MCS 220 EM 2021-22

• Facebook-https://www.facebook.com/dalal.
tech
• Telegram - https://t.me/DalalTechnologies
• YouTube-https://www.youtube.com/channel/UCilEr1rW-SIrJlJ5_ioKQfw
• Website-Https://DalalTechnologies.in
Course Code : MCS-220

Course Title : Web Technologies
Assignment Number : MCA_NEW(II)/220/Assign/2021-22
Maximum Marks : 100
Weightage : 30%
Last date of Submission : 15th November, 2021(for July, 2021 session)
31st May, 2022 (for January, 2022 session)
Q1. What is Design Pattern? Explain Singleton Design Pattern and Factory Design Pattern with the help of suitable
diagrams.
Ans:-Singleton:-
A design pattern is like a template for your project. It uses certain conventions and you can expect a specific
kind of behavior from it. These patterns were made up of many developers' experiences so they are really like
different sets of best practices.
Singleton Pattern says that just"define a class that has only one instance and provides a global point of access
to it".
In other words, a class must ensure that only single instance should be created and single object can be used by all
other classes.
There are two forms of singleton design pattern
o Early Instantiation: creation of instance at load time.

o Lazy Instantiation: creation of instance when required.
Early Instantiation:-
In such case, we create the instance of the class at the time of declaring the static data member, so instance of the
class is created at the time of classloading.
Let's see the example of singleton design pattern using early instantiation.
1. class A{
2. private static A obj=new A();//Early, instance will be created at load time
3. private A(){}
4.
5. public static A getA(){
6. return obj;
7. }
8.
9. public void doSomething(){
10. //write your code
11. }
12. }
Lazy Instantiation:
Let's see the simple example of singleton design pattern using lazy instantiation.
1. class A{
2. private static A obj;
3. private A(){}
Disclaimer/Note
These are just the sample of the answers/solution to some of the questions given in the assignments. Student should read and refer the official study material provided by
the university.
• Facebook-https://www.facebook.com/dalal.tech
4.
5. public static A getA(){
6. if (obj == null){
7. synchronized(Singleton.class){
8. if (obj == null){
9. obj = new Singleton();//instance will be created at request time
10. }
11. }
12. }
13. return obj;
14. }
15.
16. public void doSomething(){
17. //write your code
18. }
19. }
Q2. Explain Servlet Architecture. Also explain Servlet Life Cycle.

Ans:-
A servlet life cycle can be defined as the entire process from its creation till the destruction. The following are the
paths followed by a servlet.
• The servlet is initialized by calling the init() method.
• The servlet calls service() method to process a client's request.
• The servlet is terminated by calling the destroy() method.
• Finally, servlet is garbage collected by the garbage collector of the JVM.
Now let us discuss the life cycle methods in detail.
The init() Method
The init method is called only once. It is called only when the servlet is created, and not called for any user requests
afterwards. So, it is used for one-time initializations, just as with the init method of applets.
The servlet is normally created when a user first invokes a URL corresponding to the servlet, but you can also specify
that the servlet be loaded when the server is first started.
When a user invokes a servlet, a single instance of each servlet gets created, with each user request resulting in a new
thread that is handed off to doGet or doPost as appropriate. The init() method simply creates or loads some data that
will be used throughout the life of the servlet.
The init method definition looks like this −
public void init() throws ServletException {
// Initialization code...
}
Disclaimer/Note
the university.
The service() Method

The service() method is the main method to perform the actual task. The servlet container (i.e. web server) calls the
service() method to handle requests coming from the client( browsers) and to write the formatted response back to
the client.
Each time the server receives a request for a servlet, the server spawns a new thread and calls service. The service()
method checks the HTTP request type (GET, POST, PUT, DELETE, etc.) and calls doGet, doPost, doPut, doDelete, etc.
methods as appropriate.
Here is the signature of this method −
public void service(ServletRequest request, ServletResponse response)
throws ServletException, IOException {
}
The service () method is called by the container and service method invokes doGet, doPost, doPut, doDelete, etc.
methods as appropriate. So you have nothing to do with service() method but you override either doGet() or doPost()
depending on what type of request you receive from the client.
The doGet() and doPost() are most frequently used methods with in each service request. Here is the signature of
these two methods.
The doGet() Method
A GET request results from a normal request for a URL or from an HTML form that has no METHOD specified and it
should be handled by doGet() method.
public void doGet(HttpServletRequest request, HttpServletResponse response)
// Servlet code
}
The doPost() Method

A POST request results from an HTML form that specifically lists POST as the METHOD and it should be handled by
doPost() method.
public void doPost(HttpServletRequest request, HttpServletResponse response)
// Servlet code
}
The destroy() Method

