1. Basic concepts and knowledge points
1. web server: a tcp server that implements the http protocol
2, application server: a server that implements program logic
3. web container: a container that provides basic support
4, proxy: proxy, the intermediary between the client and the target
5. https: http over Transport Layer Security (TLS)
6. The program logic of servlet processing resource requests, programmers handle multi-users by themselves, resulting in multi-threading problems
7. ServletContext: an environment shared by multiple servlets
8. servlet container: runtime that supports servlet execution
9, forward: the internal process of the server jumps to another page
10. Redirect: Force the client to request a second time, which can be reflected in the client's address bar
11. Session: From the time when the client opens the browser to connect to the server, to when the client closes the browser and leaves the server, it is called a session. When a client accesses the server, it may repeatedly connect to several pages on the server, refresh a page repeatedly, or submit information to a page continuously. object.
12. cookie: The data that the client will bring with each http interaction, which can be used to mark the uid, and the data exists in the client.
13、tomcat的server service connector engine servlet
server: expose service to the outside world, theoretically it can be more than just http service
service: connector+container, http service
connector: handles external request connections, such as socket and transport related
Container: The specific processing logic environment, which is divided into engine, host, context
engine: servlet container (supports multiple virtual hosts)
host: virtual host (different from the host on the hardware), corresponding to a website (public network ip)
context: the context of an app (a host can have multiple apps)
14. The logic of filter for each request
15. The code automatically executed when the listener event occurs, divided into ServletContext, HttpSession and ServletRequest
16. csrf: (Cross-site request forgery) Cross-site request forgery, using the session information after login to disguise the browser to send http requests. Defensive measures: try not to use get in api, because get is a single url, which is easy to be embedded; add a token domain to each post to ensure that the request is initiated from a fixed page; or directly add an account verification or verification code; judge referer; in Custom attributes in HTTP headers and validation
17. XSS: Cross-site scripting, adding automatically executed js code (can be <script> or hidden html event trigger) in the user's input, to prevent the escape of user input
18. DDoS: Distributed Denial of Service destroys the availability in information security "confidentiality", "integrity" and "availability", and uses a large number of broilers to imitate real requests, resulting in server resource exhaustion. Including ARP, ICMP, IP, UDP, TCP and application layer attacks and other layers.
19. The scope of variables includes page, request, session, application, etc.
Second, java and python (take django as an example) support for web development
1. The level of infrastructure
python: wsgi server, wsgi standard, web framework, app
java:app server、servlet容器、servlet、request+request、session
2. Standard wsgi vs javaee
3、signal VS listener
4、middleware VS Filter
5、django middleware tips:
process_request: After receiving the request, parse the url, before determining the view
process_view: before entering the view callback
view_callback: specific callback
process_template_response: After the view is executed, before the template is rendered (the template can be changed)
process_response: After generating the response
3. The actual development process
1、springmvc + mybatis
Directory Structure
pojo / entry / model
dao
service
controller
filter
Implement database schema, model, dao, service, controller in turn
packaged into war
deploy to tomcat and other servers
2、django
Write model, configure url, write view, set template, write configuration file
Pack and go online
No need for pojo, dao, service and other parts
4. Summary
1. Java is a statically typed language, but web development requires flexibility, so java has made many specifications to provide support for web development, such as the encapsulation of javaee system, servlet, request, header, cookie, session, filter, listener, etc. , jdbc, orm mapping, etc.
2. Python is a dynamically typed language that supports closures and decorators. The expressiveness of the language is much greater than that of Java. Therefore, Python does not design very detailed specifications for web development, but only defines wsgi to decouple the app server from the web framework. . Inside the web framework, because it is a scripting language, there is no need to abstract data structures such as request, header, and cookie (just use dict directly), and the mapping of orm is also very light.
3. Python does not need dependency injection and reflection (built-in directly supports import of strings), aop (language supports higher-order functions), webmvc (supports url direct mapping callback), and does not need to design a pluggable architecture (you can use configuration directly file), no need to deal with all type-related issues