MCS-220 – Web Technologies June 2024 – IGNOU MCA New PYQ Solution

Question 1 (a) Differentiate between web server and web container.

Web Server:

• A web server handles HTTP requests and serves static content like HTML, CSS, and JavaScript files.
• It processes incoming requests from clients and returns the appropriate static resources.
• Example: Apache HTTP Server, Nginx.

Web Container:

• A web container (also known as a servlet container) is a part of a web server or application server that provides the environment to run Java Servlets and JavaServer Pages (JSP).
• It manages the lifecycle of servlets, mapping URLs to specific servlets, and ensuring that the servlets respond to requests.
• Example: Apache Tomcat, Jetty.

Key Difference:

• While a web server serves static content, a web container handles dynamic content by executing Java servlets and JSPs.

Question 1 (b): What are “Creational Design Patterns”? Write their utility.

Definition: Creational design patterns deal with object creation mechanisms, trying to create objects in a manner suitable to the situation.

Types:

• Singleton: Ensures a class has only one instance and provides a global point of access.
• Factory Method: Defines an interface for creating objects, but allows subclasses to alter the type of objects that will be created.
• Abstract Factory: Provides an interface for creating families of related or dependent objects without specifying their concrete classes.
• Builder: Constructs complex objects by separating the construction process from the actual representation.
• Prototype: Creates new objects by copying an existing object, known as the prototype.

Utility:

• These patterns increase flexibility and reuse of existing code.
• They help in making a system independent of how its objects are created, composed, and represented.

Question 1 (c): How struts 2 differs from struts 1? List the various features of struts 1.

Struts 1:

• Uses ActionServlet as the front controller.
• Action classes are tightly coupled with the servlet API.
• Validation is done using validate() method in form beans.
• Uses JSP and JSTL for view rendering.

Struts 2:

• Uses FilterDispatcher as the front controller.
• Action classes are POJOs and are not dependent on the servlet API.
• Validation is done using annotations or XML configuration.
• Uses OGNL (Object-Graph Navigation Language) for dynamic value expressions.

Key Differences:

• Struts 2 provides a more flexible and extensible framework compared to Struts 1.
• It simplifies development by reducing boilerplate code and enhancing testability.

Question 1 (d): What is Hibernate framework in Java? What is the utility of Hibernate? Give advantages of Hibernate framework.

Definition:

• Hibernate is an open-source ORM (Object-Relational Mapping) framework for Java.
• It provides a framework for mapping an object-oriented domain model to a traditional relational database.

Utility:

• Simplifies database interactions by mapping Java objects to database tables.
• Provides data query and retrieval facilities.
• Manages database connections and transactions.

Advantages:

• Reduces boilerplate code for database operations.
• Supports inheritance, associations, and collections.
• Provides transparent persistence.
• Offers caching mechanisms for performance optimization.

Question 1 (e): Differentiate between load() and get() methods.

get() Method:

• Immediately fetches the object from the database.
• Returns null if the object is not found.
• Suitable when the object may or may not exist.

load() Method:

• Returns a proxy object and loads the actual object when it’s accessed (lazy loading).
• Throws ObjectNotFoundException if the object is not found.
• Suitable when the object is expected to exist.

Question 1 (f): Explain the term Aspect Oriented Programming with suitable example.

Definition:

• AOP is a programming paradigm that aims to increase modularity by allowing the separation of cross-cutting concerns.

Example:

• Aspect: Logging functionality.
• Join Point: Method execution.
• Advice: Code to be executed at the join point (e.g., logging before method execution).
• Pointcut: Expression that matches join points.

Implementation in Spring:

• Spring AOP allows aspect-oriented programming using annotations like @Aspect, @Before, @After, and @Around.

Question 1 (g): Compare spring boot and spring MVC.

Spring MVC:

• A part of the Spring Framework used to build web applications.
• Requires manual configuration of beans and components.
• Suitable for traditional web applications.

Spring Boot:

• A framework built on top of Spring that simplifies the setup and development of new Spring applications.
• Provides embedded servers and auto-configuration.
• Suitable for microservices and RESTful APIs.