The destroy() method is called only once at the end of the life cycle of a servlet. This method gives your servlet a
chance to close database connections, halt background threads, write cookie lists or hit counts to disk, and perform
other such cleanup activities.
After the destroy() method is called, the servlet object is marked for garbage collection. The destroy method definition
looks like this −
public void destroy() {
Disclaimer/Note
the university.
// Finalization code...
}
Architecture Diagram
The following figure depicts a typical servlet life-cycle scenario.
• First the HTTP requests coming to the server are delegated to the servlet container.
• The servlet container loads the servlet before invoking the service() method.
• Then the servlet container handles multiple requests by spawning multiple threads, each thread executing the
service() method of a single instance of the servlet.
Servlets are Java classes which service HTTP requests and implement the javax.servlet.Servlet interface. Web
application developers typically write servlets that extend javax.servlet.http.HttpServlet, an abstract class that
implements the Servlet interface and is specially designed to handle HTTP requests.
Q3. What are implicit objects in JSP? Briefly explain all the JSP implicit objects.
Ans:- JSP stands for Java Server Pages, and it’s a server side technology. It’s used for creating web
applications and dynamic web content. The main property of JSP is that we can insert our java code
inside our HTML page using JSP tag. JSP provides you platform-independent pages.
Total 9 implicit objects which are as follows
1. request: This is the object of HttpServletRequest class associated with the request.
2. response: This is the object of HttpServletResponse class associated with the response to the client.
3. config: This is the object of ServletConfig class associated with the page.
4. application: This is the object of ServletContext class associated with the application context.
5. session: This is the object of HttpSession class associated with the request.
6. page context: This is the object of PageContext class that encapsulates the use of server-specific features.
This object can be used to find, get or remove an attribute.
7. page object: The manner we use the keyword this for current object, page object is used to refer to the
current translated servlet class.
8. exception: The exception object represents all errors and exceptions which is accessed by the respective
jsp. The exception implicit object is of type java.lang.Throwable.
9. out: This is the PrintWriter object where methods like print and println help for displaying the content
to the client.
Disclaimer/Note
the university.
The JSP request is an implicit object which is provided by HttpServletRequest. In the servlet, we have
to first import javax.servlet.http.HttpServletRequest then we have to create its object for taking input
from any HTML form as.
Syntax :
import javax.servlet.http.HttpServletRequest;
public class LoginServlet extends HttpServlet

{
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
HttpSession session = request.getSession()
}
}
In JSP, the request object is implicitly defined so that you don’t have to create an object. JSP request
object is created by the web container for each request of the client. It’s used for getting the
parameter value, server name, server port, etc.
In the below example we are using a request object to display the username.
response object
This is the HttpServletResponse object associated with the response to the client. The response object
also defines the interfaces that deal with creating new HTTP headers. Through this object the JSP
programmer can add new cookies or date stamps, HTTP status codes, etc.
In JSP the response object is implicitly defined, so you don’t have to create an object. JSP response
object is created by the web container for each request of the client. It basically is used for redirecting
to any other resource.
In the below example we use the response object to send the user on Geeksforgeeks homepage.
Q4. Explain Spring Boot and Spring MVC frameworks.
Ans:-
1. Spring MVC :
Spring is widely used for creating scalable applications. For web applications Spring provides Spring
MVC framework which is a widely used module of spring which is used to create scalable web
applications. Spring MVC framework enables the separation of modules namely Model View,
Controller, and seamlessly handles the application integration. This enables the developer to create
complex applications also using plain java classes. The model object can be passed between view
and controller using maps. In this article, we will see how to set up a Spring MVC application in the
Eclipse IDE and understand how to make applications.
Disclaimer/Note
the university.
The Spring MVC framework consists of the following components :

• Model –
A model can be an object or collection of objects which basically contains the data of the application.
• View –
A view is used for displaying the information to the user in a specific format. Spring supports various
technologies like freemarker, velocity, and thymeleaf.
• Controller –
It contains the logical part of the application.
@Controller annotation is used to mark that class as a controller.
• Front Controller –
It remains responsible for managing the flow of the web application. Dispatcher Servlet acts as a front
controller in Spring MVC.
2. Spring Boot :
Spring Boot is built on top of the conventional spring framework. So, it provides all the features of
spring and is yet easier to use than spring. Spring Boot is a microservice-based framework and
making a production-ready application in very less time. In Spring Boot everything is auto-
configured. We just need to use proper configuration for utilizing a particular functionality. Spring
Boot is very useful if we want to develop REST API. Spring Boot provides the facility to convert our
project into war or jar files. Also, the instance of Tomcat can be run on the cloud as well.
There are four main layers in Spring Boot :

• Presentation Layer –
As the name suggests, it consists of views (i.e. frontend part).
• Data Access Layer –
CRUD (create, retrieve, update, delete) operations on the database comes under this category.
• Service Layer –
This consists of service classes and uses services provided by data access layers.
• Integration Layer –
It consists of web different web services(any service available over the internet and
uses XML messaging system).
Q5. How a simple CRUD application can be developed using Hibernate? Explain briefly.
Ans:-
Step 1
First create the database schema and tables to perform the CRUD operations
Copy and run the below scripts in the MySQL command window or MySQL workbench(GUI Tool) –
> SQL Editor
I am using Command window to run these scripts

Go to MySql bin directory under MySql installation path E:\MySql_Install\bin
Issue the following command
mysql –u root –p
Enter the password

Disclaimer/Note
the university.
Now run these scripts
1. create database javainsimpleway;

1. use javainsimpleway;
1. CREATE TABLE users (
2. Id int(15) NOT NULL AUTO_INCREMENT,
3. FirstName varchar(50),
4. LastName varchar(50),
5. Dob date,
6. Email varchar(100),
7. PRIMARY KEY (Id)
8. );
Check the table created using below command
1. desc users;
Step 2
Create a Java Maven web project in eclipse and setup Hibernate
Please refer this article on how to do it.
Step 3
Create the hibernate configuration file
hibernate.cfg.xml
1. <?xml version="1.0" encoding="UTF-8"?>

