So, today we move on to application design and development. We are going to start with the basics and explore the architecture of application programs and their user interfaces. Then we will spend a few minutes on web fundamentals. I would guess that most of you are already familiar with this part, but for the sake of those who are not, we will spend a few minutes on it. Then servlets, JSP, application architectures, definitely a lot of time on application security, and, time permitting, application performance and a few other topics.

Any application is split into multiple layers. There is a front end to the application, then a middle layer which does a lot of the work, and then a back end which stores the data. I am focusing here on data-backed applications, which are a large part of the applications we use today. Anything you use, Facebook, Gmail, a news website that is customized to you, the ads you see on any web page that are customized to you: all of these are generated by applications which pretty much follow this breakup of front end, middle layer and back end. There are many possible front ends, and today the web-based front end is dominant, although others are in use in specific tools.

If you look at applications, there are essentially three eras. The original era goes back to mainframes in the 1960s, and the quintessential application was airline reservations. Back then you had airlines flying all over the world; how do you make bookings for a flight? That was a non-trivial task, and putting all of the information on a mainframe computer and providing terminals to agents across the world was probably the first time we had a network that reached across the world. Of course, this network was not a general-purpose network.
Its sole goal was to allow people to connect to this mainframe computer. It was closed: only those who had been given terminals as part of the application could access it, but it was a network. The only difference is that the whole network was geared towards feeding data to the mainframe and getting data back to the terminals. This era saw huge growth, for many applications beyond airline and railway bookings.

In the 80s there was a new revolution. Mainframe computers were considered very expensive, but PCs had become extremely cheap and everybody had a PC on their desktop. So people said, look, these PCs are very powerful; why spend a huge amount of money buying a mainframe to do your work? Why not just buy a basic system to store the data, run the database functionality there, and have the rest of the application reside on your desktop and simply run queries on this database? This was a very popular architecture in the 80s, the client-server architecture. Many low-end databases, FoxPro among others, followed it.

When the web grew, people realized that this architecture had many flaws. One is that the whole application had to run on your machine: people did not want to download stuff, install it and run it, and if you wanted to make a change everybody had to coordinate and make the change; it was a big hassle. The other thing that drove the move is that these applications could run only on a specific operating system. Once you had the web browser as a front end it was no longer operating-system specific; it was general. So people moved to web interfaces, with browsers as the primary mode of access and plain HTML as the way to build interfaces.
Our discussion today is going to focus on that architecture, but there is actually a new era within this which is often referred to as Web 2.0, with a lot more interactivity. We will talk a little about this later on, but our focus is on the simpler, less interactive mode. So that was the architecture across the ages, ages in the sense of maybe 40 or 50 years. I have already told you about the benefits of the browser, so I will skip this.

All of you know about the World Wide Web and all of you have heard of HTML. What does HTML contain? There is the text which you see. In addition there is markup: font and point-size specifications, bold, color and so forth, formatting instructions. You can have images. You can have hypertext links to other documents, which can be very useful in an information system. And then the part which is relevant for web apps: you can have forms where you fill in data, which goes back to the web server, which can take action on the form. This is the mainstay of all our applications.

Before we get into the details, some terminology. URLs, uniform resource locators, are what we use to identify things on the web. So a website like http://www.acm.org/sigmod is identified by a URL. The http in front means that we are accessing it using the HTTP protocol. That is one of many possible protocols, and the most widely used one. There is a variant called HTTPS, which is the same protocol encapsulated in a layer (TLS) that provides security for the transport, meaning that when you type something and it is sent to this website, people in between cannot see what is going on between you and the website. (They can still see which host you are talking to; what they cannot see is the path, the parameters and the content.) That is again something I am sure all of you have seen. If you look at this URL, there is a part which identifies the website, www.acm.org, and then a part after the slash which identifies the resource within the website.
Again, this is something all of you are familiar with, I am sure. Now, this second part, which identifies a resource, was initially meant to identify files within the file system, but very early on people realized that instead of a file it could be a program which is executed. Initially it was literally a program sitting on the file system; the web server would execute that program and whatever the program output would be sent back to the browser.

The next need was to pass parameters from the web browser to the program, so that the values you filled in in forms could be passed to it. How do you convey that to the program? The first solution was to treat some special characters in the URL specially. So if the URL was http://google.com/search?q=silver shines, what exactly is this? google.com identifies the site, search identifies a program which should be executed, and the question mark after that says that what follows are parameters which should be passed to the program. Each parameter has a name and a value; these are name-value pairs. So q=silver shines says that the parameter named q has been given the value "silver shines". (On the wire the browser encodes the space, so it is actually sent as q=silver+shines, and further pairs are separated by ampersands.)

What exactly does this URL do? It goes to the google site, the google site says search is a program, I am going to execute it, and I am going to take whatever is beyond the question mark, q=silver shines, and tell the program: you have been invoked, and the request parameters passed to you are q with the value silver shines; and you can have more such parameters. That was the basic thing. Then there is another form of this where the parameters are not explicit in the URL. Here they are explicit in the URL.
There is a drawback to this: anybody who is watching the traffic on the net can see this, and the web logs in various places will include the full query details. This may not be good if you want privacy. So there is another mode called POST, where the parameters are not in the URL and there is an extra level of interaction between the web server and the browser to pass them: they travel in the body of the request. One caveat: POST keeps the parameters out of URL logs, browser history and bookmarks, but someone watching the wire can still read a POST body unless the connection is HTTPS.

This interaction is defined by the protocol HTTP, the Hypertext Transfer Protocol. It is a request-response protocol. Your browser requests the website to provide information; the website replies, and the reply can carry not just the page to display but also instructions for the browser, for example a cookie to store, which the browser then sends back on its later requests to that site (we will come to cookies shortly). All of that is part of the HTTP protocol.

HTML is a markup language which, as we saw, helps to format the information nicely. It has a number of input features too. There is an output part: tables, style sheets which control how particular things are displayed to users, and so on. That is for the display, but HTML also provides features which allow users to input values which are sent back to the website. All of us are familiar with these: we have all used pop-up menus, checklists, radio buttons, drop-down menus of various forms, and we have all entered text in text boxes. These are all inputs which are meant to be sent back to the web server.
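To make the GET versus POST distinction concrete, here is an added example (not part of the lecture or its slides) that parses the two forms of request. The two raw HTTP requests are constructed by hand and the host name www.example.com is a placeholder; the point is where the parameters live and what ends up in an access log.

```python
"""Added example (not from the lecture): the same form parameters carried in a
GET request (inside the URL) and in a POST request (inside the body), parsed
out of raw HTTP/1.1 text. The request texts below are constructed samples."""
from urllib.parse import urlsplit, parse_qs, urlencode

# What a browser would send for the form  search?q=silver shines  plus a
# second parameter. A space is encoded as '+', pairs are joined with '&'.
GET_REQUEST = (
    "GET /search?q=silver+shines&lang=en HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST /search HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "q=silver+shines&lang=en"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and the form
    parameters, wherever they were carried (URL for GET, body for POST)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = parse_qs(parts.query)          # GET: name=value pairs after '?'
    form_type = "application/x-www-form-urlencoded"
    if method == "POST" and headers.get("content-type", "").startswith(form_type):
        length = int(headers.get("content-length", "0"))
        params.update(parse_qs(body[:length]))  # POST: same encoding, in the body
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "params": params}


def access_log_line(parsed: dict) -> str:
    """What a typical web server access log records: the request line. So GET
    parameters land in the log (and in browser history); POST bodies do not."""
    target = parsed["path"] + ("?" + parsed["query"] if parsed["query"] else "")
    return '"%s %s HTTP/1.1"' % (parsed["method"], target)


def build_get_url(base: str, params: dict) -> str:
    """Build the URL a GET form submission produces, with proper encoding."""
    return base + "?" + urlencode(params)
```

Both requests yield the same parameter dictionary, but only the GET one leaves "silver shines" in the log line; remember that this says nothing about someone on the network, who can read either unless HTTPS is in use.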
Coming to the small example of HTML code on the slide: any web page is enclosed in a pair of tags, <html> and the matching end tag </html>. HTML tags are enclosed in angle brackets. The opening tag is the beginning of something, and everything which follows it until the matching </html> is the body of that page. The HTML page actually has two parts, an initial header section and then a body section. I have not shown the header section, only the body section, which runs from <body> to </body>.

Inside the body I have several things. The first is a table, <table border>, and </table> ends that table. Within this, <tr> is a table row, and <th> to </th> says this is a header cell: ID; the next header cell is Name. Each of these is a column, and <th> to </th> is a column header. The data is similar: <td> to </td> is the data for one cell in a row. <tr> to </tr> is a row, and within that row one cell's data is marked by <td> and the corresponding </td>; the next cell is Zang and the third cell is Computer Science. We will see the output of this on the next slide and then come back to the form. What we just saw is formatted thus: this is a header, so it is formatted in bold by default (you can control that), and these things are put in different columns of the table. Note that although the names are of varying length, it is a table, so everything lines up nicely.

Now, coming back to the form. The form has an action; this action is really a program at the website which is executed when the form is submitted. These are attributes of the form tag: the first attribute is action, which identifies the program to be executed, then there is method, which says get. Technically all of these attribute values should be enclosed in double quotes, so this is really a bug; it should be enclosed in double quotes, but many web browsers are forgiving.
If you do not put double quotes it is OK; the browser will try to figure out what you mean and do what is hopefully the right thing. There is a risk, because different browsers may think the right thing is different: one browser may accept the same buggy HTML and do one thing while another does something else. So it is risky to use non-standard HTML. In particular, get should have been in double quotes.

So this is a form; it specifies what to execute and the method. What is the GET method? We saw that here: if you look at the bottom of this slide, the parameter was passed as part of the URL. When you say the method is get, the parameter values are passed like that. When you say post, the parameter values are passed using HTTP in a different way, in the request body.

Now, what is the body of the form? It says "Search for" and then there is <select> to </select>. This is a select drop-down menu, and it has a name; this is the name of the parameter, persontype. Since this is a select it can have multiple options. The first option has the value student, and that option is also tagged as selected, meaning that is the default; what is displayed to the user is the text Student. The second option has the value instructor. When the form is submitted, the value is what is passed back to the web server, while the text is what is shown to the user. So the user can be shown something nicely formatted, but a simpler name is passed back to the web server. </select> ends it, so we have a drop-down menu with two options. <br> simply goes to a new line. Then it says "Name:" and input type equal to text: this is a text box, size equal to 20 means 20 characters, and name equal to name. What does this mean? This is the parameter name. The name attribute gives the parameter, just like the select's name is persontype; here the word "name" in double quotes is the name of the parameter.
And finally, when you want to submit a form you have to click on a submit button. So we have input type equal to submit, value equal to submit. The value equal to submit means the button shows up labeled as submit, and type equal to submit means that when it is clicked this form is submitted. How does that look? "Search for", and Student is the selected value, but if this were an actual form and I clicked on it, it would show me the other option, Instructor. So I can choose either one; I can search for either students or instructors. Then I type in a name and click submit. What happens? The request goes back to the website to execute this particular program, PersonQuery, with the parameters which have just been entered by the user. What exactly does PersonQuery do? We will be seeing that shortly.

So what does a web server do? The request goes to the web server. As I already told you, if it is a file name it can return the file, or it may be a program which is executed. So whenever we want to extend the functionality of the web server we just create a new program which the web server can execute. The initial interface for web servers to execute programs is what is called the Common Gateway Interface, or CGI. What happens with the CGI interface? When a request comes which names a program, the web server creates a new process which executes that program, gets the result, and gives it back. The initial web servers were all based on this model, but soon people realized that there is a problem with this, and that problem is performance. Each time you start a process in an operating system there is a fairly significant overhead. It may not sound like much; that overhead may be a millisecond or even less. But if it takes a millisecond to start a process, how many requests can you field in a second?
A maximum of 1000, and this is not counting the time you spend actually answering. So your website's performance will be quite severely bounded. On the other hand, suppose the web server itself could interpret the request and send the result back. A typical web server can handle tens of thousands of requests per second in this mode. If it does not have to start a new process and do inter-process communication, performance is way, way higher, and that is what is typically used today. So, for example, PHP was initially designed to run as a separate program which is invoked each time a request comes, but these days web servers have modules which let them run PHP programs as part of the web server itself without invoking a new program.

Let us look at this architecture again. You have the browser sending HTTP over the network to a web server, which in turn talks to an application server, which in turn talks to a database server. This was the original three-layer architecture. The idea of the application server was that instead of starting a new program every time, this application server is already running; the web server simply sends the request to it and this server gives a response back to the web server. So the overhead of starting a new process is avoided and the whole thing is much more efficient.

But after a while people said, look, why have both a web server and an application server? If most of the work is being done by the app server, the web server is doing nothing more than taking a request, passing it on, taking the result and passing it back; that is wasteful, so why not just merge the web server and the application server? Today this is the preferred setup, though not always used; separate web servers are still used. But you can very well merge the two into one server, and this is sometimes called a two-layer web architecture as opposed to a three-layer web architecture. There, there are three layers; here there are two.
This is quite common these days. In particular, if you are using servlets and you start a system that handles servlets such as Tomcat, which you will be doing in tomorrow's lab, that itself can accept HTTP requests, take the parameters and send results back, and that is how you will be using it tomorrow: directly, without an intervening web server.

Now, there are some basic principles we have to understand before we figure out how these requests are handled at the application server. The first thing to note is that HTTP, the Hypertext Transfer Protocol, is connectionless. What on earth does connectionless mean? Of course you have to establish a socket connection at the network level in order to send a request and get data back. What is meant by connectionless here is this: a user might be logged into a website and keep making multiple requests to it. In a connection-oriented model, a new network connection, a TCP-level connection, is opened initially and kept open for the entire duration of the user's login session. This was considered very high overhead and something to be avoided at all costs, because the number of connections that a typical operating system allows is limited. So it was considered bad to keep a connection open while the user is doing nothing but reading the page; the open connection prevents other people from coming in and talking to the web server. So HTTP was designed to be connectionless: you have to open a connection to get data, of course, but as soon as a response is given to your request the connection is closed, and the next time you want to make a request it is a fresh connection. (Newer versions of HTTP do keep a connection open for a while and reuse it for several requests, but the property that matters for what follows is unchanged: the protocol is stateless, the server remembers nothing about you between one request and the next, so every request has to carry whatever the server needs in order to know who you are.) What does this buy us? You can have tens of thousands of users, and the key thing to notice is that not all the users are active all the time.
Typically a user will make one request, take five minutes to read the returned page, and then make the next request. There are exceptions; there are tellers at a bank who make one request after another at high speed. By the way, most of the banks in India now use a system like this, with a web browser at the bank's site and a central server sitting somewhere in India, and a replica somewhere else in India for safety in case something goes wrong with the first copy. If you look at the banks in India, first they were not computerized. Banks in the US tended to have mainframe computers; Indian banks, for the most part, never went through the mainframe era and went straight into the client-server era, where every branch had its own computer system. Those of you old enough to have been at a bank in the 1990s would surely have seen this: machines at each branch. And now we have moved to this new era where banks have just terminals which run web browsers, and the whole work is done at a back-end server.

Anyway, coming back: the HTTP protocol is connectionless, but you do not see that connections are being opened and closed; it is hidden from you. To you the whole thing seems like one session. So the question is: you initially opened a connection and then it was closed. To you, the user, none of this is obvious; you interacted with Gmail or Yahoo mail or whatever, and after a few minutes you click on a button which shows you the next email. A whole new connection is set up and a whole new bunch of things happen, and you do not know anything about it. But the issue is the following: how does the web server know who you are? The first time you went in it asked you for a login and a password, so at that point it knew who you were. But subsequently the connection was closed, and when you click on the next-email button a new connection is opened.
How on earth does the web server know who you are? It clearly does, you have seen this, but how does it work? The answer is that you have what are called cookies, which are stored in your browser. When you click on show me this email, or compose, or whatever else, a request goes to the web server. The web server says: this is a new request, but maybe this person had already logged in, maybe I already know who this person is; how do I find out? The trick is that the web server checks whether the browser has sent along a cookie with a particular name, whatever name the server chose. (Strictly, the server does not ask; the browser attaches the cookies that site set to every request it makes to that site. For our discussion it amounts to the same thing.)

Let us start with a bad way of doing it, a cookie whose value is the name of the user; I will tell you why this is a bad idea. The first time, the web server identifies you, and then it tells the web browser: here is a piece of text, and I will give it a name; let me call the name username, and the value is the name of the user. This is a very insecure and stupid way of doing things, but let me use it to illustrate a first-cut solution and tell you why it is bad. So the web server gives back this text, which is the user id. Next time this browser connects back to the web server, the web server says: do you by any chance have a cookie whose name is username? A cookie is also tied to the site that set it: each web server sets its own cookies, and a particular web server can only get back cookies it set. So gmail.com says, do you have a cookie which I set called username, and the web browser looks up what happened in the earlier interaction and says yes, you told me to save this value, and here it is. Now the web server says, good, now I know who the user is, and proceeds without asking you for login and password again. Now, there is a big risk to this exact scheme.
That is the broad idea; let me just show a slide on this. A cookie is a small piece of text containing identifying information. It is sent by the server to the browser on the first interaction, and on further interactions it is sent by the browser to the server; it is all part of the HTTP protocol. The server can also save information about which cookies it issued, so that when it gets a cookie value back from the browser it can check that the value really was set by it. All kinds of things can be stored in cookies. One is authentication information, to know who the user is; another is user preferences, so that when you go back to the site it remembers that the user wanted to see 100 results per search page rather than the default of 10. These are things you can set, and on further interaction the web server uses whatever defaults you set earlier. How does it remember them? It does not remember; it set a cookie, next time your browser sends that cookie value, and the server respects it.

Cookies can be stored permanently or for a limited time. What do we mean by limited time? The browser can be told: this cookie should be kept as long as the browser is open; if you close the browser and go away, forget about it. Or the website may say keep this cookie permanently (in practice, until an expiry date that it sets): if this person shuts down the computer and comes back after a week and I ask for the cookie, go ahead and give it to me. Why is this used? Many sites remember you across time, so they do not ask you for login and password every time. You close your browser, shut down, go back tomorrow, and they say welcome back so-and-so and start giving you information. How did they do this? They stored the cookie permanently; it is not just for this browser session, it is kept by the browser in a file on disk.
I will come back to what information is stored in the cookie, so let me first say: if you had the website store a cookie which is the actual user name, what is the problem with this? The problem is that people can tamper with this information. The cookie which is stored can be modified; it is actually possible for you to open a browser, look at a cookie, and change the value of the cookie. What is the risk in this? Say I have a particular gmail address; I find the cookie gmail.com stored, I edit it and change the user name to something else, because it is available locally, on my machine, in my browser. The next time I connect, suppose gmail says give me the value of the cookie which was the user name. What does my browser do? It sends back the value which I have edited locally; the browser does not know anything about what I did, I just modified the value and the browser sends the modified value. So now gmail thinks that I am somebody else. I can pretend to be anybody I want; this is obviously a huge security risk and would be a crazy way of doing things.

So what do we do instead? It looks like cookies are insecure and I can pretend to be anybody I want. The solution is that the cookie value is not the actual user name; the cookie value is a randomly generated string, and the number of such possible strings is huge. What this means is that if I generate a string at random and give it back as a cookie value, the web server will look at it and ask, have I issued this particular cookie earlier to anybody? In its database it can track which cookies it issued. So it looks at this big string and asks, did I issue this string as the cookie value to any user?
If I cooked up the string value, most probably it is not in the database, and the server will say, no, I do not know who this is, I will ask them for login and password now. There is of course a very small chance that I manage to guess a random string which is already in the web server's database; then the web server may happily say welcome so-and-so, and I have broken in and can now pretend to be so-and-so. But the probability of that happening is very, very small, because the number of strings is enormous. If I generate a random string, the probability that it is something the web server actually issued to somebody else is roughly the number of sessions currently issued divided by the number of possible strings; with, say, 128 bits of randomness the denominator is about 3 x 10^38, so even with millions of active users the chance is negligible, not something we lose sleep over. Two conditions for that argument to hold: the string must really be unpredictable, generated with a cryptographic random number generator rather than derived from something guessable like a counter or a timestamp, and it must be long enough. That is how cookie safety is provided: not the actual user name but some random string, and the mapping from that random string to the user name is not in your browser; it is in the web server's database.

Let me use the whiteboard to illustrate this. The cookie which is issued could be, let us say, called userinfo, and its value a random string, say xya3pqr and so on; it is a fairly long string, and it needs to be, so that the chance of guessing something valid is very, very small. This is sent to and stored in the browser, so the browser has saved it. The web server has also saved this string in its database, so in its database it has a mapping: xya3pqr... is mapped to so-and-so, the user. So the web server has remembered this. If I have actually logged in, and next time the web server asks me, can you give me the cookie userinfo, it is not just userinfo. Suppose this was gmail (sorry about the small font): it says gmail.com:userinfo, so the first part is the website.
So if gmail asks for iitb.ac.in's cookies, the browser says sorry, I will not give them to you, but if gmail itself asks for a cookie which was set by gmail, the browser returns that information. It gives back this userinfo value, and the gmail web server can look it up in its database and say, I know who this is. That is how cookies are used.

Now let us look at a specific technology for executing programs at the back end, called servlets. As I said, initially the web server would spawn a new process which executed a program, and that was very high overhead; you do not want to do that. So the action moved to Java and the Java application server. The idea is that instead of starting a new process to serve your request, it starts a new thread and executes some code. So you need an interface to that code, an API. You, the application developer, write that code using a particular API, but who calls your code? You are not directly executing your code; the web server is invoking it. How does it work? You write code following the servlet API, your code is loaded onto the web server as part of a library, and when a request comes the web server executes your code in a separate thread. Why a separate thread? Because there are many, many requests coming to the web server; if the web server blocked on each request, users would see a huge delay. So instead each request that comes starts a new thread. A thread is part of an OS process, and the overhead of launching a thread is very small: microseconds, compared to a millisecond or so for a whole process. (In practice the server keeps a pool of threads and hands each request to a free one, which is cheaper still.) So threads are much more efficient, and that is what servlets use.
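The two cookie schemes discussed above, the insecure one that stores the user name and the one that stores a random session id with the mapping kept on the server, as an added example that is not part of the lecture. The user names, the forged cookie value and the host names gmail.com and iitb.ac.in are taken from the lecture's illustration; the cookie jar is a deliberate simplification of browser behaviour (exact-host matching only, no domain, path or expiry rules), and storing only a hash of the session id on the server is an extra hardening step beyond what the lecture describes.

```python
"""Added example (not from the lecture): 'user name in the cookie' next to
'random session id, mapping kept server-side'. Everything runs in memory;
the users and the forged cookie below are constructed for the demo."""
import hashlib
import secrets
from typing import Dict, Optional

# --- Scheme 1: the bad idea. The cookie *is* the identity. ---------------
def insecure_login(username: str) -> Dict[str, str]:
    return {"username": username}          # Set-Cookie: username=alice


def insecure_identify(cookies: Dict[str, str]) -> Optional[str]:
    # Trusts whatever the client sends back; editing the cookie = impersonation.
    return cookies.get("username")


# --- Scheme 2: random session id, server keeps id -> user. ----------------
class SessionStore:
    """The server's table. Keys are hashes of the issued ids, so a leak of
    this table alone does not hand out usable cookies (added hardening)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    @staticmethod
    def _key(sid: str) -> str:
        return hashlib.sha256(sid.encode()).hexdigest()

    def login(self, username: str) -> Dict[str, str]:
        # 32 random bytes from the OS CSPRNG (256 bits): unguessable, and the
        # browser learns only this id, never the user name.
        sid = secrets.token_urlsafe(32)
        self._sessions[self._key(sid)] = username
        return {"userinfo": sid}           # Set-Cookie: userinfo=<sid>; HttpOnly; Secure

    def identify(self, cookies: Dict[str, str]) -> Optional[str]:
        sid = cookies.get("userinfo")
        if sid is None:
            return None
        # "Did I issue this string to anybody?" A made-up value is simply absent.
        return self._sessions.get(self._key(sid))

    def logout(self, cookies: Dict[str, str]) -> None:
        sid = cookies.get("userinfo")
        if sid is not None:
            self._sessions.pop(self._key(sid), None)


class BrowserCookieJar:
    """Simplified browser storage: cookies are filed under the host that set
    them and handed back only to that host."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, str]] = {}

    def store(self, host: str, cookies: Dict[str, str]) -> None:
        self._jar.setdefault(host, {}).update(cookies)

    def cookies_for(self, host: str) -> Dict[str, str]:
        return dict(self._jar.get(host, {}))


def demo() -> Dict[str, object]:
    """Walk through the lecture's scenario and report what each side sees."""
    browser = BrowserCookieJar()
    mail = SessionStore()                                   # gmail.com's side
    browser.store("gmail.com", mail.login("alice"))         # first visit: login
    later = browser.cookies_for("gmail.com")                # next request carries it
    forged = {"userinfo": "xya3pqr"}                        # attacker-chosen value
    return {
        "recognised": mail.identify(later),                 # 'alice'
        "other_site_sees": browser.cookies_for("iitb.ac.in"),  # {}
        "forged_accepted": mail.identify(forged),           # None
        "insecure_forged": insecure_identify({"username": "bob"}),  # 'bob'
    }
```

The forged value is rejected not because the server recognises it as forged but because it was never issued; that is the whole argument, and it only works because secrets.token_urlsafe draws from the operating system's cryptographic generator.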
The servlet API has several functions, one of which is methods to get the parameter values of a web form, and then a method to put out HTML text which the web application server returns to the client. These go through the request and response parameters, and we will see that. Here is the sample servlet code. The first part imports a number of libraries, one of which is javax.servlet.*, the servlet API, and javax.servlet.http.*. The first is the general part: servlets can work with HTTP, HTTPS and so forth. The second is the sub-part of that library specifically for HTTP; HTTPS also gets folded in, hidden from this layer. Now look at this particular servlet: public class PersonQueryServlet extends HttpServlet. For those of you not familiar with Java, let me explain the syntax. First, we are defining a class called PersonQueryServlet; that is just a name. This class extends HttpServlet: in object-oriented terms, extends means that this class is a subclass of the other class, HttpServlet. Who defines that class? It is in javax.servlet.http; that library has defined the class HttpServlet. That HttpServlet class has a number of methods. One of the methods it defines is doGet; there is also doPost and many other methods. In this program we have written a fresh doGet method. If you are familiar with object-oriented terminology, this doGet overrides the default doGet which HttpServlet provides: if I do not specify one, the default is used; if I do, the one I gave is used. So here I have overridden doGet: public void, meaning it does not return any value, and public means the usual thing. The doGet method takes two parameters, an HttpServletRequest and an HttpServletResponse.
I have given these parameters the names request and response for simplicity. Now, these types, HttpServletRequest and HttpServletResponse, are classes. Each class in turn has methods which let me interact with the request object. So, this is an object, the request object, and the response object. I can get information from the request object, I can put information into the response object. Now, the first thing I am doing here is response.setContentType("text/html"). What is this doing? Now, the response to an HTTP request could be HTML, but it could also be an image, and then you could say the type is image/jpeg or GIF or whatever else, or you could say that the type is video in a particular format, and so forth. The type could be a PDF file, the type could be a .doc document or a .odt OpenOffice document, and so forth. So, I can set the type here and then the content will follow that. So, what does this do? It tells the browser that here is a type, and you process it appropriately depending on the type. So, with HTML the browser is going to show it in its browser page. If it is, let us say, PowerPoint, the browser may ask you, shall I launch it as a separate application? If it is a movie it may start playing it as a movie; if it is an image it shows the image. By the way, there is one more line here I forgot: doGet throws ServletException, IOException. So, these are exceptions which the Java language supports; we can ignore them for the purpose of today's session. So, for the response we have set the type, then we say PrintWriter out = response.getWriter(). What does this mean? This is the Java way of saying get me an object which then lets me write stuff to that object, and that stuff will automatically become part of the response object. That is what response.getWriter() does. Now, out is like a standard file on which I can do println and other such things.
So, it is a stream actually, not a file; it is a text stream, I guess. So, now if I say out.println I am printing the actual HTML code here: <head><title>Query Results</title></head>, and then out.println("<body>"), and then the actual work is done here. So, I have started printing the HTML; this part of the code, because the slide is limited in size, I am showing on the next slide. At the end, what should I do? After putting in the actual data it should close the HTML body started here, </body>, and then out.close(), which closes the PrintWriter, and then this returns. So, at this point all the data which was output here is going to be sent back to the client. So, this is the front end, and if you are the client your browser will show all of this. So, what is the actual work of the servlet done here? This is the content. So, all of this is actually part of that function directly. So, what all is this particular function doing? It is String persontype = request.getParameter("persontype"). Now remember, request is an object which has all the information which was sent from the browser. If you go back to the form, let me go back to the, this is the form which we are processing. There are two pieces of input: this one is what is the type, is it student or is it employee? The second part is the name itself. So, if you look at the text here, the first one is the select with name="persontype". So, the parameter persontype will have a value which could be student or instructor. Then the next parameter is this one whose name is name itself, and its type is text, up to 20 characters. So, if you see here, the first one gets the persontype; it is a string, parameters are all strings. So, that is stored in persontype. The name: there is a bug in this slide, this should have been name. So, this is String name = request.getParameter("name").
So, we will get the name which the person typed in and the persontype which the user had selected. So, these two are now available locally in this program, and then the program says if persontype.equals("student") then do something, else, in this case the person type should be instructor, then do something else. Now, what is this something? We have not shown the whole code, but the first part would be code to, so, the goal of this servlet was to find either students or instructors, based on this choice, with a given name. So, in this case what would it do? It would search in the student relation to find the name and get it back. So, how did it get it back? If you remember the JDBC API, we executed a query, typically a prepared query, because the parameter name here has to be passed to the query. So, you should have a prepared query; if you do string concatenation you are going to have problems with SQL injection, I will come back to that. So, it is a prepared query which is used to get all students with the given name, and the result of the SQL query is a ResultSet. So, what does this do? I have not shown the syntactic details here; what I am saying is, for each row in the result set. So, I would say while rs.next() and then rs.getString("ID"), rs.getString("name"), rs.getString("dept_name") and so forth. So, I have not shown all those details, but I am assuming here that all those details have been retrieved into variables ID, name and department name. So, I have the details of all students who have the specified name and I need to output it; I want to output it in a nice form. So, in this case what is the form? It is a table. So, out.println("<table border=1>"), a three column table, and it has a row of data here; this could have been a header actually, th.
So, ID, name, department. Now there is a loop; each iteration of the loop prints out one row of the table. In this case <tr> to </tr>, as I said before, is one row; inside that, <td> to </td> is one column. So, it is just concatenating this HTML text with the ID which was retrieved, the name which was retrieved and the department name which was retrieved, and when I have output everything I will say </table> to close the table. So, that ends that servlet code. So, once you fill in all of this you can actually execute it, but before that we also want to spend a little bit of time on servlet sessions. I already told you about this issue of having a login ID and remembering who that login was through cookies. Now, I told you that you have to have a large randomly generated string and so on and so forth; if everyone has to code this it is a big pain. So, the servlet API provides a nice way of handling this, which actually provides some more features, and that is the servlet session. So, the request has a session object; actually it is all kind of built in, it is very easy to use. So, what you do is, first, when a new request comes in you have to see if this is part of an ongoing session. So, the very first check will be whether request.getSession(false) comes back with an existing session. So, what is this thing here? The false here is to tell getSession that if this session did not already exist, do not create a new session. If you set this to true instead of false, what it will do is, if there was no session, it starts a new session. What does it mean to start a new session? It creates a new cookie and saves the value, and that cookie will have that randomly generated string which I told you about. Now, to get the actual user name and so forth, that is stored at the web server end. Now, how is that stored? That is part of session.getAttribute and session.setAttribute. So, what you do is you have to set a new session. So, if request.getSession comes back with a session, that means the session is already there.
Now, I can do session.getAttribute("userid"). Now, presumably the user ID was set earlier. So, how was it set? I will show you in just a moment. But if this was false, that means it is not part of an ongoing session, then you have to redirect to an authentication page which takes a login and password. So, that authentication page has to verify the login and password, and when it has verified the login and password against the database of login names with passwords it will do the following. It will say request.getSession(true). What this means is, even if there was no session already, it creates a new session. So, that is where a new session is created, and it has to remember the user ID. Creating a new session means the cookie is stored at the browser. But the other part is to remember who the user was, and that is saved as part of the session by saying session.setAttribute("userid", ...) with this user ID which was just authenticated. So, I have checked the password, I know that this is this user, and I will set the attribute whose name is userid to this thing. So, the next time a request comes, if the session is active, which is checked here, so this is an existing session, in the then case I will do session.getAttribute("userid") and this is looked up locally. This does not go back to the web browser. I already have the cookie which says what the session is, and this user ID value which was stored with that session is simply looked up locally in the web browser and returned. I hope that is reasonably clear, and there is a bunch of stuff after this. But this is the last slide which I want to take before the tea break, and that is, where does this servlet run? It has to run inside an application server, and there are many such servers. Apache Tomcat is what we will be using in our lab session tomorrow. But there is also GlassFish, which comes packaged with NetBeans. So, that is also widely used.
Then there is something called JBoss which not only supports servlets, it supports a bunch of other features which are part of the extended Java standard. And these are all open source. Then there are commercial servers: BEA WebLogic, IBM WebSphere, Oracle Application Server and so forth. BEA I think was bought out; it is now part of, I think it is SAP. So, anyway, there are a number of companies which provide commercial application servers. But the open source ones are actually excellent; Tomcat, GlassFish, JBoss, they are all excellent. So, the application server itself supports deployment and monitoring of servlets. So, I have written servlet code, I have compiled it. So, the IDE which I use for this lets all of these be compiled into class files. And then the class files can be packaged into a jar file, or something else called a web archive, a WAR file. And that can be loaded on to an application server. The application server finds what are all the classes inside it. There is also stuff to say that this URL, PersonQuery... So, here, if I go back, I call this servlet PersonQuery. Now, if I go back to the form here it says action="PersonQuery". Now, how does the app server know that when the browser is asking for this PersonQuery thing to be executed, what it actually should execute is this particular servlet, PersonQueryServlet? The name is different. How does it know this one is to be executed? So, that you can specify in a file: it says when you get a request for PersonQuery, execute PersonQueryServlet. So, that has to be specified somewhere. Now, if you use the standard web development project in Eclipse this mapping is automatically created. And there the name had better be the same. I have called this servlet PersonQuery. And then if the URL says PersonQuery it is mapped automatically to this particular servlet. But, you can always override it by specifying a mapping in a file. So, there are details available online.
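The following is an added example, not code from the lecture slides: a complete PersonQueryServlet that follows the structure walked through above (doGet, getParameter, a prepared query, HTML rows written to the PrintWriter) and that makes explicit the two checks the lecture only mentions in passing, the getSession(false) test before doing any work and the prepared query instead of string concatenation, plus HTML escaping of database values so that a stored name cannot inject markup into the result page. It assumes, as hypothetical names, a container-managed JDBC DataSource bound at java:comp/env/jdbc/university, tables student and instructor each with columns ID, name and dept_name, a login servlet mapped at /login that calls getSession(true) and sets the "userid" attribute after checking the password, and the form field names persontype and name from the lecture.

```java
package example;

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;

// Added example, not from the lecture. Assumed: DataSource "jdbc/university",
// tables student/instructor with columns ID, name, dept_name, and a login
// servlet at /login that stores the "userid" session attribute.
public class PersonQueryServlet extends HttpServlet {

    // Escape the HTML metacharacters so a value stored in the database cannot
    // inject tags or script into the page we generate (cross-site scripting).
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getSession(false) returns null when there is no session yet; this
        // servlet never creates one, only the login servlet does.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("userid") == null) {
            response.sendRedirect(request.getContextPath() + "/login");
            return;
        }

        String persontype = request.getParameter("persontype");
        String name = request.getParameter("name");

        // A table name cannot be a bind parameter, so it is chosen from a
        // fixed list rather than taken from the request text.
        String table;
        if ("student".equals(persontype)) {
            table = "student";
        } else if ("instructor".equals(persontype)) {
            table = "instructor";
        } else {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "unknown person type");
            return;
        }
        // The form field is declared as text of at most 20 characters.
        if (name == null || name.isEmpty() || name.length() > 20) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad name");
            return;
        }

        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Query Results</title></head><body>");
        out.println("<table border=\"1\"><tr><th>ID</th><th>Name</th><th>Department</th></tr>");

        // Prepared query: the name is bound with setString, never concatenated.
        // The injectable form would be: "... where name = '" + name + "'"
        String sql = "select ID, name, dept_name from " + table + " where name = ?";
        try (Connection conn = lookupDataSource().getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.println("<tr><td>" + escapeHtml(rs.getString("ID")) + "</td><td>"
                            + escapeHtml(rs.getString("name")) + "</td><td>"
                            + escapeHtml(rs.getString("dept_name")) + "</td></tr>");
                }
            }
        } catch (SQLException | NamingException e) {
            throw new ServletException("query failed", e);
        }
        out.println("</table></body></html>");
    }

    // JNDI lookup of the container's connection pool (assumed resource name).
    private static DataSource lookupDataSource() throws NamingException {
        return (DataSource) new InitialContext().lookup("java:comp/env/jdbc/university");
    }
}
```

Two design points worth noting. The persontype value is compared against a fixed list and the matching literal table name is used, because JDBC cannot bind identifiers; passing the raw parameter into the FROM clause would reopen the same injection hole that the prepared statement closes for the name. And the session check comes before any database work, so an unauthenticated request costs the server nothing but a redirect.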
So, you can do this mapping from PersonQuery to PersonQueryServlet. This is what gets involved. So, with that we have essentially wrapped up all the basics you need to know about servlets. So, we have time for some questions. So, Bansal Institute, Uttar Pradesh, please go ahead. My question is that, as you were given in web development, both are different. So, what is the application server, and how is the program which is requested by the client server, how is the program initiated, and then in the application server? So, there was a lot of noise on the line. But, I think your question was what is the connection between the application server and the web server. And there were other parts to your question which I think were clear. So, what is the web server? The web server is simply a program that is running on some computer which is waiting for incoming connections. So, whenever from my browser I type a URL and hit enter, or I click on a link which has a URL, in either case my browser is opening a network connection to the computer which is hosting the web server. On that computer my browser is going to connect to a default port. There is a port, 80, which is the default port for web servers. So, it is going to open a network connection to port 80, and who is listening on port 80 over there? The web server is the one which is listening for connections on port 80. So, when it gets a new connection request it will typically spawn off a process which handles that particular request. So, the web server may have a pool of processes which are sitting idle at any time. When a new request comes, one of those processes is typically asked to service my specific request. Now, what does it mean to service my request? The network connection is open and then the HTTP request is sent over. The server can ask for extra information like cookies and so forth, and finally send a response back. So, all of this is part of the protocol.
Now, all of this would be done by the web server, but now we saw servlets. Servlets are something which would run as part of an application server. So, an application server has all this logic inside it. The initial web servers were designed simply to pick up files and return them, or to execute a program. So, you have an executable program stored in your file system. So, all that the web server would do is return a file or execute a program. So, that is what initial web servers did, but then, like I said, for performance reasons this was considered bad, and later servers could open a connection to applications, and keep it open actually, and pass on a request which comes in. If it was for a servlet it would send it to the Tomcat server. So, you can have an Apache web server which is connected to a Tomcat application server, and if the specific request was for something which is a servlet, that mapping is stored somewhere and then the web server will forward the request to the app server. This was the three layer architecture. In the two layer architecture there is no separate web server. Tomcat itself acts as a web server. Tomcat has all the features of a basic web server. So, Tomcat itself can be listening on port 80, or it could listen on its default port 8080, and in your request you say do not go to port 80, go to port 8080, and then you are directly going to Tomcat. So, depending on how the thing is set up, Tomcat could be set up to listen on port 8080 and it takes a request and serves it. So, now there is no need for a separate application server. One of the questions is, is it possible to delete cookies after closing the browser? So, if the cookie is set to be persistent it is going to survive even after you close the browser. If you want to get rid of it, every browser gives you a way to look at the cookies that are present, select the cookies from a particular website and then erase them. So, you can do it. It takes a little bit of extra work, but you can do it.
So, cookies can outlive a browser session. The next part is, do we have to write the full file name URL in the action attribute of a form? That is a good question. Let me go back to the document, and here it said form action="PersonQuery". It did not have the full URL. This is an example of what is called a relative URL. Now, where did this page come from? This particular form itself came from the web server. So, if I do not specify anything in front, http://, this text is assumed to be a file name or whatever else relative to the base URL. So, if the website was, let us say, cse.iitb.ac.in, that prefix is taken automatically and this is appended to that prefix. In fact, that prefix can be defined based on where this particular page appeared. If this particular page appeared not just in cse.iitb.ac.in, it appeared in cse.iitb.ac.in/, let us say, dbworkshop/something, then PersonQuery over here is relative to that whole path. So, it is not just in the root of cse.iitb.ac.in, it is in cse.iitb.ac.in/workshop/whatever it is, within that. So, it is relative; it is at the same directory level as where this page came from. So, you do not have to give the full URL. In fact, it is usually a bad idea to give the full URL, because if you deploy the same application on some other URL then all your references will be to a full URL which will go to the wrong place. So, it is highly recommended that you do not use full URLs; use only relative URLs in form actions and so forth. So, today you are deploying it on one machine, tomorrow you deploy it on another. Where do you want to do this? It is very common to first deploy all your servlets on a test machine; they are not live, they are used for testing, and once you have tested them you deploy them on a live server. If you have to go and change all the URLs in your code every time you make this switchover, it is terrible. So, you should use relative URLs only.
One of the queries is, can you explain the concept of servlet mapping using web.xml? I mentioned this concept; I did not mention the term web.xml. So, let me show the document part here. I already told you that over here I said form action="PersonQuery". So, this is the URL which the application server or the web server is going to get, but in the servlet which I defined I said the servlet name is PersonQueryServlet. So, how does the web server know that this is the thing which should be invoked when that request came? So, that mapping is stored in a file called web.xml, and if you use standard tools such as Eclipse and you create a web project, these things are automatically generated by Eclipse or NetBeans. You do not have to mess around with web.xml as long as you use the same name. If I call it PersonQuery here I should call it PersonQuery there. If I called it PersonQueryServlet here I should call it PersonQueryServlet there, but if you want to change the mapping you can edit web.xml. Now, let us come to the live question. Mahatma Gandhi, Uttar Pradesh, Noida, please go ahead. Besides cookies, how many methods are used for session tracking? So, in the early days many people thought that cookies are an invasion of privacy, and there are many other methods which were initially used for session tracking, and even today those methods are very much available, but they are used less, simply because people have got used to cookies and they have given up on, you know, keeping their privacy. So, what are the other methods? I will just mention one or two of them briefly. One method is, when a page is returned to you, you have a hidden form parameter which can be used instead of the cookie.
So, when you click on a link or you submit a form, in all these cases there is an extra parameter which is basically that cookie value; whatever would have been saved as a cookie on your browser is instead part of the HTML text itself and is sent back along with your request. When you click on a link or when you submit a form, that text equivalent of the cookie is the text which goes back. So, that is one way. I think there are a couple of other ways also; I do not remember them offhand, but there are a few other tricks to do this. I do not see them being used very much these days because cookies are now fairly prevalent. Any other questions? So, is there any difference between a web server and an application server? Yeah, like I said, web servers were designed basically to serve pages and maybe execute programs from the operating system. Application servers were used to run application programs, in particular servlets. This is a standard API, widely used, but there are also application servers for other languages. We have servers for PHP, Python, Ruby and so forth. So, they were designed to focus on certain things, but like I said you can merge the functionality and have these two combined into one. We have Dronacharya, Haryana. Hello. Please go ahead. We can hear you, please go ahead. Sir, what is the practical implementation of a lossless join? What is the practical implication of a lossless join? It is lossless decomposition, not lossless join, or lossless join decomposition to use the full term. So, whenever you do a decomposition, if you do a lossy decomposition you are getting into trouble. You have lost information from what you intended to store; you cannot get it back. So, the practical implication is you are in trouble. So, when you do your relational database design and you do decomposition, you should not be using lossy decomposition. You should use only lossless join decomposition. Does that answer your question, or is there something else? Yes, sir. Thank you.
I think we are well past the tea break time.