Hi List, I am interested in building a data driven web app with Tomcat 4.0 and JSP/Servlets, but am new to the field, and have lots of questions. Some are general, some are specific to Tomcat. Please be patient, as I am new. Here it goes:
System design: It seems that managing client state transitions is difficult. Unlike traditional GUIs, basically all forms are modal. How do you design around this? I have some ideas below that I would like some feedback on. Implementation: Looking at the servlet code that comes with Tomcat, it seems very ugly. All those out.println()'s give me the willies! JSP looks slightly better, since at least Java embedded in HTML is more readable than HTML embedded in Java! Even the latter can be minimized with taglibs, right? I have read some about FreeMarker and WebMacro. How exactly do these fit into the equation? Finally, regarding the design philosophy behind data-driven weblications: they are mostly parameterized finite state machines, right? There is a set of templates which, when requested, are filled with data, perhaps adjusted in some other, structural way, and served. Each user may have access to a different set of these templates (for example, limited by security). Each template may allow the user to transition to certain other templates. The process repeats during session lifetime. So it seems to me that a state diagram is in order, and each state corresponds to each HTML page the user sees. State transitions are basically hyperlinks. Because the number of states (pages) can grow large, it seems reasonable to expect them to be fairly uniform, and perhaps "inherit" in some way from a common parent template. Does this sound right? How can I achieve this? (this way of programming is much much different than the event driven concepts of, say, VB or Swing!) So a user logs in, gets a session identifier, and, unless all state transitions are allowed (the degenerate case), the server must also track client state, yes? Where can I find out more about how Tomcat assigns session identifiers and processes URLs to include them? If my understanding is correct, it seems that for most web apps 2 servlets would be adequate: one for login and client instantiation (assigning session and initial state) and one for all other state transitions (call it servlet 2). After all, servlet 2 can get the session and then look up the client state from that, and then determine valid state transitions, and compare it to what the client requested to make sure everything is kosher! Logout would be a state transition on servlet 2, although there might be a polling process checking login time and auto-change user state when a certain amount of time has elapsed. I have a question about this and Tomcat: will servlet 2 be reused for all client requests? EG does Tomcat instance a copy of that servlet for every request, in the same way ServerSocket generates new Sockets? Or is the servlet required to behave linearly (that is, service request 1, then request 2, etc...)? One security concern would be spoofing the session data, probably after eavesdropping on the tcp stream/http content. This would only be of concern for the duration of the session, so it might pay to keep the sessions short. However, I thought of another thing to help prevent this: log the client IP address and correlate it with the session key. This won't help in some circumstances, for example if the client is using NAT behind a firewall and the spoofer is behind there too (so they look like they have the same IP), or if the spoofer is relatively sophisticated and forges his packet headers. But still, I think this would be a useful security measure. That is, if my understanding of HTTP over TCP is correct, in that a client keeps a TCP connection to the HTTP server for a relatively long period of time (speaking of which, is there any way to adjust this time with Tomcat?) Another security concern is the login process itself. Are there any standards for moving the user name password data across the wire securely, especially ones that Tomcat supports? (HTTPS seems like overkill, but I don't know, I'm just a newbie.) Can this be IP logging idea be done with Tomcat? In other words, is there a way to determine the Requesters IP address, even though this info is not necessarily in the HTTP stream? If Tomcat does offer this information, where does it get it? The HTTP or the actual TCP stream? Kind regards, Josh Rehman -----Original Message----- From: Greg Munger [mailto:[EMAIL PROTECTED]] Sent: Sunday, March 10, 2002 2:24 PM To: Tomcat Users List Subject: mod_webapp.so error "duplicate connection name" I just started following this list, but I have tried to look in the archives and in deja news for an explanation for the "duplicate connection name" error. This error occurs when I restart Apache. I am using a hosted server where I do not have root. Currently tomcat 4.0.1 and apache 1.3 are installed. The Tomcat standalone http server works fine at port 8080, and apache is running on port 80. This system is using the 2.1.3 glibc libraries, so I cannot use the precompiled versions mod_webapp (which seem to use 2.2). 1. I obtained the source from this url: http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.1/src/w ebapp-module-1.0.1-tc401-src.tar.gz 2. built the module: support/buildconfs.sh configure --with-apxs make 3. copied apache-1.3/mod_webapp.so to the apache libexec directory 4. added the following to httpd.conf LoadModule webapp_module libexec/mod_webapp.so ... AddModule mod_webapp.c ... WebAppConnection conn warp localhost:8008 WebAppDeploy xx conn /xx 5. the server.xml file contains the information that came with it: <!-- Define an Apache-Connector Service --> <Service name="Tomcat-Apache"> <Connector className="org.apache.catalina.connector.warp.WarpConnector" port="8008" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0"/> <!-- Replace "localhost" with what your Apache "ServerName" is set to --> <Engine className="org.apache.catalina.connector.warp.WarpEngine" name="Apache" debug="0" appBase="webapps"> <Logger className="org.apache.catalina.logger.FileLogger" prefix="apache_log." suffix=".txt" timestamp="true"/> <Realm className="org.apache.catalina.realm.MemoryRealm" /> </Engine> </Service> 6. When I restart apache I get the "duplicate connection name" error reported for the WebAppConnection statement. 7. I have the same setup running locally on a machine where I do have root access, and it is working fine. The only difference between the systems that I am aware of is that it is glibc 2.2. And I am not sure what the apache version of the hosted system is, but I am pretty sure it is 1.3.something. -- what causes the "duplicate connection name" errors? -- are there any other choices for accessing Tomcat through port 80? I am aware of using a ProxyPass directive in Apache, but using that approach static content will always be served by Tomcat. - what does the "replace localhost..." comment in the server.xml file mean? There is no "localhost" parameter in either 4.0.1 or 4.0.3. thanks, Greg Greg Munger - 219-926-7604 - Lake Point Interactive - www.lpiweb.com -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]> _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com -- To unsubscribe: <mailto:[EMAIL PROTECTED]> For additional commands: <mailto:[EMAIL PROTECTED]> Troubles with the list: <mailto:[EMAIL PROTECTED]>