2. <!DOCTYPE hibernate-configuration PUBLIC
Disclaimer/Note
the university.
3. "-//Hibernate/Hibernate Configuration DTD 3.0//EN"

4. "http://www.hibernate.org/dtd/hibernate-configuration-3.0.dtd">
5.
6. <hibernate-configuration>
7.
8. <session-factory>
9.
10. 
11. <property name="connection.driver_class">com.mysql.jdbc.Driver</property>
12. <property name="connection.url">jdbc:mysql://localhost/javainsimpleway</property>
13. <property name="connection.username">root</property>
14. <property name="connection.password">root</property>
15.
16. 
17. <property name="connection.pool_size">1</property>
18.
19. 
20. <property name="dialect">org.hibernate.dialect.MySQLDialect</property>
21.
22. 
23. <property name="cache.provider_class">org.hibernate.cache.internal.NoCacheProvider</property>
24.
25. 
26. <property name="show_sql">true</property>
27.
28. 
29. <property name="format_sql">true</property>
30.
31. 
32. <property name="hbm2ddl.auto">update</property>
Disclaimer/Note
the university.
33.
34. <mapping resource="com/kb/mapping/user.hbm.xml"/>
35.
36. </session-factory>
37.
38. </hibernate-configuration>
We have added database settings and mapping resource in the above configuration file.
Step 4
Create a User model class under src/main/java/com/kb/model package
1. package com.kb.model;
2.
3. import java.util.Date;
4.
5. public class User {
6. private int id;
7. private String firstName;
8. private String lastName;
9. private Date dob;
10. private String email;
11. public int getId() {
12. return id;
13. }
14. public void setId(int id) {
15. this.id = id;
16. }
17. public String getFirstName() {
18. return firstName;
19. }
20. public void setFirstName(String firstName) {
21. this.firstName = firstName;
Disclaimer/Note
the university.
22. }
23. public String getLastName() {
24. return lastName;
25. }
26. public void setLastName(String lastName) {
27. this.lastName = lastName;
28. }
29. public Date getDob() {
30. return dob;
31. }
32. public void setDob(Date dob) {
33. this.dob = dob;
34. }
35. public String getEmail() {
36. return email;
37. }
38. public void setEmail(String email) {
39. this.email = email;
40. }
41. }
Step 5
Create the mapping file for User Model under src/main/resources/com/kb/mapping folder(create
this folder if not exist)
user.hbm.xml
1. <?xml version="1.0" encoding="UTF-8"?>

2. <!DOCTYPE hibernate-mapping PUBLIC
3. "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
4. "http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
5.
6. <hibernate-mapping>
7. <class name="com.kb.model.User" table="users">
Disclaimer/Note
the university.
8. <id name="id" type="int" column="Id">

9. <generator class="increment" />
10. </id>
11. <property name="firstName">
12. <column name="FirstName" />
13. </property>
14. <property name="lastName">
15. <column name="LastName" />
16. </property>
17. <property name="dob">
18. <column name="Dob" />
19. </property>
20. <property name="email">
21. <column name="Email" />
22. </property>
23. </class>
24. </hibernate-mapping>
In the above mapping file, we have mapped UserModel to users table and each property of UserModel class
to columns in the database
Step 6
Create a new Utility class called HibernateUtil.java under src/main/java/com/kb/util package
1. package com.kb.util;
2.
3. import org.hibernate.SessionFactory;
4. import org.hibernate.cfg.Configuration;
5.
6. public class HibernateUtil {
7. private static final SessionFactory sessionFactory = buildSessionFactory();
8.
9. private static SessionFactory buildSessionFactory() {
10. try {
Disclaimer/Note
the university.
11. // Create the SessionFactory from hibernate.cfg.xml

12. return new Configuration().configure().buildSessionFactory();
13. } catch (Throwable ex) {
14. // Make sure you log the exception to track it
15. System.err.println("SessionFactory creation failed." + ex);
16. throw new ExceptionInInitializerError(ex);
17. }
18. }
19.
20. public static SessionFactory getSessionFactory() {
21. return sessionFactory;
22. }
23.
24. public static void shutdown() {
25. // Optional but can be used to Close caches and connection pools
26. getSessionFactory().close();
27. }
28.
29. }
In this class, we are loading the hibernate configuration file and building the SessionFactory and this code can
be reused whenever we need to get the SessionFactory object.
Step 7
Create DAO class to interact with Database under src/main/java/com/kb/dao package
UserDao.java
1. package com.kb.dao;
2.
3. import java.util.ArrayList;
4. import java.util.List;
5.
6. import org.hibernate.Session;
7. import org.hibernate.Transaction;
Disclaimer/Note
the university.
8. import org.hibernate.query.Query;
9.
10. import com.kb.model.User;
11. import com.kb.util.HibernateUtil;
12.
13. public class UserDao {
14.
15. //Create of CRUD
16. public void addUser(User user) {
17. Transaction trns = null;
18. Session session = HibernateUtil.getSessionFactory().openSession();
19. try {
20. trns = session.beginTransaction();
21. session.save(user);
22. session.getTransaction().commit();
23. } catch (RuntimeException e) {
24. if (trns != null) {
25. trns.rollback();
26. }
27. e.printStackTrace();
28. } finally {
29. session.flush();
30. session.close();
31. }
32. }
33.
34. //Read of CRUD
35. @SuppressWarnings("unchecked")
36. public List<User> getAllUsers() {
37. List<User> users = new ArrayList<User>();
Disclaimer/Note
the university.

