dynamic content
DESCRIPTION
Dynamic content. Basic architecture of the web. Dynamic web pages. Stages: Collect data from user in browser Usually using an HTML form Send data in HTTP request to server Server processes request (dynamically) Different models of how to do this Server sends HTTP response to browser - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/1.jpg)
Dynamic content
1WUCM1
![Page 2: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/2.jpg)
WUCM1 2
Basic architecture of the web
![Page 3: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/3.jpg)
Dynamic web pages
• Stages:– Collect data from user in browser
• Usually using an HTML form– Send data in HTTP request to server– Server processes request (dynamically)
• Different models of how to do this– Server sends HTTP response to browser– Browser displays response
3WUCM1
![Page 4: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/4.jpg)
HTML forms<FORM METHOD=GET ACTION="/cgi-bin/mycgi.bat"> <p> Which lecture are you missing? (Give the lecture number not
title) <INPUT NAME="WUCMI_unit" TYPE=int> <p> When will you come to collect them? <ol> <li>Next lecture <INPUT NAME="collect_type" TYPE=checkbox
VALUE="NextLecture"> <li>Next tutorial <INPUT NAME="collect_type" TYPE=checkbox
VALUE="NextTutorial"> <li>At 5:00pm on Friday this week <INPUT NAME="collect_type" TYPE=checkbox VALUE="Friday"> </ol> <p> Your CAM number? <INPUT NAME="cam_num" id="cam_num" SIZE=20> <hr> <p> <INPUT TYPE=submit> <INPUT TYPE=reset></FORM>
4WUCM1
![Page 5: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/5.jpg)
WUCM1 5
Passing data to the server
• HTTP methods– GET for data retrieval– POST for data update– (and others we can ignore)
![Page 6: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/6.jpg)
Passing data to the server
• Using GETGET /cgi-bin/mycgi.bat?WUCMI_unit=78&collect_type=NextTutorial&dis_num=67 HTTP/1.0<headers...>
• Using POSTPOST /cgi-bin/mycgi.bat HTTP/1.0<headers...>
WUCMI_unit=78&collect_type=NextTutorial&dis_num=67
WUCM1 6
![Page 7: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/7.jpg)
WUCM1 7
HTTP encoding
• Queries– ? separates path from query
• Parameters– & separates name/value pairs– = separates name and value
• Encoding– + for space– %xx for special characters (e.g. %7E for ~)
![Page 8: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/8.jpg)
WUCM1 8
Dynamic web pages
• Four models:– Server-side includes (SSI)– CGI– Server modules– Auxiliary servers
![Page 9: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/9.jpg)
WUCM1 9
CGI architecture
![Page 10: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/10.jpg)
WUCM1 10
CGI characteristics
• Web server creates a new process for each request that maps onto a program
• Data passed according to CGI • Server reads output of program from program • CGI spec: http://hoohoo.ncsa.uiuc.edu/cgi/• Can use pretty much any programming
language – best known Perl, Python, C/C++
![Page 11: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/11.jpg)
Pros and cons of CGI
• Pros:– Independent of server - if
program crashes it cannot affect the server
– The web server takes up less memory if it does not load any server modules
– Any memory (or other resources) used by the CGI program is released when the CGI program terminates
• Cons:– The time to create a new
process to handle the CGI request is relatively long
– For programs that access databases, each new process must establish a new database connection
11WUCM1
![Page 12: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/12.jpg)
WUCM1 12
Server module
![Page 13: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/13.jpg)
Server module characteristics
• Web server invokes interpreter via API for each request that maps onto a program
• Data passed via API • Server gets output via API • Popular for:
– PHP– ASP.NET– Perl (as an alternative to CGI)
13WUCM1
![Page 14: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/14.jpg)