Question 1 (h): What is message digest? Write the steps to send encrypted data with message digest and for the validation of encrypted data.

Definition:

• A message digest is a fixed-length string of characters produced by a cryptographic hash function from a variable-length input.

Steps to Send Encrypted Data:

1. Generate a message digest of the data.
2. Encrypt the message digest with a private key to create a digital signature.
3. Send the original data along with the digital signature.

Validation:

• The receiver generates the message digest of the received data and compares it with the decrypted digest to ensure data integrity.

Question 2 (a): Explain the various components of J2EE architecture with suitable block diagram.

Components:

• Client Tier: User interface components like browsers or mobile applications.
• Web Tier: Handles HTTP requests and responses (e.g., servlets, JSPs).
• Business Tier: Contains business logic components (e.g., EJBs).
• Enterprise Information System (EIS) Tier: Interacts with databases and legacy systems.

Block Diagram:

• Client → Web Tier → Business Tier → EIS Tier

Question 2 (b): Explain the servlet life cycle. Also compare the generic servlet with HTTP servlet.

Life Cycle Phases:

1. Loading: Servlet class is loaded into memory.
2. Instantiation: Servlet instance is created.
3. Initialization: init() method is called.
4. Request Handling: service() method processes client requests.
5. Destruction: destroy() method is called before servlet is removed from memory.

Generic Servlet vs. HTTP Servlet:

• Generic Servlet: Protocol-independent, requires overriding service() method.
• HTTP Servlet: Protocol-dependent, provides doGet(), doPost(), etc., methods for handling HTTP requests.

Question 2 (c): Discuss the role of cookies in session management. How does persistent cookies differ from non-persistent cookies?

Role of Cookies:

• Cookies are small pieces of data stored on the client-side to maintain stateful information between server and client.

Persistent vs. Non-Persistent Cookies:

• Persistent Cookies: Stored on the client for a specified duration.
• Non-Persistent Cookies: Stored temporarily and deleted when the browser is closed.

Question 3 (a): Explain the cooking and flow of struts 2 with suitable block diagram.

Struts 2 is an open-source Java web application framework based on the Model-View-Controller (MVC) design pattern. It helps in building web applications by separating business logic, presentation, and navigation logic.

Working of Struts 2:

1. Client Request: The client sends an HTTP request to the web server.
2. FilterDispatcher: The request is intercepted by the FilterDispatcher (front controller), which processes all incoming requests.
3. Action Mapping: The ActionMapper identifies the corresponding action class for the request based on URL and configuration (struts.xml or annotations).
4. Interceptors: The request passes through a chain of interceptors that provide features such as validation, file upload, and authentication.
5. Action Execution: The mapped action class executes the business logic and returns a result string (e.g., SUCCESS, ERROR).
6. Result Processing: The framework maps the result string to a view (like a JSP page) and renders the response.
7. Response: The rendered view is sent back to the client’s browser.

Block Diagram of Struts 2 Flow:

Client Request
      ↓
FilterDispatcher (Front Controller)
      ↓
Action Mapping (Locate Action Class)
      ↓
Interceptors (Pre/Post Processing)
      ↓
Action Execution (Business Logic)
      ↓
Result Processing (Render View)
      ↓
Response to Client

Summary: Struts 2 provides a flexible, interceptor-based architecture where the FilterDispatcher manages the request lifecycle, making it easy to develop modular, maintainable web applications following the MVC pattern.

Question 3 (b): How does Built-in Java Annotation differ from Java Custom Annotation? Briefly discuss the various annotations classified under each.

Java Annotations are metadata that provide information about the program but do not affect the program’s execution directly. They help in configuring and managing code behavior in a clean way.

Difference Between Built-in and Custom Annotations:

Various Built-in Annotations:

1. @Override: Indicates that a method is overriding a method declared in a superclass. Helps catch errors if the method does not actually override anything.
2. @Deprecated: Marks a class, method, or field as deprecated, signaling that it should no longer be used and may be removed in the future.
3. @SuppressWarnings: Instructs the compiler to suppress specific warnings, like unchecked or deprecation warnings.
4. @SafeVarargs: Suppresses warnings related to unsafe operations on varargs parameters.
5. @FunctionalInterface: Indicates that an interface is intended to be a functional interface (with a single abstract method).