39. try {
40. users = session.createQuery("from User").getResultList();
43. } finally {
46. }
47. return users;
48. }
49.
50. //Read of CRUD
51. public User getUserById(int userid) {
52. User user = null;
54. try {
55. String hqlQuery = "from User where id = :id";
56. @SuppressWarnings("rawtypes")
57. Query query = session.createQuery(hqlQuery);
58. query.setParameter("id", userid);
59. user = (User) query.getSingleResult();
62. } finally {
65. }
66. return user;
67. }
Disclaimer/Note
the university.
68.
69. //Update of CRUD
70. public void updateUser(User user) {
73. try {
75. session.update(user);
80. }
82. } finally {
85. }
86. }
87.
88. //Delete of CRUD
89. public void deleteUser(int userid) {
92. try {
94. User user = (User) session.load(User.class, new Integer(userid));
95. session.delete(user);
Disclaimer/Note
the university.

100. }
102. } finally {
105. }
106. }
107.
108. }
In the above class,we have created method for each CRUD operation and performing appropriate
operation in it.
Step 8
Create Service class to interact with DAO layer under src/main/java/com/kb/service package
UserService.java
1. package com.kb.service;
2.
3. import java.util.List;
4.
5. import com.kb.dao.UserDao;
7.
8. public class UserService {
9.
10. private UserDao userDao;
11.
12. //Create of CRUD
13. public void addUser(User user) {
14. userDao.addUser(user);
Disclaimer/Note
the university.
15. }
16.
17. //Read of CRUD
18. public List<User> getAllUsers() {
19. return userDao.getAllUsers();
20. }
21.
22. //Read of CRUD
23. public User getUserById(int userid) {
24. return userDao.getUserById(userid);
25. }
26.
27. //Update of CRUD
28. public void updateUser(User user) {
29. userDao.updateUser(user);
30. }
31.
32. //Delete of CRUD
33. public void deleteUser(int userid) {
34. userDao.deleteUser(userid);
35. }
36.
37. public UserDao getUserDao() {
38. return userDao;
39. }
40.
41. public void setUserDao(UserDao userDao) {
42. this.userDao = userDao;
43. }
44. }
Disclaimer/Note
the university.
Step 9
Create Main client class to perform CRUD operations under src/main/java/com/kb/client package
UserClient.java
1. package com.kb.client;
2.
3. import java.text.ParseException;
4. import java.text.SimpleDateFormat;
5. import java.util.Date;
6.
7. import com.kb.dao.UserDao;
9. import com.kb.service.UserService;
10.
11. public class UserClient {
12. public static void main(String[] args) {
13. UserService userService = new UserService();
14. UserDao userDao = new UserDao();
15. userService.setUserDao(userDao);
16.
17. // Add new user - Create of CRUD
18. User user1 = new User();
19. user1.setFirstName("John");
20. user1.setLastName("JC");
21. try {
22. Date dob = new SimpleDateFormat("yyyy-MM-dd").parse("1995-01-01");
23. user1.setDob(dob);
24. } catch (ParseException e) {
26. }
27. user1.setEmail("john@sample.com");
Disclaimer/Note
the university.
28. User user2 = new User();

29. user2.setFirstName("Robin");
30. user2.setLastName("RC");
31. try {
32. Date dob = new SimpleDateFormat("yyyy-MM-dd").parse("1975-01-01");
33. user2.setDob(dob);
34. } catch (ParseException e) {
36. }
37. user2.setEmail("robin@sample.com");
38.
39. userService.addUser(user1);
40. userService.addUser(user2);
41.
42. // Get all users - Read of CRUD
43. for (User retrivedUser : userService.getAllUsers()) {
44. System.out.println(retrivedUser.getFirstName());
45. System.out.println(retrivedUser.getLastName());
46. System.out.println(retrivedUser.getEmail());
47. System.out.println(retrivedUser.getDob());
48. }
49.
50. // Get user by id - Read of CRUD
51. User retrivedUser = userService.getUserById(1);
52. System.out.println(retrivedUser.getFirstName());
53. System.out.println(retrivedUser.getLastName());
54. System.out.println(retrivedUser.getEmail());
55. System.out.println(retrivedUser.getDob());
56.
57. // Update user - Update of CRUD
Disclaimer/Note
the university.
58. user1.setEmail("johnUpdated@sample.com");
59. user1.setId(1);
60. userService.updateUser(user1);
61.
62. // Delete user - Delete of CRUD
63. userService.deleteUser(1);
64.
65. }
66. }
output
We can see only one Record with Id “2” in the table as other record with id ”1” got inserted and deleted.
Q6. Explain Hibernate (ORM) configuration with Annotation in brief.

