:
you could deliver a static page and render the personalised information about the user via JavaScript and retrieve it via servlet call.
In case you need to store the password, you could create an OSGi bundle which is deployed and started when an instance is started. Usually you can achieve this by packaging it via content package and put it into an install folder: https://helpx.adobe.com/experience-manager/kb/HowToInstallPackagesUsingRepositoryInstall.html
The dispatcher must be configured to not cache this page though.
If I understand clearly then you are not permitted to store the api password in the AEM console. Can you store it in the server away from the AEM instance? If yes then you can create a file like a properties file and store it in the server and read the same file from you service before making the api call.
So, I'm in the middle of building an application where I want the user to be able to send a link to another user and work on the same data. There is little need to persist the data for more than 15 minutes and I want the application to not have to rely on a database.
I have a few variables which I am currently storing in a HttpSession.
Ideally I'd like to be able to set a parameter "sid" in the URL, and use that to set the session ID on the second client's browser - the one that's received a link with the SID.
Unfortunately, there seems to be no way to change the SID of a current session once it's been set up.
The only solution I've come up with so far is referring to the doGet() with a HttpPost.setHeader("Cookie", "JSESSIONID="+ getSessionId()) method, and getting the data with a specific session that way, but this seems pretty clunky.
Any suggestions?
EDIT
This has seemingly turned into a discussion about the wisdom of setting two users up to have the same session so session vars may be kept the same. Note that a non-db, ie light weight solution was what I was looking for. PHP allows you to arbitrarily set a session ID to do this, but I'm deploying to Tomcat in this instance. Something which allows lightweight sharing of a few parameters, that's it...
What I've done, then, is to set context vars using context.setAttribute(). Ugly as sin, but all I can come up with, unless anyone has any better ideas.
This approach has some security issues because you are simulating [session hijacking] with it 1:
In computer science, session hijacking, sometimes also known as cookie
hijacking is the exploitation of a valid computer session—sometimes
also called a session key—to gain unauthorized access to information
or services in a computer system. In particular, it is used to refer
to the theft of a magic cookie used to authenticate a user to a remote
server. It has particular relevance to web developers, as the HTTP
cookies used to maintain a session on many web sites can be easily
stolen by an attacker using an intermediary computer or with access to
the saved cookies on the victim's computer (see HTTP cookie theft).
Better approach is to set your data in a way that both users can approach it from their sessions. If you are using single server you can do that with some global data within a server. In clustered or cloud environments you'll need some common storage for that (ie. database, global cache, etc.)
EDIT
You are on a right track to share data among two users with different sessions.
There is one context per "web application" per Java Virtual Machine
where an attribute allows a servlet container to give the servlet
additional information.
Attributes are meant to be used to share data inside container among servlets of the same web application.
For clusters:
In the case of a web application marked "distributed" in its
deployment descriptor, there will be one context instance for each
virtual machine. In this situation, the context cannot be used as a
location to share global information (because the information won't be
truly global). Use an external resource like a database instead.
I have a web PHP web application that has a link to a java web application. The php application has a login page, and a link to the the java application, but not every user has permission to access the java web application. What I was trying to do is send user credentials from the php application to the java application, and then the java application checks the credentials and if correct logs in the user. I was thinking of using http headers to do this.
So my question is what is how to send user credentials from a PHP application to a java application?
If it helps I am using a Java web framework called Vaadin.
Do a normal POST request from the PHP application to the java application. This can be done as simply as having a normal HTML form in the PHP application, set the form's method to "POST" and action to the java application's URL. If you want to catch HTTP parameters in a Vaadin application, you can do it by using request handlers (https://vaadin.com/book/vaadin7/-/page/advanced.requesthandler.html).
Then a few words of advice or something to at least consider. If your login page is in the PHP application and your "admin" application is the Vaadin application, then I discourage you from doing the credential checking in the Vaadin application. This is because when you enter the Vaadin application, a new application instance is created. This means that your UI will be initialized and whatever else you do in the UI's init method. What you probably want to do, is to hinder the user from entering the Vaadin application unless she is logged in - which means that you need to do the credential checking somewhere else - for example, have a separate servlet whose only responsibility is to log in the user. If login is granted, then give access to the Vaadin application, if access is denied, forward the user to the PHP login screen. The next question is, how do you hinder the user from accessing the Vaadin application until she is logged in? Typically, this is done using servlet filters.
I highly encourage you to use a 3rd party framework for doing the authentication and authorization. Take a look at http://shiro.apache.org/, it's easy to install and seems to work nicely together with Vaadin. All you need to do is to configure it and implement a login screen, the framework will take care of the rest.
If I understood your question, you want to be able to provide an "auto-login-link" to some specific users that are logged in to the PHP application. This link should automatically login the user to the java application, right?
Without knowing any details about this case, like are both apps running on the same domain or do they use the same database (same user credentials in both apps), etc., I would propose the following solution:
Create an action (link) on the java application, which receives the necessary parameters (as GET) needed for creating the session (probably userId is sufficient), timestamp and a signature of all parameters. For example:
http://javaapp.example.com/autologin?userId=123&timeStamp=123456789&sign=hj23kh4j234jk324h
Where the signature is calculated with some strong encryption algorithm. Then you verify that the signature is correct at the receiving end (java app). If it is correct, you create the session. Signature calculation could be something like:
$signature = sha1($userId . $timeStamp . 'some salt' . $sharedSecretBetweenBothApps);
With the timeStamp you are able to check that an old link is not used. For example not allow older than 15 min old links and store used links in the java app to make sure they are never re-used. You do not have to keep history of links older than the expiration time.
Another idea, as discussed in the comments, is creating an API on the java side, which is able to provide a one-time link.
The sha1 algorithm is probably not strong enough, but shows the idea and is simple to implement.
Does this answer your question?
The first part of the requirement is to be able to embed our website (say www.mysite.com) into our partners' websites (say www.partner1.com).
Second part is the customer visiting our pages from the partners' website should be able to bookmark our pages (Bookmarked link www.partner1.com/page/sample.jsp should take the user to www.mysite.com/page/sample.jsp internally). Customer should see www.partner1.com/page/sample.jsp in the address bar and should not know that the page is being served by www.mysite.com.
Hence iFrame is out of question. Is there any better way of doing so? Is there a product that supports this kind of embedding?
We eventually want to embed our site with multiple partners and provide the same bookmarking feature.
What you're looking for is a reverse proxy. This is a web server component running on your partner's site, that fetches pages from your server and delivers them to the end customer. Apache defines a reverse proxy as:
A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.
This in turn is more of a system administration question than a programming question. I don't know what web server your partner is using, but the relevant Apache documentation is here. If you want secrecy, check the web server headers carefully to ensure information doesn't leak out.