Various Custom Annotations:

• Definition: Custom annotations are defined by the programmer using the @interface keyword.
• Example: @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) public @interface LogExecutionTime { }
• Usage:
  Custom annotations can be used to provide metadata for frameworks or custom logic, such as marking methods to log execution time or managing transactions.
• Common Examples in Frameworks:
  • @Entity (JPA) – marks a class as a database entity.
  • @Autowired (Spring) – indicates automatic dependency injection.
  • @Controller (Spring MVC) – marks a class as a controller component.

Summary:

• Built-in annotations are predefined and provide instructions for the compiler or runtime environment.
• Custom annotations are created by developers to add meaningful metadata tailored to their application or framework needs.

Question 4 (a): What is spring boot? Explain the need of spring boot. Describe the working of spring boot with suitable block diagram.

Spring Boot is an open-source Java-based framework built on top of the Spring framework. It is designed to simplify the process of developing production-ready, stand-alone Spring applications by providing auto-configuration, starter dependencies, and embedded servers.

Need for Spring Boot:

• Simplified Setup: Traditional Spring applications require complex XML configurations or Java-based configuration. Spring Boot eliminates this by providing auto-configuration based on project dependencies.
• Embedded Servers: Unlike traditional Spring MVC applications that need external web servers, Spring Boot comes with embedded servers like Tomcat or Jetty, allowing applications to run independently.
• Rapid Development: It accelerates development with starter templates and reduces boilerplate code.
• Opinionated Defaults: Spring Boot offers sensible defaults, reducing guesswork for developers.
• Microservices Ready: Ideal for creating microservices and cloud-native applications with minimal setup.
• Production Features: Provides health checks, metrics, and externalized configuration for easier deployment and monitoring.

Working of Spring Boot:

1. Client Request: The client sends an HTTP request to the application.
2. Embedded Server: Spring Boot applications run on embedded servers such as Tomcat, which listen for incoming requests.
3. DispatcherServlet: Spring Boot’s embedded server forwards the request to DispatcherServlet, the front controller in Spring MVC.
4. Controller: The controller processes the request, invoking business logic or services as required.
5. Service Layer: Contains business logic; handles processing and calls repositories for data operations.
6. Repository Layer: Interacts with the database to fetch or store data.
7. Response: After processing, the response is returned to the client.

Block Diagram of Spring Boot Workflow:

Client Request
      ↓
Embedded Server (Tomcat/Jetty)
      ↓
DispatcherServlet (Front Controller)
      ↓
Controller Layer
      ↓
Service Layer
      ↓
Repository Layer (Database Interaction)
      ↓
Response to Client

Summary:

• Spring Boot simplifies Spring application development with auto-configuration and embedded servers.
• It reduces the need for manual configuration, enabling rapid and easy development.
• The embedded server architecture allows applications to run standalone.
• Spring Boot is highly suitable for building microservices and cloud-ready applications.

Question 4 (b): Explain any four of the following web application security vulnerabilities:
(i) Cross site scripting
(ii) Cross site request forgery
(iii) SQL injection
(iv) Denial of Service
(v) Insecure direct object reference

(i) Cross-Site Scripting (XSS)

Cross-Site Scripting is a security flaw that allows attackers to inject malicious scripts into web pages that other users view. These scripts run in the victim’s browser and can steal sensitive data like cookies, session tokens, or manipulate the webpage content.

• Types:
  • Stored XSS: Malicious code is stored on the server (e.g., in a database) and delivered to users.
  • Reflected XSS: Code is reflected off a web server, usually via URL parameters or form inputs.
  • DOM-based XSS: Exploits vulnerabilities in client-side scripts manipulating the DOM.
• Impact: Theft of sensitive information, session hijacking, or redirecting users to malicious sites.
• Prevention: Sanitize inputs, encode outputs, implement Content Security Policy (CSP), and use frameworks that automatically escape outputs.

(ii) Cross-Site Request Forgery (CSRF)

CSRF tricks a user’s browser into making unwanted requests to a web application where the user is authenticated, without their consent.