Pros and cons of server modules• Pros:
– No need to create a separate process, therefore faster
– For programs that access databases, the server can maintain a persistent connection to a database, saving reconnection time
• Cons:– Server and program
inextricably linked - a crash within the server module may crash the server
– The web server will occupy more memory because of the size of the server module(s) it loads
– If any server module needs a lot of memory, that memory will not be released (at least not until the server dies)
14WUCM1
![Page 15: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/15.jpg)
WUCM1 15
Auxiliary server
![Page 16: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/16.jpg)
Auxiliary server characteristics
• Auxiliary server runs on a different TCP/IP port (and potentially on a different machine)
• Relevant requests forwarded by web server to auxiliary server
• Server passes response back• Common for:
– Java– PL/SQL (Oracle)
16WUCM1
![Page 17: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/17.jpg)
Pros and cons of auxiliary servers
• Pros:– No need to create a new
process for each request – Can maintain state (if
desired) including database connections
– Separate from the main web server
• Cons:– Overhead of resending
HTTP requests and responses
17WUCM1
![Page 18: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/18.jpg)
Big benefits of auxiliary servers
• Enterprise scalability– add new web servers– add new auxiliary servers– cross-connect between them– fits in with database scalability
• Resilience and reliability
18WUCM1
![Page 19: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/19.jpg)
Web programming languages• Programmatic
– Output HTML in print statements
– Use normal programming language constructs
• Examples:– Perl– Java (servlets)– C/C++
• Better when the complexity is in the data capture and processing
• Output-based– HTML page with programming
statements embedded– Can require contrived
programming language constructs
• Examples:– PHP– ASP– Java (Java Server Pages)
• Better when the complexity is in the output format
19WUCM1
![Page 20: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/20.jpg)
Examples (both Java)protected void processRequest (HttpServletRequest
request, HttpServletResponse response) throws ServletException, IOException { response.setContentType ("text/html"); PrintWriter out = response.getWriter ();
out.println("<html>"); out.println("<head>"); out.println("<title>Hello world servlet</title>"); out.println("</head>"); out.println("<body>"); String name = request.getParameter ("name"); out.println("<P>Hello " + name); out.println("</body>"); out.println("</html>");
out.close (); }
<%@page contentType="text/html"%><html><head><title>Hello JSP Page</title></head><body>
<P>Hello <%= request.getParameter("name") %>
</body></html>
20WUCM1
![Page 21: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/21.jpg)
CGI
21WUCM1
![Page 22: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/22.jpg)
Script interaction – CGI
• A CGI script is a program run on the server: – How can it get its input?– What should it do with its output?
• CGI scripts are loaded and executed at the request of the web server
• Server passes details about the request through environment variables
WUCM1 22
![Page 23: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/23.jpg)
CGI input
• Environment variables pass details on:– The URL the script was called from – Request parameters passed from web browser– The HTTP method used– General information about the request
• In addition, input can come via the standard input (STDIN) if the method was POST
WUCM1 23
![Page 24: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/24.jpg)
CGI Output
• The script passes information back via standard output (STDOUT)
• Server will ensure that data presented to STDOUT is routed to the browser
• Server will output the relevant data from the web browser so can be read from STDIN
• But HOW? - via forms, e.g.