Ans:- Hibernate is an open source Java persistence framework project. It performs powerful object-relational
mapping and query databases using HQL and SQL. Hibernate is a great tool for ORM mappings in Java. It can cut
down a lot of complexity and thus defects as well from your application, which may otherwise find a way to exist.
This is specially boon for developers with limited knowledge of SQL.
Initially started as an ORM framework, Hibernate has spun off into many projects, such as Hibernate
Search, Hibernate Validator, Hibernate OGM (for NoSQL databases), and so on.
Hibernate Architecture
The following diagram summarizes the main building blocks in hibernate architecture.
Disclaimer/Note
the university.
Hibernate Architecture
Let’s understand what each block represents.
1. Configuration : Generally written in hibernate.properties or hibernate.cfg.xml files. For Java

configuration, you may find class annotated with @Configuration. It is used by Session Factory to work
with Java Application and the Database. It represents an entire set of mappings of an application Java
Types to an SQL database.
2. Session Factory : Any user application requests Session Factory for a session object. Session Factory
uses configuration information from above listed files, to instantiates the session object appropriately.
3. Session : This represents the interaction between the application and the database at any point of time.
This is represented by the org.hibernate.Session class. The instance of a session can be retrieved from
the SessionFactory bean.
4. Query : It allows applications to query the database for one or more stored objects. Hibernate provides
different techniques to query database, including NamedQuery and Criteria API.
5. First-level cache : It represents the default cache used by Hibernate Session object while interacting
with the database. It is also called as session cache and caches objects within the current session. All
requests from the Session object to the database must pass through the first-level cache or session
cache. One must note that the first-level cache is available with the session object until the Session object
is live.
6. Transaction : enables you to achieve data consistency, and rollback incase something goes unexpected.
7. Persistent objects : These are plain old Java objects (POJOs), which get persisted as one of the rows in
the related table in the database by hibernate.They can be configured in configurations files
(hibernate.cfg.xml or hibernate.properties) or annotated with @Entity annotation.
8. Second-level cache : It is used to store objects across sessions. This needs to be explicitly enabled and
one would be required to provide the cache provider for a second-level cache. One of the common
second-level cache providers is EhCache.
Following is the mapping of Employee class with annotations to map objects

import javax.persistence.*;
Disclaimer/Note
the university.
@Entity
@Table(name = "EMPLOYEE")
public class Employee {
@Id @GeneratedValue
@Column(name = "id")
private int id;
@Column(name = "first_name")
private String firstName;
@Column(name = "last_name")
private String lastName;
@Column(name = "salary")
private int salary;
public Employee() {}
public int getId() {

return id;
}
public void setId( int id ) {

this.id = id;
}
public String getFirstName() {

return firstName;
}
public void setFirstName( String first_name ) {

this.firstName = first_name;
}
public String getLastName() {

return lastName;
}
public void setLastName( String last_name ) {

this.lastName = last_name;
}
public int getSalary() {

return salary;
}
public void setSalary( int salary ) {

this.salary = salary;
}
}
Disclaimer/Note
the university.
Q7. Explain how Java Socket Extension (JSSE) is used in Web Security.
Ans:-
The Internet is a dangerous place. It's simply too easy to snoop, spoof, and steal unprotected information as it
travels over the wires. Last month, I wrote the final article in a series on X.509 certificates and public key
infrastructure (PKI), the technologies that secure most e-commerce activity on the Internet. Near the end of the
article, I suggested looking at the SSL (Secure Socket Layer) protocol to learn how X.509 certificates are used in
practice. SSL is the X.509 killer app -- nearly every browser and most popular Web and application servers support
it.
This month, I will explore SSL as implemented by the JSSE (Java Secure Socket Extension), and show you how to
build secure network applications in Java using SSL and JSSE.
Let's begin with a simple demonstration. JSSE provides an SSL toolkit for Java applications. In addition to the
necessary classes and interfaces, JSSE provides a handy command-line debugging switch that you can use
to watch the SSL protocol in action. In addition to providing useful information for debugging a recalcitrant
application, playing with the toolkit is a great way to get your feet wet with SSL and JSSE.
To run the demonstration, you must first compile the following class:
0 seconds of 30 minutes, 46 secondsVolume 0%
public
class Test
{
public
static
void
main(String [] arstring)
{
try
{
new java.net.URL("https://" + arstring[0] + "/").getContent();
}
catch (Exception exception)
{
exception.printStackTrace();
}
}
Disclaimer/Note
the university.
Next, you need to turn on SSL debugging and run the above application. The application connects to the secure
Website that you specify on the command line using the SSL protocol via HTTPS. The first option loads the HTTPS
protocol handler. The second option, the debug option, causes the program to print out its behavior. Here's the
command (replace <host> with the name of a secure Web server):
java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl Test <host>
You need to install JSSE;

Now let's get down to business and talk about SSL and JSSE.
A brief look at SSL

The code in the introduction demonstrates the easiest way to add SSL to your applications -- via the java.net.URL
class. This approach is useful, but is not flexible enough to let you create a secure application that uses generic
sockets.
Before I show you how to add that flexibility, let's take a quick look at SSL's features.
As its name suggests, SSL aims to provide applications with a secure socketlike toolkit. Ideally, it should be easy to
convert an application that uses regular sockets into an application that uses SSL.
SSL addresses three important security issues:
It provides authentication, which helps ensure the legitimacy of the entities involved in a dialog.
It provides privacy. SSL helps warrant that a third party cannot decipher the dialog between two entities.
It maintains integrity. The use of a MAC (message authentication code), which is similar to a checksum, helps
guarantee that a dialog between two entities is not modified by a third party.
SSL relies heavily on both public-key and secret-key cryptography. It uses secret-key cryptography to bulk-encrypt
the data exchanged between two applications. SSL provides the ideal solution because secret-key algorithms are
both secure and fast. Public-key cryptography, which is slower than secret-key cryptography, is a better choice for
authentication and key exchange.
Sun's JSSE reference implementation comes with all the technology necessary to add SSL to your applications. It
includes RSA (Rivest-Shamir-Adleman) cryptography support -- the de facto standard for security on the Internet.
It includes an implementation of SSL 3.0 -- the current SSL standard -- and TLS (Transport Layer Security) 1.0, the
next generation of SSL. JSSE also provides a suite of APIs for creating and using secure sockets.
The JSSE API

