1. Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and are licensed under the Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
Notas do Editor
Now we walk through the code… Main() creates a SimpleWebServer object and calls its run() method. The run() method is just an infinite loop that waits for a connection from a client, and then attempts to process the request.
Here is the SimpleWebServer object. First we initialize a variable that holds the port number the web server should listen to for connections from clients. Then we initialize a ServerSocket. Socket: The method of directing data to the appropriate application in a TCP/IP network. The combination of the IP address of the station and a port number make up a socket. Think of this like an electrical socket. A web server and a web client both have a “virtual” power strip with many sockets on it. A web client can talk to a server by selecting one of its sockets, and then selecting a server socket and plugging a virtual wire into each end. The run() method has an infinite loop waiting for a connection from a client. The call to ServerSocket accept() returns a socket object that corresponds to a unique socket on the server. This allows the server to communicate with the client. Once the communication is established, the client’s request is processed.
processRequest() takes the client socket as input. It uses this socket to create BufferedReader and OutputStreamWriter objects. Once these communication objects are created, the method attempts to read a line of input from the client using the BufferedReader. We expect this line of input to be an HTTP GET request (as discussed earlier).
The StringTokenizer object is used to break up the request into its constituent parts: GET, the pathname to the file the client would like to download. If the command is a “GET”, we call the serveFile() method, else we issue an error. Then we close the connection to the client.
The first “if” removes the initial slash at the beginning of the pathname, and the second “if” sets the file to be downloaded = index.html, if another file was not specified.
Now the method attempts to open the file and read it into the web server’s memory. If the FileReader object is unable to open the file and read a byte from it, it issues an error message.
If the file was successfully opened, send the HTTP/1.0 200 OK message and then the method enters a while loop that reads bytes from the file and appends them to a StringBuffer, until the end of the file is reached. Then this StringBuffer is sent to the client.
Trace the code, assuming a CR sent from the client. We read the line of input from the client. When we tokenize, the line: command = st.nextToken(); results in an exception. Control is returned to run() which does not handle the exception; then control is returned to main() which does not handle the exception either. Java terminates the application.
Close the connection to the client, rather than crash the server…
We also need to make sure the function fails in a secure manner.
This is also a good example of a fail-safe approach: even if one or more components of a system fail, there is still some level of security.