University of Portsmouth
School of Computing Postgraduate Programme

Lecturer: Jim Briggs
Unit Code: WEB1P
Unit Title: Web Programming 1
Date of Test: Mock questions
Time of Test: --
Duration of Test: 2 hours
Requirements: None
Office Code:
Student Groups:

Rubric:
Number of Questions: Answer 4 out of 8 questions (25 marks per question).
Mode and Restrictions: CLOSED book - no books or notes to be allowed
Pass mark as a percentage: 40%
Weighting as percentage of Unit: 60%

1.      This question is about the HTTP protocol.

a)      Explain what is meant when the HTTP protocol is described as a request/response protocol. (5 marks[JSB1] )

b)      Describe some of the features of the HTTP protocol that contribute towards the implementation of:

i)        error reporting (5 marks[JSB2] )

ii)       moving resources from one server to another or to another location on the same server (5 marks[JSB3] )

iii)     user authentication (5 marks[JSB4] )

c)      Describe the major differences between versions 1.0 and 1.1 of the HTTP protocol. (5 marks[JSB5] )

2.      This question is about HTTP and CGI.

a)      Describe the two ways by which parameters can be passed in an HTTP protocol request. What are the pros and cons of each? Under what circumstances is each normally used? (10 marks[JSB6] )

b)      Explain briefly what is meant by the terms safe and idempotent in the context of HTTP requests. (5 marks[JSB7] )

c)      Describe how parameters are passed from a web server to a Common Gateway Interface (CGI) program. Sketch out what a CGI program has to do in order to read those parameters. (10 marks[JSB8] )

3.      Consider the following fragment of a Java servlet (extending class javax.servlet.http.HttpServlet).

1    public void doGet(HttpServletRequest request,
2                      HttpServletResponse response)
3            throws ServletException, IOException {
4
5        String greeting = "Hello World!";
6        int majorType = TEXT_TYPE;
7        String type = request.getParameter("type");
8        if ("plain".equals(type)) {
9            response.setContentType("text/plain");
10       }
11       else if ("html".equals(type)) {
12           response.setContentType("text/html");
13           greeting = "<html><body><h1>" + greeting +
14               "</h1></body></html>";
15       }
16       else if ("image".equals(type)) {
17           response.setContentType("image/gif");
18           majorType = IMAGE_TYPE;
19       }
20       else {
21           response.sendError(HttpServletResponse.SC_BAD_REQUEST,
22                     "Please specify a valid response type");
23           return;
24       }
25
26       if (majorType == TEXT_TYPE) {
27           PrintWriter out = response.getWriter();
28           out.println(greeting);
29       }
30       else {
31           OutputStream os = response.getOutputStream();
32           ServletContext application = getServletContext();
33           InputStream is =
34               application.getResourceAsStream("/ora.gif");
35           copyStream(is, os);
36       }
37   }

a)      Explain what lines 9, 12 and 17 do (collectively), and precisely how that is conveyed to the user's web browser. (6 marks[JSB9] )

b)      What is the purpose of lines 21-22? Explain precisely how that is conveyed to the user's web browser. (6 marks[JSB10] )

c)      Explain under what circumstances the function doGet is called. In a normal servlet, which function would call it? (5 marks[JSB11] )

d)      Describe the purpose of the ServletContext object (obtained in this servlet in line 32). Describe in general terms (i.e. it doesn't matter if you can't remember the precise names of the relevant method(s)) at least 3 distinct functions that the ServletContext object might be used for (in addition to getResourceAsStream). (8 marks[JSB12] )

4.      This question is about servlets and JSPs.

a)      In Servlets/JSP, what is the difference between forwarding, including and redirecting? For each, give an example of a typical situation where it might be used. (9 marks[JSB13] )

b)      Explain the difference between JSP expressions and expression language. Why is one now preferred over the other? (8 marks[JSB14] )

c)      In a servlet’s source code you may find the following statement: "response.setContentType("text/html");". What is the purpose of this statement? (3 marks[JSB15] )

d)      Outline briefly the purpose of JSP Tag libraries. (5 marks[JSB16] )

5.      This question is about structuring a web application.

a)      Describe the respective roles of the presentation, business and persistence layers in a web application. Why is it a good idea to keep them separate? (12 marks[JSB17] )

b)      For each of the following components of an imaginary bank web application, state whether it should be part of the model, view or controller, and, if it is part of the model, whether it is part of the business layer or persistence layer.

i)        based on the URL in the HTTP request, determines which business functionality should be invoked (1 mark[JSB18] )

ii)       checks that the information entered by a user into a web form is syntactically valid (1 mark[JSB19] )

iii)     checks whether the account number entered by a user represents an account that the user may access (1 mark[JSB20] )

iv)     the SQL statement that updates the amount in a bank account (1 mark[JSB21] )

v)      displays an amount of money in the right format for its currency (1 mark[JSB22] )

vi)     catches an exception raised because the connection to the database was lost (1 mark[JSB23] )

c)      Describe in general terms how Enterprise JavaBeans (EJBs) can be used to enforce the separation between the presentation layer and the model in a large-scale web application. What are the pros and cons of such an approach? (7 marks[JSB24] )

6.      This question is about JavaScript.

a)      Consider the following HTML page

<HTML>
<HEAD>
   <TITLE>A Simple Rollover</TITLE>
</HEAD>
<BODY BGCOLOR="WHITE">
   <A HREF="next.html"
      onMouseover="document.arrow.src='images/redArrow.gif'" >
   <IMG SRC="images/blueArrow.gif" WIDTH="147" HEIGHT="82" BORDER="0"
      NAME="arrow" ALT="arrow"></A>
</BODY>
</HTML>

i)        Describe what this JavaScript program does. (4 marks[JSB25] )

ii)       There is something missing from the above program – something that the user might expect but which is not implemented. What is that, and what additional code is necessary to implement it? (6 marks[JSB26] )

b)      Consider the following fragment of JavaScript:

<SCRIPT LANGUAGE="JAVASCRIPT" TYPE="TEXT/JAVASCRIPT">
   function submitIt(carForm) {
      var doorOption = -1
      for (var i = 0; i < carForm.DoorCt.length; i++) {
         if (carForm.DoorCt[i].checked) {
            doorOption = i
         }
      }
      if (doorOption == -1) {
         alert("You must choose 2 or 4 door")
         return false
      }
      return true
   }
</SCRIPT>

i)        Describe what this function does. (4 marks[JSB27] )

ii)       In the above example, what type of object is carForm? (3 marks[JSB28] )

iii)     In the above example, what does DoorCt represent? (3 marks[JSB29] )

iv)     Give an appropriate example to show how you would expect the above function to be called. (5 marks[JSB30] )

7.      This question is about linking web applications to databases.

a)      Why are databases used as the persistent storage for web applications in preference to files? (5 marks[JSB31] )

b)      Why is connection pooling typically used by web applications when connecting to databases? (5 marks[JSB32] )

c)      Why is it preferable to use a JDBC DataSource rather than the DriverManager class when creating a database connection? (5 marks[JSB33] )

d)      What are the pros and cons regarding accessing a database using the JSTL SQL tags versus using bespoke classes to do so? (5 marks[JSB34] )

e)      Why is Hibernate a popular means of mediating the interaction between a web application and a database? (5 marks[JSB35] )

8.      Describe the major security threats to a dynamic website and discuss the potential ways of defending against them and mitigating their effects. (25 marks[JSB36])


 [JSB1]Everything starts with a client sending a request to a server and finishes with the server sending a response to the client. In the absence of network problems, each request gets exactly one response; the server never initiates an exchange.

 [JSB2]HTTP status codes: the 400 series for where the client has erred; the 500 series for problems on the server. A reason phrase accompanies each code in the status line, and the body of the response may give the user more detail.

 [JSB3]A series of status codes in the 300s (e.g. 301 Moved Permanently, 302 Found) allow servers to inform clients of permanent or temporary redirections; the new address is given in the Location header and the client re-issues the request there.

 [JSB4]Status code 401 (Unauthorized) together with the WWW-Authenticate challenge header. RFC 2617 defines the Basic and Digest schemes by which the client then presents credentials in the Authorization header. (Basic sends the credentials merely base64-encoded, i.e. effectively in clear, so it needs TLS underneath.)
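The three features above (error status codes, 3xx redirection with a Location header, and a 401 challenge using the RFC 2617 Basic scheme), as an added Python example; it is not part of the exam paper or the marking scheme. The realm name, the user table, the password and the paths are made up for the illustration.

```python
"""Added example (not part of the exam paper): the HTTP features from the
three answers above, as the bytes a server sends and a client parses.
Realm, paths, user table and credentials are made up for illustration."""
import base64
import hmac

REASON = {200: "OK", 301: "Moved Permanently", 302: "Found",
          400: "Bad Request", 401: "Unauthorized", 404: "Not Found",
          500: "Internal Server Error"}
REALM = "WEB1P mock"                   # assumed realm name
USERS = {"jim": "correct horse"}       # constructed; real systems store password hashes


def build_response(status, headers=None, body=b""):
    """Serialise a response: status line, header lines, blank line, body."""
    lines = [f"HTTP/1.1 {status} {REASON[status]}"]
    hdrs = dict(headers or {})
    hdrs.setdefault("Content-Length", str(len(body)))
    lines += [f"{name}: {value}" for name, value in hdrs.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body


def error_response(status, detail):
    """Error reporting: the code goes in the status line, the detail in the body."""
    body = f"{status} {REASON[status]}: {detail}\n".encode("utf-8")
    return build_response(status, {"Content-Type": "text/plain"}, body)


def redirect_response(new_url, permanent=False):
    """Moved resource: a 3xx code plus a Location header the client follows."""
    status = 301 if permanent else 302
    body = f"See {new_url}\n".encode("utf-8")
    return build_response(status, {"Location": new_url,
                                   "Content-Type": "text/plain"}, body)


def basic_header(user, password):
    """Client side of RFC 2617 Basic: base64("user:password"); no secrecy, needs TLS."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_credentials(authorization):
    """Server side: return (user, password) from an Authorization value, or None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):        # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(request_headers):
    """Handle one request: 401 challenge without valid credentials, 200 with them."""
    creds = parse_basic_credentials(request_headers.get("Authorization", ""))
    if creds is not None:
        user, password = creds
        expected = USERS.get(user, "")
        # constant-time compare so timing does not reveal how much of the password matched
        ok = hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
        if ok and user in USERS:
            return build_response(200, {"Content-Type": "text/plain"}, b"welcome\n")
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"',
                 "Content-Type": "text/plain"}
    return build_response(401, challenge, b"authentication required\n")
```

Calling authenticate({}) yields the 401 challenge; authenticate({"Authorization": basic_header("jim", "correct horse")}) yields 200. A malformed or non-Basic Authorization value is treated the same as no credentials rather than raising, and an unknown user takes the same code path as a wrong password.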

 [JSB5]Version 1.1 introduced the mandatory Host header (support for virtual hosts sharing one IP address), made persistent connections the default rather than an optional Keep-Alive extension, and added chunked transfer encoding, the Cache-Control header and new methods such as OPTIONS and TRACE.

 [JSB6]In the query string of the URL or in the message body. A query string is shown in the browser's address bar (and ends up in history, bookmarks and server logs, so it is unsuitable for passwords) and may be length-limited. GET must send parameters in the query string; POST normally uses the message body (but in principle a POST URL can carry a query string as well). Clicking on a link generates a GET. Submitting a form may be a GET or a POST, according to the form's method attribute.

 [JSB7]Section 9.1 of the HTTP specification (RFC 2616, http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1) says that by convention GET (and HEAD) should be used only for information retrieval and should not have side-effects for which the user could be held accountable: such requests are "safe". POST should be used for actions that may have significance or be "unsafe". GET (along with HEAD, PUT and DELETE) also has the property of "idempotence": aside from error or expiration issues, the side-effects of several identical requests are the same as for a single request, so a browser or proxy may safely retry one. POST is not idempotent, so it should be used for actions with incremental effects (e.g. an online order, where if made twice you get two items not one). A practical consequence is that a state-changing action reachable by GET can be triggered by any link or embedded image the user happens to load.

 [JSB8]The full process is as follows:

Look at the environment variable REQUEST_METHOD to see whether the request made was GET or POST.

If the request is a POST, read in a block of text from the standard input. The web server arranges to write the data sent by the form to this channel. The amount of data to be read is determined by the CONTENT_LENGTH environment variable.

If the request isn't a POST (i.e. it is probably a GET), the text is read from the QUERY_STRING environment variable.

Assuming there is input, an example of the input would look like this:

name=Jim&gender=male&likewpss=1&agegroup=31-40

Split that text up at the ampersand ("&") symbols, so that we have a list of distinct input name and value pairs.

For each pair:

a)      Split the variable name from the value at the "=" sign.

b)      Decode any special characters that appear in the variable name or value: a "+" stands for a space and "%XX" stands for the character with hexadecimal code XX.
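The parameter-passing answer (JSB6) and the CGI sketch above, as one added Python example that is not part of the paper: the same reader handles a GET (from QUERY_STRING) and a POST (CONTENT_LENGTH bytes from standard input), using the sample input from the note. The simulate() helper, the MAX_BODY cap and the output format of the main program are assumptions for the example.

```python
"""Added example (not part of the exam paper): the CGI parameter-reading
sketch above as a runnable program.  The sample input is the one from the
marking note; MAX_BODY and simulate() are assumptions for the example."""
import io
import os
import sys

MAX_BODY = 1 << 20        # assumed cap: never let CONTENT_LENGTH alone bound a read
HEX = b"0123456789abcdefABCDEF"


def decode_component(raw):
    """Undo form encoding: '+' becomes a space, %XX becomes the byte XX.
    Malformed escapes such as '%zz' are kept literally rather than rejected."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b == 0x2B:                                        # '+'
            out.append(0x20)
            i += 1
        elif b == 0x25 and i + 3 <= len(raw) and all(c in HEX for c in raw[i + 1:i + 3]):
            out.append(int(raw[i + 1:i + 3], 16))            # '%XX'
            i += 3
        else:
            out.append(b)
            i += 1
    return out.decode("utf-8", "replace")


def parse_pairs(raw):
    """Split 'a=1&b=2' at '&' then at '='; repeated names are kept, in order."""
    params = []
    for pair in raw.split(b"&"):
        if not pair:
            continue                      # tolerate 'a=1&&b=2'
        name, _, value = pair.partition(b"=")
        params.append((decode_component(name), decode_component(value)))
    return params


def read_cgi_params(environ, stdin):
    """Steps 1-3 of the sketch: pick the channel from REQUEST_METHOD and read it."""
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = 0
        # read exactly the declared length (capped): the server does not close stdin
        raw = stdin.read(max(0, min(length, MAX_BODY)))
    else:
        raw = environ.get("QUERY_STRING", "").encode("utf-8")
    return parse_pairs(raw)


def simulate(method, query="", body=b""):
    """Invoke the reader the way a web server would, without a web server."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": query,
               "CONTENT_LENGTH": str(len(body))}
    return read_cgi_params(environ, io.BytesIO(body))


if __name__ == "__main__":
    # As a real CGI program: read the live environment and emit a minimal response.
    params = read_cgi_params(os.environ, sys.stdin.buffer)
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    for name, value in params:
        sys.stdout.write(f"{name} = {value}\n")
```

simulate("GET", "name=Jim&gender=male&likewpss=1&agegroup=31-40") and simulate("POST", body=b"name=Jim&gender=male&likewpss=1&agegroup=31-40") return the same four (name, value) pairs; note that for a POST the sketch reads only the body, so any query string on the POST URL is ignored here. The decoder works on bytes so that a %-escaped UTF-8 sequence is reassembled before it is decoded.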

 [JSB9]They specify the MIME type of the returned document (3). This is encoded by the servlet container as a Content-Type header (1) and sent to the web browser among the headers of the HTTP response (2).

 [JSB10]To send an HTTP status code other than 200 (OK), here 400 (Bad Request), with an explanatory message, and abandon normal output (3). The container encodes the code (1) in the status line of the HTTP response (2), normally with an error page as the body.

 [JSB11]When the servlet container receives a GET request whose URL maps to this servlet. (3) Normally called from the service method of this servlet (inherited from the HttpServlet class), which dispatches on the HTTP method of the request. (2)

 [JSB12]The servlet context is the object shared by all servlets in this webapp (2).

Other uses include (2 marks for each of 3):

1.      Storing application-wide attributes

2.      Getting context-wide initialisation parameters

3.      Getting server info

4.      Logging

5.      Getting request dispatchers for context resources

6.      Getting other contexts from the container

7.      Getting servlet API version numbers

Full list in Javadoc for the javax.servlet.ServletContext interface

 

·           [JSB13]forwarding: the response is generated by the page forwarded to, and the current servlet is not further consulted (e.g. a controller servlet handing over to the JSP that displays its results).

·          including: the output of the included page is inserted into the response generated by the current servlet/JSP (e.g. a common header or footer).

·          redirecting: the client is told (via a 3xx status and a Location header) to load a different URL. This requires an extra round trip with the client, and also means that the new URL will be visible to the user and can be bookmarked or reloaded (e.g. after a successful POST, so that reloading does not resubmit it).

 [JSB14]Expressions are Java expressions embedded in the page (between <%= and %>). They can reference only Java variables in scope, which normally means entities declared in the page itself. Expression language (EL, written ${...}) allows the inclusion of arbitrary values in a JSP page: it can reference attributes stored in page, request, session or application scope, gives very easy access to the properties of an object, and supports maps and lists flexibly and intuitively. EL is now preferred because in MVC-2 the processing is done in servlets and the JSP only displays attributes, so embedding Java code in the page is of limited value and blurs the separation of view from controller.

 [JSB15]It sets the Content-Type header of the response, telling the browser that the body is HTML and so how to interpret and render it. The charset for the MIME body can be specified with the same setContentType(java.lang.String) method, e.g. "text/html; charset=UTF-8" [2 marks].

 [JSB16]Tag libraries, or taglibs, are a feature of JSP that enables you to build libraries of reusable JSP tags. That means you can encapsulate common behaviour in your own JSP tag and use it across the JSP pages in your Web apps.

 [JSB17]Presentation – user view and controller; business – business logic; persistence – database manipulation. (6 marks) Good idea to keep them separate to facilitate swapping layers and to allow different teams to work on them (6 marks)

 [JSB18]controller

 [JSB19]controller

 [JSB20]model - business

 [JSB21]model - persistence

 [JSB22]view

 [JSB23]model - persistence

 [JSB24]EJBs permit the model to be running on a different server from the presentation layer. The client calls stubs to access the bean's methods; these calls are mapped (using RMI) to the server. This allows flexibility in configuration but tends to result in lots of small network messages.

 [JSB25]A blue arrow is displayed, but replaced by a red arrow when the user moves the mouse over it.

 [JSB26]The arrow does not turn back blue when the user moves the mouse away. To implement that needs the additional attribute

onMouseout="document.arrow.src='images/blueArrow.gif'"

on the <A> tag.

 [JSB27]It checks that one of the radio buttons in the DoorCt group has been selected. If none is, it pops up an error message box and returns false (which, when used as the form's onSubmit handler, cancels the submission); otherwise it returns true. This is a convenience for the user only: the server must repeat the check, since the script can be bypassed.

 [JSB28]It is the JavaScript (DOM) object representing an HTML <FORM> element.

 [JSB29]It represents the list of radio buttons called "DoorCt" on the form.

 [JSB30]In the <FORM> tag you would expect to see the following attribute

onSubmit="return submitIt(this)"

 [JSB31]Answers mentioning structure, transactions, integrity, concurrency (2 marks for 1 good reason; 3 for 2; 5 for 3 or more)

 [JSB32]Latency (efficiency): establishing a database connection (network handshake, authentication, session set-up) is slow, so connections are opened once and reused across requests. A pool also caps the number of simultaneous connections, which protects the database from being overwhelmed under load.
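An added illustration of the point, not part of the paper: a minimal bounded pool with a constructed FakeConnection that counts how many real connections get opened. The pool API (acquire/release), the sizes and the query text are assumptions for the example.

```python
"""Added example (not part of the exam paper): what a connection pool buys.
FakeConnection stands in for a JDBC/DB-API connection and counts how many
'real' connections are opened; ConnectionPool is a minimal bounded pool."""
import queue
import threading


class FakeConnection:
    """Constructed stand-in for a database connection; counts instances."""
    opened = 0
    _count_lock = threading.Lock()

    def __init__(self):
        with FakeConnection._count_lock:
            FakeConnection.opened += 1   # a real connect: TCP handshake, auth, session set-up

    def execute(self, sql, params=()):
        return ("ran", sql, params)


class ConnectionPool:
    """Hand out at most `size` connections; callers wait (up to timeout) when all are busy."""

    def __init__(self, factory, size, timeout=1.0):
        self._factory = factory
        self._size = size
        self._timeout = timeout
        self._created = 0
        self._lock = threading.Lock()
        self._idle = queue.LifoQueue()   # LIFO keeps recently used (warm) connections busy

    def acquire(self):
        try:
            return self._idle.get_nowait()            # reuse an idle connection if any
        except queue.Empty:
            pass
        with self._lock:
            if self._created < self._size:            # open a new one only under the cap
                self._created += 1
                return self._factory()
        try:
            return self._idle.get(timeout=self._timeout)  # wait for someone to release
        except queue.Empty:
            return None                               # exhausted: caller must fail the request

    def release(self, conn):
        self._idle.put(conn)


def connections_opened(n_requests, pool_size=None, workers=1):
    """Serve n_requests (one query each) with or without a pool, from `workers` threads.
    Returns the number of real connections that had to be opened."""
    FakeConnection.opened = 0
    pool = ConnectionPool(FakeConnection, pool_size) if pool_size else None

    def serve():
        for i in range(n_requests // workers):
            conn = pool.acquire() if pool else FakeConnection()
            try:
                conn.execute("SELECT balance FROM account WHERE id = ?", (i,))
            finally:
                if pool:
                    pool.release(conn)

    threads = [threading.Thread(target=serve) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return FakeConnection.opened
```

connections_opened(100) opens 100 connections, connections_opened(100, pool_size=4) opens one, and with ten concurrent workers the pool still never opens more than four. When the pool is exhausted acquire() returns None after the timeout instead of opening more, which is the behaviour that keeps a request flood from turning into a database outage.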

 [JSB33]More flexible: a DataSource is looked up by name (e.g. via JNDI), so the driver class, URL and credentials are configured in the container rather than hard-coded in the application; it can be specified in several different ways; and it assists with connection pooling (and distributed transactions).

 [JSB34]JSTL SQL tags are appropriate when:

·        the content of the web page consists virtually entirely of data from a query (a simple report)

Bespoke classes (e.g. a data access object called from a servlet) are preferable when:

·         the database needs to be updated

·        all (or nearly all) JSPs are called from servlets (e.g. when using Struts)

·        access to the report is managed by application-level security

·        you are trying hard to stick to the MVC pattern

·        the web application is using Hibernate or any other package that involves data caching (SQL issued from the page bypasses the cache)

 [JSB35]Gives object-relational mapping; provides persistence for free; provides caching; reduces need to know SQL

 [JSB36]Marked by generic essay criteria. Looking for definition and discussion of issues including:

·        unauthorised access

·        unauthorised modification of content

·        e-commerce threats

·        denial of service

·        firewalls

·        access control mechanisms

·        logging and log reviewing

·        multi-layered security mechanisms
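The "logging and log reviewing" item above, as an added Python example rather than anything from the paper: a small reviewer over Apache-style access-log lines that flags client addresses accumulating 401/403 responses, the footprint of password guessing or of probing for pages the client may not see. The log lines, the addresses and the threshold are constructed for the example.

```python
"""Added example (not part of the exam paper): the 'log reviewing' defence as
code.  Parses Apache-style access-log lines and flags client addresses that
collect many 401/403 responses.  The log lines are constructed; the threshold
is an assumption."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample: one client browsing normally (with one forbidden admin
# page), one client hammering the login form, and one line that is not a log line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [12/Mar/2010:10:01:05 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.9 - - [12/Mar/2010:10:01:06 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.5 - - [12/Mar/2010:10:01:07 +0000] "GET /admin/ HTTP/1.1" 403 211
10.0.0.9 - - [12/Mar/2010:10:01:07 +0000] "POST /login HTTP/1.1" 401 312
this line is not in the expected format
10.0.0.9 - - [12/Mar/2010:10:01:08 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.9 - - [12/Mar/2010:10:01:09 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.9 - - [12/Mar/2010:10:01:10 +0000] "POST /login HTTP/1.1" 401 312
10.0.0.5 - - [12/Mar/2010:10:01:12 +0000] "GET /account.jsp HTTP/1.1" 200 2048
"""


def parse_line(line):
    """One combined-log line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def review(log_text, threshold=5):
    """Return {ip: n} for clients with at least `threshold` 401/403 responses."""
    denied = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                    # malformed lines are skipped, never trusted
        if rec["status"] in (401, 403):
            denied[rec["ip"]] += 1
    return {ip: n for ip, n in denied.items() if n >= threshold}


def unparsed_lines(log_text):
    """Lines the parser rejected; a spike here is itself worth a look."""
    return [line for line in log_text.splitlines()
            if line and parse_line(line) is None]
```

review(SAMPLE_LOG) returns {"10.0.0.9": 6}: the six failed logins cross the threshold, the single forbidden admin request from 10.0.0.5 does not. Lines that do not match the log format are reported separately by unparsed_lines() rather than silently dropped, since request paths are attacker-controlled and may be written to the log.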