The Java security architecture uses the Factory design pattern heavily. For the uninitiated, the Factory design
pattern uses special factory objects to construct instances, rather than calling their constructors directly. (See
Resources for the pros and cons of the factory class.)
In JSSE, everything begins with the factory; there's a factory for SSL sockets and a factory for SSL server sockets.
Since generic sockets and server sockets are already quite fundamental to Java network programming, I'll assume
that you're familiar with the two and you understand their roles and differences. If you are not, I recommend
picking up a good book on Java network programming.
Disclaimer/Note
the university.
SSLSocketFactory
Methods in the javax.net.ssl.SSLSocketFactory class fall into three categories. The first consists of a single static
method that retrieves the default SSL socket factory: static SocketFactory getDefault().
The second category consists of four methods inherited from javax.net.SocketFactory that mirror the four key
constructors found on the java.net.Socket class, and one method that wraps an existing socket with an SSL socket.
They each return an SSL socket:
Socket createSocket(String host, int port)

Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
Socket createSocket(InetAddress host, int port)
Socket createSocket(InetAddress host, int port, InetAddress clientHost, int clientPort)
Socket createSocket(Socket socket, String host, int port, boolean autoClose)
The two methods in the third category return the list of SSL cipher suites that are enabled by default, and the
complete list of supported SSL cipher suites:
String [] getDefaultCipherSuites()
String [] getSupportedCipherSuites()
A cipher suite is a combination of cryptographic algorithms that define a particular level of security for an SSL
connection. A cipher suite defines whether the connection is encrypted, whether content integrity is verified, and
how authentication occurs.
SSLServerSocketFactory
Methods on the javax.net.ssl.SSLServerSocketFactory class fall into the same three categories as SSLSocketFactory.
First, there is the single static method that retrieves the default SSL server socket factory: static
ServerSocketFactory getDefault().
The methods that return SSL server sockets mirror the constructors found in the java.net.ServerSocket class:
ServerSocket createServerSocket(int port)

ServerSocket createServerSocket(int port, int backlog)
ServerSocket createServerSocket(int port, int backlog, InetAddress address)
Finally, the SSLServerSocketFactory features the two methods that return the list of ciphers enabled by default
and the list of supported ciphers, respectively:
String [] getDefaultCipherSuites()
So far, the API is pretty straightforward.
SSLSocket
Things get interesting in the javax.net.ssl.SSLSocket class. I assume you are already familiar with the methods
provided by its parent, the Socket class, so I will concentrate on the methods that provide SSL-related functionality.
Like the two SSL factory classes, the first two methods listed below retrieve the enabled and supported SSL cipher
suites, respectively. The third method sets the enabled cipher suites. An application can use the third operation to
upgrade or downgrade the range of acceptable security that the application will allow:
String [] getEnabledCipherSuites()
void setEnabledCipherSuites(String [] suites)
Disclaimer/Note
the university.
These two methods determine whether the socket can establish new SSL sessions, which maintain connection
details -- like the shared secret key -- between connections:
boolean getEnableSessionCreation()
void setEnableSessionCreation(boolean flag)
The next two methods determine whether the socket will require client authentication. The methods only make
sense when invoked on server mode sockets. Remember, according to the SSL specification, client authentication
is optional. For example, most Web applications don't require it:
boolean getNeedClientAuth()
void setNeedClientAuth(boolean need)
The methods below change the socket from client mode to server mode. This affects who initiates the SSL
handshake and who authenticates first:
boolean getUseClientMode()
void setUseClientMode(boolean mode)
Method void startHandshake() forces an SSL handshake. It's possible, but not common, to force a new handshake
operation in an existing connection.
Method SSLSession getSession() retrieves the SSL session. You will seldom need to access the SSL session directly.
The two methods listed below add and remove an SSL handshake listener object. The handshake listener object is
notified whenever an SSL handshake operation completes on the socket.
void addHandshakeCompletedListener(HandshakeCompletedListener listener)

