Section 8.1. The Server Side


Our GWT application connects to a PHP file running on the Apache web server. This PHP file provides the information from the server, which ends up displayed in the text fields. Here's the source code for the PHP:

    <?php
    //set the content-type HTTP header
    header("Content-Type: text/plain; charset=UTF-8");
    //Indicate that the browser should not cache the received value
    header("Cache-Control: no-cache");
    $info_array = array(
        "server" => $_SERVER["SERVER_SOFTWARE"],
        "date" => date("l, F j, Y H:i:s", $_SERVER["REQUEST_TIME"]),
        "browser" => $_SERVER["HTTP_USER_AGENT"]);
    echo json_encode($info_array);
    ?>

This code sets a couple of HTTP response headers that specify the return value's content type (text/plain; charset=UTF-8), and that the browser, or any other caching mechanism along the request-response chain, should not cache the received value. Then the code creates an array of data to send about the server software, the request's date, and the user-agent header value.

The program uses the $_SERVER global variable to obtain its information. For example, you can access the user agent string with the code: $_SERVER["HTTP_USER_AGENT"].

Finally, the PHP uses a function named json_encode() to encode the array in JSON format, and the echo statement to write it to the HTTP response.

If you look at Figure 7 and the alert window, you will see exactly what the format of the returned information looks like. JSON is an easy-to-use format to exchange between the client and server tiers of an Ajax application.

NOTE

An Ajax application that handles JSON return values typically converts these values to JavaScript objects using, among other techniques, JavaScript's built-in eval() function. This design strategy, however, can potentially open up an application to security vulnerabilities such as cross-site scripting (XSS) attacks. See http://en.wikipedia.org/wiki/Cross_site_scripting.

For example, since the JSON response is interpreted as JavaScript, a hacker could intercept an HTTP response and inject annoying (pop-up windows with bizarre messages) or malicious program code into the application. Developers are encouraged to keep this security implication in mind when using JSON as a data format. One defensive strategy is to use regular expressions or some other mechanism to filter the response text before the application converts the JSON-formatted string to a JavaScript object. This is admittedly an imperfect solution, as it couples the server component to the client by specifying in the client a certain format for an HTTP response.

Of course, substituting XML for JSON is not a completely bulletproof strategy either, as the HTTP response could be well-formed XML containing distorted or malicious element content. For this reason, both server-side and client-side developers have to give security the highest priority when designing Ajax applications.
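The filtering strategy described in the note above, as an added example that is not code from the original text. It goes one step beyond the text by parsing with JSON.parse instead of eval() and by checking that the three expected fields are strings; the function names are hypothetical and the sample responses are constructed.

```javascript
// Added example: check a JSON response before converting it to an object.
// Field names match the PHP output above; function names are hypothetical.

// Filter step from the note: drop string literals, then allow only the
// characters that JSON punctuation, numbers and true/false/null can contain.
function looksLikeJson(text) {
  const withoutStrings = text.replace(/"(\\.|[^"\\])*"/g, "");
  return !/[^,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/.test(withoutStrings);
}

// Parse without eval(): JSON.parse never runs the text as code.
// Then enforce the shape the client expects: three string fields.
function parseServerInfo(text) {
  if (!looksLikeJson(text)) {
    throw new Error("response is not plain JSON");
  }
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error("expected a JSON object");
  }
  const info = {};
  for (const key of ["server", "date", "browser"]) {
    if (typeof obj[key] !== "string") {
      throw new Error("missing or non-string field: " + key);
    }
    info[key] = obj[key];
  }
  return info;
}

// Wrap the parser so a rejected response is reported, not thrown.
function tryParse(text) {
  try {
    return { ok: true, value: parseServerInfo(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed sample responses (not captured from a real server).
const goodResponse =
  '{"server":"Apache/2.2.3","date":"Monday, June 5, 2006 10:15:00","browser":"Mozilla/5.0"}';
const tamperedResponse =
  '{"server":"Apache/2.2.3","date":alert("hi"),"browser":"Mozilla/5.0"}';

console.log(tryParse(goodResponse));
console.log(tryParse(tamperedResponse));
```

The character filter alone is the imperfect defense the note describes; the parse and shape checks are what keep a response that passes the filter from being treated as code or as unexpected data.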

An alternative to PHP is the following Java servlet. The advantage of a servlet is that it can easily be integrated with GWT's embedded instance of the Tomcat servlet container, when you are using GWT in host mode.

    package com.parkerriver;

    import java.io.IOException;
    import java.io.PrintWriter;
    import java.util.*;
    import org.json.JSONObject;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpServletRequest;

    public class AjaxEbookServlet extends HttpServlet {

        protected void doGet(HttpServletRequest httpServletRequest,
                             HttpServletResponse httpServletResponse)
                throws ServletException, IOException {
            //set Content-Type and Caching headers
            httpServletResponse.setHeader("Content-Type",
                "text/plain; charset=UTF-8");
            httpServletResponse.setHeader("Cache-Control",
                "no-cache");
            //for backward compatibility with HTTP/1.0...
            httpServletResponse.setHeader("Pragma",
                "no-cache");
            Map infoMap = new HashMap();
            infoMap.put("server",
                httpServletRequest.getServerName());
            infoMap.put("date", new java.util.Date().toString());
            infoMap.put("browser", httpServletRequest.
                getHeader("user-agent"));
            //The object that writes to the response stream
            PrintWriter writer = httpServletResponse.getWriter();
            //See: http://www.json.org/java/index.html
            JSONObject jObj = new JSONObject(infoMap);
            writer.print(jObj.toString());
            writer.close();
        }

        protected void doPost(HttpServletRequest httpServletRequest,
                              HttpServletResponse httpServletResponse)
                throws ServletException, IOException {
            doGet(httpServletRequest, httpServletResponse);
        }
    }

Now we will examine the guts of it all: the HTML file, GwtAjax.html and the Java file that forms the application's logic, GwtAjax.java.




Google Web Toolkit for Ajax
Google Web Toolkit GWT Java AJAX Programming: A step-by-step to Google Web Toolkit for creating Ajax applications fast
ISBN: 1847191002
EAN: 2147483647
Year: 2006
Pages: 29
