
Putting it together


maire




Presentation Transcript


  1. Putting it together
     http://www.flickr.com/photos/maggiew/6145245962/

  2. Let's put the pieces together
     • Creating a little mobile web app
       • To show how to combine "normal" desktop web, mobile web, and cloud
       • To illustrate some security-related issues
         • Including input validation
         • Including login and session
         • Including protecting users from JS injection
       • To introduce a few new APIs
         • Session
         • Hashing
         • File upload
         • Regular expressions
         • Generating JSON

  3. Key functionality of this example app
     • For a standard desktop browser…
       • A user can log in / create an account
       • The user can then upload a photo and a caption
     • For a mobile device…
       • A user can view all images and their captions

  4. Demo and walkthrough

  5. Tracking logins
     • Key concepts
       • Session contains information on the server for a particular user
       • Session can expire after a period of inactivity
     • Key code
       • session.setAttribute() and .getAttribute()
       • <sessions-enabled>true</sessions-enabled> in appengine-web.xml
       • In JS, assign URL to location object to redirect

  6. Hashing
     • Key concepts
       • Don't store passwords in the database: Why make it trivial for Google to see your users' passwords?
       • Hashing a password irreversibly "digests" it
       • Also hash it with a string unique to your app
     • Key code
       • md = MessageDigest.getInstance("SHA-256")
       • md.update() and md.digest()
       • There are various ways to map from bytes to chars

  7. Validating inputs, escaping outputs
     • Key concepts
       • If an input is obviously invalid, try to catch it on the client and on the server (preferably both) before insertion into the database
       • Never blindly copy special characters out of the datastore to your users' browsers
     • Key code
       • inputstring.matches(regex)
       • outputstring.replaceAll(regex, replacement), or send content to browser as JSON
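As an added example (not code from the slides or the demo app), here is how slides 6 and 7 might be implemented in Java: the app-specific string and the password are fed to a SHA-256 MessageDigest, the digest bytes are mapped to hex characters, a caption is validated with String.matches on the server, and special characters are escaped with replaceAll before the caption is sent to a browser. The class name, the app-specific string and the caption pattern are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class PhotoAppSecurity {
    // Assumed app-specific string (the slides' "string unique to your app").
    // A random per-user salt plus a slow password hash is the stronger choice today.
    private static final String APP_STRING = "example-photo-app";

    // Assumed caption rule: letters, digits, spaces and basic punctuation, 1-140 chars.
    private static final String CAPTION_REGEX = "[A-Za-z0-9 .,!?'-]{1,140}";

    // Slide 6: digest APP_STRING followed by the password, then map bytes to hex chars.
    public static String hashPassword(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(APP_STRING.getBytes(StandardCharsets.UTF_8));
        md.update(password.getBytes(StandardCharsets.UTF_8));
        byte[] digest = md.digest();
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b)); // two lowercase hex chars per byte
        }
        return hex.toString();
    }

    // Slide 7, input side: reject anything that does not match the whole pattern
    // before it reaches the datastore (the client may check too, but never only the client).
    public static boolean isValidCaption(String caption) {
        return caption != null && caption.matches(CAPTION_REGEX);
    }

    // Slide 7, output side: replace characters the browser would treat as markup.
    // '&' must be escaped first so the entities added afterwards are not re-escaped.
    public static String escapeForHtml(String s) {
        return s.replaceAll("&", "&amp;")
                .replaceAll("<", "&lt;")
                .replaceAll(">", "&gt;")
                .replaceAll("\"", "&quot;")
                .replaceAll("'", "&#39;");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(hashPassword("correct horse"));
        System.out.println(isValidCaption("Sunset at the lake"));
        System.out.println(isValidCaption("<script>x</script>"));
        System.out.println(escapeForHtml("<script>x</script> & \"quotes\""));
    }
}
```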

  8. Uploading files
     • Key concepts
       • Uploading a file requires encoding & posting it (multipart encoding)
       • Receiving the file on the server requires decoding using a library (add to classpath & WEB-INF/lib)
     • Key code
       • <form method="post" enctype="multipart/form-data">
       • ServletFileUpload, FileItemIterator, FileItemStream, Streams from the commons fileupload library

  9. Generating JSON
     • Key concepts
       • Browser contains only static HTML and JS
       • Server retrieves objects from datastore and converts them to JSON (add library to build path & libs)
     • Key code
       • new JSONArray().add()
       • new JSONObject().put(key, value)
       • .toString()