void removeHandshakeCompletedListener(HandshakeCompletedListener listener)
SSLServerSocket
The javax.net.ssl.SSLServerSocket class is similar to the javax.net.ssl.SSLSocket class; it doesn't require much
individual attention. In fact, the set of methods on javax.net.ssl.SSLServerSocket class is a subset of the methods
on the javax.net.ssl.SSLSocket class.
The first two methods listed below retrieve the enabled and supported SSL cipher suites. The third method sets
the enabled cipher suite:
String [] getEnabledCipherSuites()
void setEnabledCipherSuites(String [] suites)
These two methods control whether or not the server socket can establish new SSL sessions:
boolean getEnableSessionCreation()
void setEnableSessionCreation(boolean flag)
The following methods determine whether the accepted sockets will require client authentication:
boolean getNeedClientAuth()
void setNeedClientAuth(boolean flag)
The methods below change the accepted socket from client mode to server mode:
boolean getUseClientMode()
void setUseClientMode(boolean flag)
Disclaimer/Note
the university.
A simple example
To make this toolkit tutorial clearer, I've included the source code for a simple server and a compatible client
below. It's a secure variation on the typical echo application that many introductory networking texts provide.
The server, shown below, uses JSSE to create a secure server socket. It listens on the server socket for connections
from secure clients. When running the server, you must specify the keystore to use. The keystore contains the
server's certificate. I have created a simple keystore that contains a single certificate. (See Resources to download
the certificate.)
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.io.IOException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
public
class EchoServer
{
public
static
void
{
try
{
SSLServerSocketFactory sslserversocketfactory =
(SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
SSLServerSocket sslserversocket =
(SSLServerSocket)sslserversocketfactory.createServerSocket(9999);
SSLSocket sslsocket = (SSLSocket)sslserversocket.accept();
InputStream inputstream = sslsocket.getInputStream();
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
String string = null;
while ((string = bufferedreader.readLine()) != null)
{
System.out.println(string);
System.out.flush();
}
}
{
}
}
}
Use the following command to start the server (foobar is both the name of the keystore file and its password):
java -Djavax.net.ssl.keyStore=foobar -Djavax.net.ssl.keyStorePassword=foobar EchoServer
Disclaimer/Note
the university.
The client, shown below, uses JSSE to securely connect to the server. When running the client, you must specify
the truststore to use, which contains the list of trusted certificates. I have created a simple truststore that contains
a single certificate. (See Resources to download the certificate.)
import java.io.InputStream;
import java.io.OutputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
public
class EchoClient
{
public
static
void
{
try
{
SSLSocketFactory sslsocketfactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket)sslsocketfactory.createSocket("localhost", 9999);
InputStream inputstream = System.in;
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
OutputStream outputstream = sslsocket.getOutputStream();
OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream);
BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter);
String string = null;
while ((string = bufferedreader.readLine()) != null)
{
bufferedwriter.write(string + '\n');
bufferedwriter.flush();
}
}
{
}
}
}
Use the following command to start the client (foobar is both the name of the truststore file and its password):
java -Djavax.net.ssl.trustStore=foobar -Djavax.net.ssl.trustStorePassword=foobar EchoClient
Disclaimer/Note
the university.
Q8. What is Role Based Login? Explain how user’s access can be restricted using Role Based Login.
Ans:-
Role-based access control (RBAC) refers to the idea of assigning permissions to users based on their role within
an organization. It offers a simple, manageable approach to access management that is less prone to error than
assigning permissions to users individually.
When using RBAC, you analyze the needs of your users and group them into roles based on common
responsibilities. You then assign one or more roles to each user and one or more permissions to each role. The
user-role and role-permissions relationships make it simple to perform user assignments since users no longer
need to be managed individually, but instead have privileges that conform to the permissions assigned to their
role(s).
Role-based access control (RBAC), also known as role-based security, is a mechanism that restricts system access.
It involves setting permissions and privileges to enable access to authorized users. Most large organizations use
role-based access control to provide their employees with varying levels of access based on their roles and
responsibilities. This protects sensitive data and ensures employees can only access information and perform
actions they need to do their jobs.An organization assigns a role-based access control role to every employee; the
role determines which permissions the system grants to the user.
For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to
specific resources or tasks. An organization may let some individuals create or modify files while providing others
with viewing permission only.
One role-based access control example is a set of permissions that allow users to read, edit, or delete articles in a
writing application. There are two roles, a Writer and a Reader, and their respective permission levels are
presented in this truth table. Using this table, you can assign permissions to each user.
Permission/Role Writer Reader
Edit Yes No
Delete Yes No
Read Yes Yes
Types of Access Control: Complementary Control Mechanisms
Access control measures regulate who can view or use resources in a computing system, often relying on
authentication or authorization based on log-in credentials. They are essential to minimizing business risks.
Access control systems can be physical, limiting access to buildings, rooms, or servers, or they can be logical,
controlling digital access to data, files, or networks.
Disclaimer/Note
the university.
Role Corporate Email CRM Customer Unix Employees