WUCM1 24
![Page 25: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/25.jpg)
Forms for dynamic programming
• The significant part of the html is:<FORM METHOD=GET ACTION="/cgi-bin/mycgi.bat">
• Notice that:– the FORM method is GET– the FORM action is to run the mycgi.bat program
WUCM1 25
![Page 26: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/26.jpg)
GET as the form method• Any data is passed as a “query string”• Separator is ‘?’• Parameters concatenated with ‘&’ to form the “query
string”GET /cgi-bin/mycgi.bat?WUCMI_unit=78&collect_type=NextTutorial&dis_num=67 HTTP/1.0
• Complications: – If the user enters any characters not permitted in URLs, like
spaces or &, =, ? – The data is encoded using the ISO8859 rules, e.g. for a space,
this would give %20, its ASCII code• Decoding these is best left to library code – CGI.pm in the
case of Perl
WUCM1 26
![Page 27: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/27.jpg)
WUCM1 27
POST as the form method
• The data is sent in the request body• The web server will present this data to the
CGI script as input on STDIN• Browser indicates how much data is being
transferred, so that the CGI script knows how much to expect on STDIN
![Page 28: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/28.jpg)
When to use which method?• Use GET for actions
– that are safe – that are idempotent– where the total length of the
URI is less than 256 chars– where it's OK for the
parameters to be visible to the user
– where it's OK for the parameters to be preserved as part of a bookmark
• Data retrieval
• Use POST for– everything else
• Data update
WUCM1 28
![Page 29: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/29.jpg)
WUCM1 29
Common CGI environment variables
• REQUEST_METHOD – how the script was called, i.e. GET or POST
• PATH_INFO – the relative path of the requested resource
• PATH_TRANSLATED – the absolute path of the requested resource
• QUERY_STRING – additional supplied parameters, if any
• SCRIPT_NAME – the actual name of the script
![Page 30: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/30.jpg)
WUCM1 30
Simple Apache CGI configuration
• CGI scripts are handled by mod_cgi • Apache needs to be told:
– Which directory contains scripts– How to recognise them as executable programs rather
than files to be delivered• The choice is basically:
– Use ScriptAlias in the config file, setting up a safe directory – outside tree
– Use AddHandler or SetHandler to set a handler type of cgi-script for script files in a directory in the document tree
![Page 31: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/31.jpg)
WUCM1 31
Example - ScriptAlias
• Assume:– A cgi-bin directory parallel to the htdocs directory
in your web server's space– e.g. C:\Apache\Roger\cgi-bin
• Then the httpd.conf file could be
![Page 32: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/32.jpg)
Example httpd.conf file# permit access to cgi-bin directory # default deny from Prac04<Directory "C:/Apache/Roger/cgi-bin"> Options –Indexes +ExecCGI AllowOverride None Order allow,deny Allow from all</Directory>TransferLog "logs/access.log"ErrorLog "logs/error.log"LogLevel warn
# tell Apache where cgi scripta are.ScriptAlias /cgi-bin/ "C:/Apache/Roger/cgi-bin/"# tell Apache where to put the script errors.ScriptLog "logs/script.log"
WUCM1 32
![Page 33: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/33.jpg)
WUCM1 33
Marking scripts as executable
• This is OS specific• Under Windows:
– Usually determined by the extension, .cmd, .bat, .pl or .exe
• Under Unix:– chmod +x filename– #!/bin/perl first line
![Page 34: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/34.jpg)
WUCM1 34
Debugging scripts
• Since CGI scripts run through Apache they are more difficult to debug
• For a simple test, e.g. filling in the form and then clicking “submit” where do the error & debug messages go?
• Usual answer is the log files:– both ErrorLog– and ScriptLog– depending on what has gone wrong
If Apache config problem.
![Page 35: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/35.jpg)
WUCM1 35
Debugging scripts
• Some CGI libraries, e.g. Perl CGI::Carp, direct error messages to the browser for debugging purposes – not useful for production systems
• For debugging messages, send output to STDERR – they will be added to ScriptLog
• Problems with testing CGI scripts from the command line – no web server to generate input
![Page 36: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/36.jpg)
WUCM1 36
A few security points
• Apache's privileges (and hence those of any CGI scripts it runs)– Apache must start as root to bind to port 80
• In a well configured server, once this initial binding is done, Apache will drop back to a very low privilege user, (nobody, webuser etc)
• If due to a poor configuration file it does not, then any later executed CGI script will be running as root – potentially very dangerous
![Page 37: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/37.jpg)
WUCM1 37
A few security points
• Editors used to edit CGI scripts– Often produce backup files with standard
extensions, e.g. PFE uses .$$$– To protect deny from suspect extensions:
<Files *$$$> Order allow,deny Deny from all</Files>
![Page 38: Dynamic content](https://reader035.vdocuments.site/reader035/viewer/2022062323/56816380550346895dd46339/html5/thumbnails/38.jpg)
WUCM1 38
suEXEC and CGIWrap
• To increase the security when running CGI scripts, they are often “wrapped”
• The CGI wrappers can:– control the ownership of CGI scripts– subject the script to stringent security tests
• The two main alternatives are:– suEXEC –bundled with Apache – CGIWrap –produced by an independent group