
Web-tier Design Issues & Refactorings



Presentation Transcript


  1. Web-tier Design Issues & Refactorings

  2. Web-tier Design Considerations • Session Management • Client Access Control • Duplicate Form Submission • Validation

  3. Session Management • Session State on Client • Easy to implement • Avoids state replication across servers • HTTP Cookies and HTML Hidden Fields • Security concerns: the client can read, modify and replay anything stored there, so such state must be validated on the server and, where it matters, integrity-protected (signed) or encrypted • Session State on Server • Servlet Session Object (HttpSession) • Server Farm? • Server affinity (route each user to the same server), or keep the state in a business-tier solution shared by all servers
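The "security concerns" bullet is the part of this slide a practitioner needs to act on: a hidden field or cookie comes back from a browser the server does not control. The following is an added example, not code from the slides, showing one standard answer: attach an HMAC to the state before sending it and verify it on return. The class name, the field layout and the secret handling are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added example: state round-tripped through a hidden field or cookie, with an HMAC so the
 *  server can detect client-side tampering. Class and field names are assumptions. */
public final class SignedClientState {
    private static final String ALG = "HmacSHA256";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    /** The secret stays on the server; the client only ever sees payload + tag. */
    public SignedClientState(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, ALG);
    }

    private byte[] tag(String payload) {
        try {
            Mac mac = Mac.getInstance(ALG);
            mac.init(key);
            return mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Value to emit in the hidden field: base64url(payload) "." base64url(HMAC(payload)). */
    public String seal(String payload) {
        return ENC.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + "." + ENC.encodeToString(tag(payload));
    }

    /** Returns the payload if the tag verifies, or null if the field is malformed or was altered. */
    public String open(String sealed) {
        int dot = sealed.lastIndexOf('.');   // base64url never contains '.', so this split is unambiguous
        if (dot < 0) return null;
        try {
            String payload = new String(DEC.decode(sealed.substring(0, dot)), StandardCharsets.UTF_8);
            byte[] presented = DEC.decode(sealed.substring(dot + 1));
            // Constant-time compare: String.equals / Arrays.equals stop at the first differing byte
            return MessageDigest.isEqual(presented, tag(payload)) ? payload : null;
        } catch (IllegalArgumentException e) {   // not valid base64url
            return null;
        }
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);   // real deployment: loaded from configuration and shared by every server in the farm
        SignedClientState state = new SignedClientState(secret);

        String field = state.seal("user=42;step=2;total=19.99");   // constructed sample state
        System.out.println("hidden field : " + field);
        System.out.println("verified     : " + state.open(field));   // user=42;step=2;total=19.99

        // A client that edits the payload keeps the old tag, which no longer matches
        String oldTag = field.substring(field.lastIndexOf('.'));
        String forged = ENC.encodeToString("user=42;step=2;total=0.01".getBytes(StandardCharsets.UTF_8)) + oldTag;
        System.out.println("forged       : " + state.open(forged));   // null
    }
}
```

The tag gives integrity only. It does not hide the payload (nothing secret belongs in it) and it does not stop the client from replaying an older, validly signed value, so the payload should carry whatever binds it to a user and a time window (user id, expiry) and the server should check those after `open` succeeds.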

  4. Client Access Control • Role Based Access • Front Controller • Centralizes access control • Embedded Access Control • Good for portions of pages • Runtime system configuration

  5. Embedded Access Control
  <%@ taglib uri="…../qos.tld" prefix="qos" %>
  <qos:authorizePage role="admin" />
  <html> … </html>
  Or
  <%@ taglib uri="…../qos.tld" prefix="qos" %>
  <html>
  Some unprotected stuff
  <qos:authorizePortion role="admin">
  Some protected stuff
  </qos:authorizePortion>
  Some unprotected stuff
  </html>
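The slide shows only the JSP side of the tags. As an added example (not the deck's qos library, whose implementation the slides do not show), here are two JSP 2.x tag handlers that behave as the slide describes: one renders its body only for the given role, the other aborts the page. Class names, the TLD entries and the `role` attribute are assumptions; the two classes go in two source files as marked. The container's own role mapping (`isUserInRole`) is the source of the decision, which is the point of the example.

```java
// TLD entries assumed for the taglib referenced by the directive on the slide:
//   <tag><name>authorizePortion</name><tag-class>AuthorizePortionTag</tag-class>
//        <body-content>scriptless</body-content>
//        <attribute><name>role</name><required>true</required></attribute></tag>
//   <tag><name>authorizePage</name><tag-class>AuthorizePageTag</tag-class>
//        <body-content>empty</body-content>
//        <attribute><name>role</name><required>true</required></attribute></tag>

// --- AuthorizePortionTag.java ---
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/** <qos:authorizePortion role="admin"> ... </qos:authorizePortion>: the body is evaluated only for that role. */
public class AuthorizePortionTag extends SimpleTagSupport {
    private String role;

    public void setRole(String role) { this.role = role; }   // filled by the container from role="..."

    @Override
    public void doTag() throws JspException, IOException {
        HttpServletRequest req = (HttpServletRequest) ((PageContext) getJspContext()).getRequest();
        // The decision uses the container's authenticated principal and role mapping, never a request parameter
        if (role != null && req.isUserInRole(role) && getJspBody() != null) {
            getJspBody().invoke(null);   // null: write the body to the page's own JspWriter
        }
        // Otherwise nothing is emitted, so the protected markup never leaves the server
    }
}

// --- AuthorizePageTag.java ---
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
import javax.servlet.jsp.SkipPageException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/** <qos:authorizePage role="admin" />: placed before any output, it aborts the whole page for anyone else. */
public class AuthorizePageTag extends SimpleTagSupport {
    private String role;

    public void setRole(String role) { this.role = role; }

    @Override
    public void doTag() throws JspException, IOException {
        PageContext ctx = (PageContext) getJspContext();
        HttpServletRequest req = (HttpServletRequest) ctx.getRequest();
        if (role == null || !req.isUserInRole(role)) {
            ((HttpServletResponse) ctx.getResponse()).sendError(HttpServletResponse.SC_FORBIDDEN);
            throw new SkipPageException();   // stop evaluating the page; nothing after the tag is rendered
        }
    }
}
```

`sendError` only works while the response buffer is still empty, which is why the slide places `authorizePage` before the `<html>` element. The role names used in the tags must exist in the application's security-role declarations, or `isUserInRole` is always false.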

  6. Duplicate Form Submission • Protect against hitting back button and resubmitting form information • Synchronizer (or Déjà vu) Token • Set token in user’s session and include with each form submission • Update token in user’s session when submission takes place • Can also use a synchronizer token to direct flow through site. • When a page is accessed, update/check synchronizer token

  7. Validation • Client validation vs Server validation • Client • Simple validation using JavaScript • Never rely on it: the user can disable JavaScript or send the request without the browser at all, so client-side checks only improve usability • Server • Validate as you extract information from the form; this is the only check an attacker cannot bypass • Error Handling • Error Vector Bean • As errors happen, put them in the vector • Forward right back to the current page • Page always displays errors • Errors are best noted near the field where the error occurred.

  8. Validation • Consider validation based on abstract types (an e-mail address, a bounded integer) rather than on individual form fields • Separate the validation of the model data from the controller logic • Validation is then more generic and reusable (the slide's diagram attaches validate to the Model rather than to the Controller)
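Slides 7 and 8 describe the server-side flow in words: extract, validate against abstract types, collect errors in a bean, forward back to the page. The following is an added example, not code from the slides, putting those steps together; class names, the JSP path and the `javax.servlet` package (Jakarta EE 9+ uses `jakarta.servlet`) are assumptions, and an `ArrayList` stands in for the slide's `Vector`.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Raw form fields as submitted; conversion to real types happens during validation. */
class OrderForm {
    String email;
    String quantity;
}

/** One entry of the error list; the field name lets the page print the message next to the input. */
class ValidationError {
    final String field, message;
    ValidationError(String field, String message) { this.field = field; this.message = message; }
    @Override public String toString() { return field + ": " + message; }
}

/** Validation of the model data, written against abstract types and free of any servlet API. */
class OrderValidator {
    private static final Pattern EMAIL = Pattern.compile("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$");

    static List<ValidationError> validate(OrderForm f) {
        List<ValidationError> errors = new ArrayList<>();   // the slide's "error vector"
        if (f.email == null || !EMAIL.matcher(f.email).matches())
            errors.add(new ValidationError("email", "Enter a valid e-mail address"));
        try {
            int q = Integer.parseInt(f.quantity == null ? "" : f.quantity.trim());
            if (q < 1 || q > 100)
                errors.add(new ValidationError("quantity", "Quantity must be between 1 and 100"));
        } catch (NumberFormatException e) {
            errors.add(new ValidationError("quantity", "Quantity must be a whole number"));
        }
        return errors;
    }

    /** Stand-alone check of the validator with constructed input. */
    public static void main(String[] args) {
        OrderForm bad = new OrderForm();
        bad.email = "not-an-address";
        bad.quantity = "12abc";
        System.out.println(validate(bad));   // [email: Enter a valid e-mail address, quantity: Quantity must be a whole number]
        OrderForm good = new OrderForm();
        good.email = "alice@example.com";
        good.quantity = " 3 ";
        System.out.println(validate(good));  // []
    }
}

/** The controller only extracts fields, asks the validator, and decides where to forward. */
public class OrderServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        OrderForm form = new OrderForm();
        form.email = req.getParameter("email");
        form.quantity = req.getParameter("quantity");

        List<ValidationError> errors = OrderValidator.validate(form);
        if (!errors.isEmpty()) {
            req.setAttribute("errors", errors);   // the page always renders this list, next to the offending fields
            req.setAttribute("form", form);       // so the user's input is not lost
            req.getRequestDispatcher("/WEB-INF/jsp/order.jsp").forward(req, resp);   // forward right back to the current page
            return;
        }
        // ... input is valid: convert and hand a plain object to the business tier ...
        resp.sendRedirect(req.getContextPath() + "/order/confirmation");
    }
}
```

Because `OrderValidator` never touches `HttpServletRequest`, the same rules can be reused by a batch import or a test without a container, which is what slide 8 means by keeping validation out of the controller.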

  9. Web-tier Bad Practices • Duplicate Control Code in Multiple Views • Exposing Presentation-tier data structures to business tier • HttpServletRequest etc. • Allowing duplicate form submission • Exposing sensitive resources to direct client access • Creating Fat Controllers

  10. Refactorings

  11. Introduce a Front Controller • Problem: Control logic is scattered throughout the application • Solution: a single Front Controller receives every client request and dispatches to JSPView 1 … 4 through helper classes and a JavaBean (the slide's diagram) • Communicate with views using a session bean on the server

  12. Servlet forwarding
  public void doGet(HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
      String op = request.getParameter("operation");
      if (op == null)
          gotoPage("URL1", request, response);
      else if (op.equals("op1"))
          gotoPage("URL2", request, response);
      // any other value falls through unanswered; a real controller should reject unknown operations explicitly
  }

  private void gotoPage(String URL, HttpServletRequest request, HttpServletResponse response)
          throws ServletException, IOException {
      // Server-side forward: the client never sees URL1/URL2, so the views can live under /WEB-INF, out of direct reach
      RequestDispatcher dispatcher = getServletContext().getRequestDispatcher(URL);
      dispatcher.forward(request, response);
  }

  13. Introduce a Synchronizer Token • Problem: Clients make duplicate requests or out-of-order requests • Solution: Shared token stored in the session and compared with the token carried by each request

  14. Synchronizer Token • Generate token upon sending form • Include in the form • Compare token when data is returned • Change token when data is submitted
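Slides 6, 13 and 14 give the four steps of the pattern without code. The following is an added example, not from the slides, of one form protected that way: GET issues the token and puts it in the form, POST accepts a submission only if the token matches the session's copy and then replaces it, so a Back-button resubmit or a double click is rejected. The servlet, attribute names and confirmation URL are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Added example (not code from the slides): one form protected by a synchronizer token. */
public class OrderFormServlet extends HttpServlet {
    static final String TOKEN_ATTR = "syncToken";   // assumed session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Fresh, unguessable token (128 bits); a guessable one would let a replayed request pass. */
    static String newToken() {
        byte[] b = new byte[16];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    /** Compares the submitted token with the session's and, on success, rotates it so it cannot be used twice. */
    static boolean consumeToken(HttpSession session, String submitted) {
        synchronized (session) {   // narrows the window where two concurrent posts could both see the old token
            Object expected = session.getAttribute(TOKEN_ATTR);
            if (expected == null || submitted == null) return false;
            boolean ok = MessageDigest.isEqual(
                    ((String) expected).getBytes(StandardCharsets.UTF_8),
                    submitted.getBytes(StandardCharsets.UTF_8));
            if (ok) session.setAttribute(TOKEN_ATTR, newToken());   // change token when data is submitted
            return ok;
        }
    }

    /** Generate the token upon sending the form and include it in the form. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        String token = newToken();
        session.setAttribute(TOKEN_ATTR, token);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<form method=\"post\">");
        out.println("  <input type=\"hidden\" name=\"token\" value=\"" + token + "\">");   // base64url: no HTML metacharacters
        out.println("  <input name=\"item\"> <button type=\"submit\">Order</button>");
        out.println("</form>");
    }

    /** Compare the token when the data comes back; process the order only if it matches. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        HttpSession session = req.getSession(false);
        if (session == null || !consumeToken(session, req.getParameter("token"))) {
            // Back button + resubmit, a double click, or a request that skipped the form page: reject, do not reprocess
            resp.sendError(HttpServletResponse.SC_CONFLICT, "This form was already submitted or has expired");
            return;
        }
        // ... hand the order to the business tier exactly once ...
        // Redirect after POST so that Refresh on the confirmation page performs a GET, not another POST
        resp.sendRedirect(req.getContextPath() + "/order/confirmation");
    }
}
```

One token per session means a form opened in two tabs invalidates the first tab; if that matters, keep a small map of outstanding tokens keyed by form name instead of a single attribute. Because the token is unpredictable, bound to the session and never accepted from a cookie, the same mechanism also serves as the usual defence against cross-site request forgery.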

  15. Hide Presentation Specific Detail from the Business Tier • Rather than passing presentation-specific objects (HttpServletRequest) to the business tier, place the data in a more generic structure (the slide's diagram: before, Web passes HttpServletRequest to Business; after, Web passes a UserInfo object)

  16. Other Refactorings • Remove Conversions from view • Use helper classes • Hide Resources from clients • Use Front controller • Use container controls

  17. Handling Forgotten Passwords • User information should contain a secure email address. • Email password to address • This assumes that if the user has lost control of email, they have more serious problems than a forgotten password. • Java Mail API • Caveat: emailing the password itself requires storing passwords in recoverable form; current practice is to store only a password hash and e-mail a single-use, time-limited reset link instead.
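The slide's flow keeps the trust assumption about the mailbox; the following added example (not from the slides) keeps that assumption but swaps the e-mailed password for a single-use, time-limited reset token, because sending the password means storing it in recoverable form. The token store, its expiry, the SMTP host and the URLs are assumptions; the mail is sent with the JavaMail API the slide names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

/** Added example: e-mailed reset link instead of an e-mailed password. */
public class PasswordReset {
    private static final long TTL_MS = 15 * 60 * 1000L;   // assumed: link valid for 15 minutes
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Pending {
        final String username; final long expiresAt;
        Pending(String u, long e) { username = u; expiresAt = e; }
    }
    // sha256(token) -> pending reset. Only the hash is stored, so a copy of this table cannot reset anyone's password.
    // In-memory map here; a database table in practice.
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Creates a single-use token for the account and returns the raw value to put in the e-mailed link. */
    public String issueToken(String username) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);   // 256 random bits: the token is the only credential in the link
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(sha256Hex(token), new Pending(username, System.currentTimeMillis() + TTL_MS));
        return token;
    }

    /** Returns the account the token belongs to, or null if it is unknown, expired or already used. */
    public String redeem(String token) {
        if (token == null) return null;
        Pending p = pending.remove(sha256Hex(token));   // remove first: a token can be redeemed at most once
        if (p == null || System.currentTimeMillis() > p.expiresAt) return null;
        return p.username;
    }

    /** Sends the link with the JavaMail API. Host, sender and reset URL are placeholders. */
    public void sendResetMail(String to, String token) throws MessagingException {
        Properties props = new Properties();
        props.put("mail.smtp.host", "smtp.example.com");
        Session session = Session.getInstance(props);
        MimeMessage msg = new MimeMessage(session);
        msg.setFrom(new InternetAddress("no-reply@example.com"));
        msg.setRecipients(Message.RecipientType.TO, InternetAddress.parse(to));
        msg.setSubject("Password reset");
        msg.setText("Follow this link within 15 minutes to choose a new password:\n"
                + "https://example.com/reset?token=" + token + "\n"
                + "If you did not request this, ignore this message.");
        Transport.send(msg);
    }

    /** Stand-alone check of the token lifecycle (no mail is sent). */
    public static void main(String[] args) {
        PasswordReset reset = new PasswordReset();
        String token = reset.issueToken("alice");
        System.out.println("redeem once : " + reset.redeem(token));         // alice
        System.out.println("redeem again: " + reset.redeem(token));         // null (single use)
        System.out.println("garbage     : " + reset.redeem("not-a-token")); // null
    }
}
```

The page behind the link lets the user set a new password and stores only its hash. The request form should respond identically whether or not the address is registered, so the feature cannot be used to enumerate accounts.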