Network DB info
User Yes Yes No No No No
IT System Yes Yes Yes Yes Yes Yes

Admin
Developer Yes Yes No No Yes No
Sales No Yes Yes Yes No No

Consultant
HR Yes Yes No No No Yes
Role-based access control can be complemented by other access control techniques. Examples of such types of
access control include:
Discretionary Access Control (DAC)
The owner of a protected system or resource sets policies defining who can access it. DAC can involve physical or
digital measures, and is less restrictive than other access control systems, as it offers individuals complete control
over the resources they own. However, it is also less secure, because associated programs inherit security settings
and allow malware to exploit them without the knowledge of the end-user. You can use RBAC to implement DAC.
Mandatory Access Control (MAC)
A central authority regulates access rights based on multiple levels of security. MAC involves assigning
classifications to system resources and the security kernel or operating system. Only users or devices with the
required information security clearance can access protected resources. Organizations with varying levels of data
classification, like government and military institutions, typically use MAC to classify all end users. You can use
role-based access control to implement MAC.
Types of Access Control: RBAC Alternatives
Other access control mechanisms could serve as alternatives to role-based access control.
Disclaimer/Note
the university.
Access Control List (ACL)
An access control list (ACL) is a table listing the permissions attached to computing resources. It tells the operating
system which users can access an object, and which actions they can carry out. There is an entry for each user,
which is linked to the security attributes of each object. ACL is commonly used for traditional DAC systems.
RBAC vs ACL
For most business applications, RBAC is superior to ACL in terms of security and administrative overhead. ACL is
better suited for implementing security at the individual user level and for low-level data, while RBAC better
serves a company-wide security system with an overseeing administrator. An ACL can, for example, grant write
access to a specific file, but it cannot determine how a user might change the file.
Attribute-Based Access Control (ABAC)
ABAC evaluates a set of rules and policies to manage access rights according to specific attributes, such as
environmental, system, object, or user information. It applies boolean logic to grant or deny access to users based
on a complex evaluation of atomic or set-valued attributes and the relationship between them.
In practical terms, this allows you to write rules in eXtensible Access Control Markup Language (XACML), using
key-value pairs like Role=Manager and Category=Financial.
RBAC vs ABAC
While RBAC relies on pre-defined roles, ABAC is more dynamic and uses relation-based access control. You can
use RBAC to determine access controls with broad strokes, while ABAC offers more granularity. For example, an
RBAC system grants access to all managers, but an ABAC policy will only grant access to managers that are in the
financial department. ABAC executes a more complex search, which requires more processing power and time, so
you should only resort to ABAC when RBAC is insufficient.
Implementing Role-Based Access Control
Role-based access control allows organizations to improve their security posture and comply with security
regulations. However, implementing role-based access control across an entire organization can be complex and
may result in pushback from stakeholders. To succeed in your move to RBAC, you should treat the implementation
process as a series of steps:
• Understanding your business needs—before you move to RBAC, you should run a comprehensive needs
analysis to examine job functions, supporting business processes and technologies. You should also consider
any regulatory or audit requirements and assess the current security posture of your organization. You may
also benefit from other types of access control.
• Planning the scope of implementation—identify the scope of your RBAC requirements and plan the
implementation to align with the organization’s needs. Narrow your scope to focus on systems or
applications that store sensitive data. This will also help your organization manage the transition.
• Defining roles—it will be easier to define your roles once you have performed the needs analysis and
understand how individuals perform their tasks. Watch out for common role design pitfalls like excessive or
insufficient granularity, role overlap, and granting too many exceptions for RBAC permissions.
• Implementation—the final phase involves rolling out the RBAC. Do this in stages, to avoid an overwhelming
workload and reduce disruption to the business. First, address a core group of users. Start with coarse-
Disclaimer/Note
the university.
grained access control before increasing granularity. Collect feedback from users and monitor your
environment to plan the next stages of implementation.
Disclaimer/Note
the university.

MCS 220 EM 2021-22

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MCS 220 EM 2021-22

Uploaded by

Copyright:

Available Formats

• Facebook-https://www.facebook.com/dalal.

Course Code : MCS-220

There are two forms of singleton design pattern

o Early Instantiation: creation of instance at load time.

Q2. Explain Servlet Architecture. Also explain Servlet Life Cycle.

The service() Method

The doPost() Method

The destroy() Method

public class LoginServlet extends HttpServlet

Q4. Explain Spring Boot and Spring MVC frameworks.

The Spring MVC framework consists of the following components :

There are four main layers in Spring Boot :

I am using Command window to run these scripts

Issue the following command

Enter the password

Now run these scripts

1. create database javainsimpleway;

Check the table created using below command

Please refer this article on how to do it.

1. <?xml version="1.0" encoding="UTF-8"?>

3. "-//Hibernate/Hibernate Configuration DTD 3.0//EN"

1. <?xml version="1.0" encoding="UTF-8"?>

8. <id name="id" type="int" column="Id">

11. // Create the SessionFactory from hibernate.cfg.xml

38. Session session = HibernateUtil.getSessionFactory().openSession();

98. if (trns != null) {

28. User user2 = new User();

Q6. Explain Hibernate (ORM) configuration with Annotation in brief.

1. Configuration : Generally written in hibernate.properties or hibernate.cfg.xml files. For Java

Following is the mapping of Employee class with annotations to map objects

public int getId() {

public void setId( int id ) {

public String getFirstName() {

public void setFirstName( String first_name ) {

public String getLastName() {

public void setLastName( String last_name ) {

public int getSalary() {

public void setSalary( int salary ) {

0 seconds of 30 minutes, 46 secondsVolume 0%

java -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl Test <host>

You need to install JSSE;

A brief look at SSL

SSL addresses three important security issues:

The JSSE API

Socket createSocket(String host, int port)

ServerSocket createServerSocket(int port)

void addHandshakeCompletedListener(HandshakeCompletedListener listener)

java -Djavax.net.ssl.keyStore=foobar -Djavax.net.ssl.keyStorePassword=foobar EchoServer

java -Djavax.net.ssl.trustStore=foobar -Djavax.net.ssl.trustStorePassword=foobar EchoClient

Permission/Role Writer Reader

Read Yes Yes

Types of Access Control: Complementary Control Mechanisms

Role Corporate Email CRM Customer Unix Employees

User Yes Yes No No No No

IT System Yes Yes Yes Yes Yes Yes

Developer Yes Yes No No Yes No

Sales No Yes Yes Yes No No

HR Yes Yes No No No Yes

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Types of Access Control: RBAC Alternatives

Access Control List (ACL)

Attribute-Based Access Control (ABAC)

Implementing Role-Based Access Control