90 likes | 213 Views
Putting it together. http://www.flickr.com/photos/maggiew/6145245962/. Let's put the pieces together. Creating a little mobile web app To show how to combine "normal" desktop web, mobile web, and cloud To illustrate some security-related issues Including input validation
E N D
Putting it together http://www.flickr.com/photos/maggiew/6145245962/
Let's put the pieces together • Creating a little mobile web app • To show how to combine "normal" desktop web, mobile web, and cloud • To illustrate some security-related issues • Including input validation • Including login and session • Including protecting users from JS injection • To introduce a few new APIs • Session • Hashing • File upload • Regular expressions • Generating JSON
Key functionality of this example app • For a standard desktop browser… • A user can log in / create an account • The user can then upload a photo and a caption • For a mobile device… • A user can view all images and their captions
Tracking logins • Key concepts • Session contains information on the server for a particular user • Session can expire after a period of inactivity • Key code • session.setAttribute() and .getAttribute() • <sessions-enabled>true</sessions-enabled> in appengine-web.xml • In JS, assign URL to location object to redirect
Hashing • Key concepts • Don't store passwords in the database: Why make it trivial for Google to see your users' passwords? • Hashing a password irreversibly "digests" it • Also hash it with a string unique to your app • Key code • md = MessageDigest.getInstance("SHA-256") • md.update() and md.digest() • There are various ways to map from bytes to chars
Validating inputs, escaping outputs • Key concepts • If an input is obviously invalid, try to catch it on the client and on the server (preferably both) before insertion into the database • Never blindly copy special characters out of the datastore to your users' browsers • Key code • inputstring.matches(regex) • outputstring.replaceAll(regex, replacement) or send content to browser as JSON
Uploading files • Key concepts • Uploading a file requires encoding & posting it (multipart encoding) • Receiving the file on the server requires decoding using a library (add to classpath & WEB-INF/lib) • Key code • <form method="post" enctype="multipart/form-data"> • ServletFileUpload, FileItemIterator, FileItemStream, Streams from the commons fileupload library
Generating JSON • Key concepts • Browser contains only static HTML and JS • Server retrieves objects from datastore and converts JSON (add library to build path & libs) • Key code • new JSONArray().add() • new JSONObject().put(key, value) • .toString()