Monday, April 30, 2007

Servlets and JSP: An Overview

1. What are Java Servlets?
Servlets are Java technology's answer to CGI programming. They are programs that run on a Web server and build Web pages. Building Web pages on the fly is useful (and commonly done) for a number of reasons:

The Web page is based on data submitted by the user- For example, the results pages from search engines are generated this way, and programs that process orders for e-commerce sites do this as well.

The data changes frequently- For example, a weather-report or news headlines page might build the page dynamically, perhaps returning a previously built page if it is still up to date.

The Web page uses information from corporate databases or other such sources- For example, you would use this for making a Web page at an on-line store that lists current prices and number of items in stock.

2. What are the Advantages of Servlets Over "Traditional" CGI?
Java servlets are more efficient, easier to use, more powerful, more portable, and cheaper than traditional CGI and than many alternative CGI-like technologies. (More importantly, servlet developers get paid more than Perl programmers :-).

Efficient- With traditional CGI, a new process is started for each HTTP request. If the CGI program does a relatively fast operation, the overhead of starting the process can dominate the execution time. With servlets, the Java Virtual Machine stays up, and each request is handled by a lightweight Java thread, not a heavyweight operating system process.

Similarly, in traditional CGI, if there are N simultaneous requests to the same CGI program, then the code for the CGI program is loaded into memory N times.

With servlets, however, there are N threads but only a single copy of the servlet class. Servlets also have more alternatives than do regular CGI programs for optimizations such as caching previous computations, keeping database connections open, and the like.

Convenient- Hey, you already know Java. Why learn Perl too? Besides the convenience of being able to use a familiar language, servlets have an extensive infrastructure for automatically parsing and decoding HTML form data, reading and setting HTTP headers, handling cookies, tracking sessions, and many other such utilities.

Powerful- Java servlets let you easily do several things that are difficult or impossible with regular CGI. For one thing, servlets can talk directly to the Web server (regular CGI programs can't). This simplifies operations that need to look up images and other data stored in standard places. Servlets can also share data among each other, making useful things like database connection pools easy to implement. They can also maintain information from request to request, simplifying things like session tracking and caching of previous computations.

Portable- Servlets are written in Java and follow a well-standardized API. Consequently, servlets written for, say, iPlanet Enterprise Server can run virtually unchanged on Apache, Microsoft IIS, or WebStar. Servlets are supported directly or via a plugin on almost every major Web server.

Inexpensive- There are a number of free or very inexpensive Web servers available that are good for "personal" use or low-volume Web sites. However, with the major exception of Apache, which is free, most commercial-quality Web servers are relatively expensive.

Nevertheless, once you have a Web server, no matter the cost of that server, adding servlet support to it (if it doesn't come preconfigured to support servlets) is generally free or cheap.

3. What is JSP?
Java Server Pages (JSP) is a technology that lets you mix regular, static HTML with dynamically-generated HTML. Many Web pages that are built by CGI programs are mostly static, with the dynamic part limited to a few small locations. But most CGI variations, including servlets, make you generate the entire page via your program, even though most of it is always the same. JSP lets you create the two parts separately. Here's an example:

Welcome to Our Store
Welcome,
To access your account settings, click here.

Regular HTML for all the rest of the on-line store's Web page.

4. What are the Advantages of JSP?
vs. Active Server Pages (ASP)- ASP is a similar technology from Microsoft. The advantages of JSP are twofold. First, the dynamic part is written in Java, not Visual Basic or other MS-specific language, so it is more powerful and easier to use. Second, it is portable to other operating systems and non-Microsoft Web servers.

vs. Pure Servlets- JSP doesn't give you anything that you couldn't in principle do with a servlet. But it is more convenient to write (and to modify!) regular HTML than to have a zillion println statements that generate the HTML. Plus, by separating the look from the content you can put different people on different tasks: your Web page design experts can build the HTML, leaving places for your servlet programmers to insert the dynamic content.

vs. Server-Side Includes (SSI)- SSI is a widely-supported technology for including externally-defined pieces into a static Web page. JSP is better because it lets you use servlets instead of a separate program to generate that dynamic part. Besides, SSI is really only intended for simple inclusions, not for "real" programs that use form data, make database connections, and the like.

vs. JavaScript- JavaScript can generate HTML dynamically on the client. This is a useful capability, but only handles situations where the dynamic information is based on the client's environment. With the exception of cookies, HTTP and form submission data is not available to JavaScript. And, since it runs on the client, JavaScript can't access server-side resources like databases, catalogs, pricing information, and the like.

vs. Static HTML- Regular HTML, of course, cannot contain dynamic information. JSP is so easy and convenient that it is quite feasible to augment HTML pages that only benefit marginally by the insertion of small amounts of dynamic data. Previously, the cost of using dynamic data would preclude its use in all but the most valuable instances.

Wednesday, April 18, 2007

Digital Signatures in Java

In public key cryptography, there are two keys. One is used by the sender and is usually private. One is used by the receiver and is usually public.

The sender uses the private key to encode a message or data, and the receiver uses the public key to decode the message.

Digital signatures work just like public key cryptography. The signer encodes data with his own private key, and then anyone with his public key can decode it. This lets any receiver verify who signed the data and that it has not been altered, guaranteeing its integrity and authenticity.


To set up a digital signature in Java, you first need to set up a private key, usually by using keytool or the security API methods. Programmers often use the Java Certificate feature to securely verify public key authenticity.

Once you have the key pair, you generate a digital signature using the jarsigner tool or the API methods. Use the Signature class to sign the data by creating the Signature object, initializing it for signing, processing the data, and then signing it. After the data is signed, you export the objects into files for shipping to the receiver.

Once the data is signed, you send the receiver the data and the signature. You must also supply the receiver with the public key corresponding to the private key you used to generate the signature. The receiver imports the public key, then uses it to verify integrity. The receiver verifies by creating the Signature object, initializing it for verification, processing the data, and then comparing the signature.

You need two applications to use Java's digital signature feature. One application generates the digital signature (the sender). The other application verifies authenticity (the receiver).


The Sender Code
The methods for the sending code are part of the java.security package and are usually placed between try and catch blocks. The first step is to produce the public and private keys.

In order to create a digital signature, you need a private key. The program needs to generate a key pair by using the KeyPairGenerator class. First, you need to create the key pair generator, by calling the getInstance method on the KeyPairGenerator class. You can use a number of different signature algorithms for the generator (Sun Microsystems actually provides a Digital Signature Algorithm, or DSA).

After creating the key pair generator you must initialize it. The KeyPairGenerator class has an initialize method that takes two arguments, one for the key size and one for randomness. The key size is the key length (in bits). The source of randomness must be an instance of the SecureRandom class. Finally, you generate the pair of keys and store them in PrivateKey and PublicKey objects.

/* create a key pair generator for the chosen algorithm (DSA, as mentioned above) */

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");

/* initialize the key pair generator with the key length in bits and a SecureRandom source */

SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
keyGen.initialize(1024, random); /* 1024 is an example key length */

/* generate and store the pair of keys (note: "private" and "public" are reserved words and cannot be variable names) */

KeyPair pair = keyGen.generateKeyPair();
PrivateKey privateKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();


Signing the data is the second step. A digital signature is created and verified using an instance of the Signature class. First you create a Signature object using the signature algorithm you chose (for example Sun Microsystem's DSA). You must then use a private key to initialize the signature object. You then supply the data to be signed to the Signature object by calling the update method.


Once all of the data has been given to the Signature object, you generate the signature of the data. Then you save the signature bytes in one file and the public key bytes in another so you can send them. You will have three pieces to send: the data, the signature, and the public key. The signature is returned as a byte array. The public key is held in a PublicKey object; you can get the encoded key bytes by calling its getEncoded method and store those bytes in a file.

/* create signature object (the algorithm must match the key pair, e.g. SHA1withDSA for DSA keys) */

Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");

/* initialize signature object for signing with the private key */

dsa.initSign(privateKey);

/* supply the data to be signed; update may be called repeatedly for large inputs */

dsa.update(data); /* data is the byte[] to be signed */

/* generate signature */

byte[] realSignature = dsa.sign();

/* save the signature and the encoded public key in files */

try (FileOutputStream sigFile = new FileOutputStream("sig")) { sigFile.write(realSignature); }
try (FileOutputStream keyFile = new FileOutputStream("pubkey")) { keyFile.write(publicKey.getEncoded()); }


The Receiver
To verify the signature and file, a receiver needs the data, the signature, and the public key. The methods for verifying data are part of the java.security package, and are usually placed between try and catch blocks.


The code needs to import the encoded public key bytes and convert them to a PublicKey. A PublicKey is necessary because that is what the Signature initVerify method requires to initialize the Signature object for verification. Once you hold the encoded public key bytes, you can use the KeyFactory class to instantiate a public key from its encoding. You need a key specification, a KeyFactory object to do the conversion, and then you use the KeyFactory object to generate a PublicKey from the key specification.


The signature is verified using an instance of the Signature class. You need to create a Signature object that uses the same algorithm that was used to generate the signature. Then you initialize the Signature object for verification with the public key and give it the data that needs to be verified by again calling the update method.

Once the Signature object has all of the data, you can verify the signature. The signature was read into a byte array, and a boolean verifies value is set to true if the alleged signature is the actual signature of the specified data file generated by the private key corresponding to the public key.
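The sender and receiver steps above carried end-to-end in one program, as an added example that is not the original post's code. It assumes Java 8 or later (for DSA 2048-bit keys and SHA256withDSA in the SUN provider); the class name SignatureRoundTrip, the temporary file names and the sample order text are constructed for the illustration. The sender generates the key pair, signs, and exports the data, signature and encoded public key to files; the receiver rebuilds the PublicKey through KeyFactory and an X509EncodedKeySpec and verifies. The last step shows the failure mode a verifier relies on: flipping a single byte of the data makes the same signature verify as false.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

public class SignatureRoundTrip {

    /* ---------- sender side ---------- */

    /** Create the key pair generator, initialize it with a key length and a SecureRandom, generate. */
    static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", "SUN");
        keyGen.initialize(2048, new SecureRandom());
        return keyGen.generateKeyPair();
    }

    /** Create the Signature object, initialize it for signing, feed the data, sign. */
    static byte[] sign(PrivateKey privateKey, byte[] data) throws Exception {
        Signature dsa = Signature.getInstance("SHA256withDSA", "SUN");
        dsa.initSign(privateKey);
        dsa.update(data);
        return dsa.sign();
    }

    /* ---------- receiver side ---------- */

    /** Rebuild the PublicKey from its encoded bytes, then check the signature over the data. */
    static boolean verify(byte[] encodedPublicKey, byte[] data, byte[] signatureBytes) throws Exception {
        // getEncoded() on a public key returns the X.509 SubjectPublicKeyInfo encoding,
        // so X509EncodedKeySpec is the key specification that KeyFactory needs here.
        KeyFactory keyFactory = KeyFactory.getInstance("DSA", "SUN");
        PublicKey publicKey = keyFactory.generatePublic(new X509EncodedKeySpec(encodedPublicKey));

        // Same algorithm as the sender used, initialized for verification with the public key.
        Signature dsa = Signature.getInstance("SHA256withDSA", "SUN");
        dsa.initVerify(publicKey);
        dsa.update(data);
        return dsa.verify(signatureBytes);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for the file the sender ships.
        byte[] data = "order #1001: 3 widgets, total 42.00".getBytes(StandardCharsets.UTF_8);

        KeyPair pair = generateKeyPair();
        byte[] signature = sign(pair.getPrivate(), data);

        // Export the three pieces (data, signature, encoded public key) to files.
        Path dir = Files.createTempDirectory("sigdemo");
        Path dataFile = Files.write(dir.resolve("data"), data);
        Path sigFile = Files.write(dir.resolve("sig"), signature);
        Path keyFile = Files.write(dir.resolve("pubkey"), pair.getPublic().getEncoded());

        // The receiver reads the three files back and verifies.
        boolean verifies = verify(Files.readAllBytes(keyFile),
                                  Files.readAllBytes(dataFile),
                                  Files.readAllBytes(sigFile));
        System.out.println("signature verifies: " + verifies);

        // Tamper with one byte of the data: the unchanged signature must no longer verify.
        byte[] tampered = Files.readAllBytes(dataFile);
        tampered[tampered.length - 1] ^= 0x01;
        boolean tamperedVerifies = verify(Files.readAllBytes(keyFile),
                                          tampered,
                                          Files.readAllBytes(sigFile));
        System.out.println("tampered data verifies: " + tamperedVerifies);
    }
}
```

Compile and run with javac SignatureRoundTrip.java && java SignatureRoundTrip. Keep the algorithm string identical on both sides (SHA256withDSA here); a mismatch between the signing and verifying algorithm, like a mismatch between the key and the signature, shows up only as a failed verification, so the receiver should treat any false result as untrusted input rather than as a configuration error to work around.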