• How it Works:
  An attacker crafts a request (like form submission) that executes actions on behalf of the user, such as changing passwords or making transactions.
• Impact: Unauthorized actions performed on the victim’s behalf.
• Prevention: Use anti-CSRF tokens, validate the Referer header, implement same-site cookies, and require re-authentication for sensitive operations.

(iii) SQL Injection

SQL Injection occurs when an attacker inserts malicious SQL statements into input fields that are executed by the database, exploiting inadequate input validation.

• How it Works:
  Unsanitized inputs are concatenated into SQL queries, allowing attackers to manipulate database commands.
• Impact: Unauthorized data access, data corruption, deletion, or even gaining administrative control.
• Prevention: Use parameterized queries (prepared statements), stored procedures, input validation, and ORM frameworks.

(iv) Denial of Service (DoS)

Denial of Service attacks overwhelm a web server or application with excessive requests or resource-heavy operations, making it unavailable to legitimate users.

• How it Works:
  Attackers flood the system with traffic or exploit vulnerabilities causing resource exhaustion.
• Impact: Service downtime, loss of availability, financial and reputational damage.
• Prevention: Implement rate limiting, use firewalls, load balancers, and deploy intrusion detection systems.

(v) Insecure Direct Object Reference (IDOR)

IDOR happens when an application exposes internal implementation objects (like files, database keys) without proper access control, allowing attackers to access unauthorized data.

• How it Works:
  Attackers manipulate object identifiers in URLs or parameters to access data of other users.
• Impact: Unauthorized access to sensitive data or functions.
• Prevention: Implement proper access control checks, avoid exposing direct references, and use indirect references or mapping.

Summary

Web application vulnerabilities like XSS, CSRF, SQL Injection, DoS, and IDOR pose serious risks to security and data integrity. Developers must implement strong validation, authentication, and security best practices to protect applications from these threats.

Write short notes on the following:
(a) Java Secure Socket Extension (JSSE)
(b) Spring security modules
(c) Role Based Access Control (RBAC)
(d) Cross Site Request Forgery (CSRF)
(e) Hibernate Query Language (HQL) and Insert, Delete, Update, Select queries in HQL

(a) Java Secure Socket Extension (JSSE)

Java Secure Socket Extension (JSSE) is a Java API that provides secure communication capabilities using protocols such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security). It enables developers to create secure network connections, ensuring data encryption, authentication, and integrity over insecure networks like the internet.

• Features:
  • Supports SSL and TLS protocols
  • Provides APIs for creating secure sockets (SSLSocket)
  • Manages certificates and keys for authentication
  • Enables encrypted communication between client and server

(b) Spring Security Module

Spring Security is a powerful and customizable framework for authentication and access control in Java applications. It provides comprehensive security services.

• Main Modules:
  • Core: Provides the basic security features such as authentication and access control.
  • Web: Secures web applications by providing filters and web-specific security features.
  • Config: Allows configuration using XML or Java annotations.
  • LDAP: Supports authentication via LDAP servers.
  • OAuth: Implements OAuth 2.0 for authentication and authorization.

Spring Security integrates well with other Spring projects and supports various authentication methods.

(c) Role Based Access Control (RBAC)

Role Based Access Control (RBAC) is a security mechanism where permissions are assigned to roles rather than individual users. Users are then assigned to roles based on their responsibilities, which simplifies management of access rights.

• Key Concepts:
  • Roles represent job functions or responsibilities.
  • Permissions are assigned to roles, controlling access to resources.
  • Users inherit permissions by being assigned to roles.
• Benefits:
  • Simplifies permission management.
  • Ensures consistent access control.
  • Improves security by enforcing the principle of least privilege.

(d) Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a web security vulnerability where an attacker tricks a logged-in user into submitting malicious requests to a web application without their consent.

• How it works:
  • The attacker crafts a request (like form submission) to perform actions on behalf of the user.
  • The user’s browser sends the request with authentication credentials, causing unauthorized actions.
• Prevention Techniques:
  • Use anti-CSRF tokens in forms and headers.
  • Validate the HTTP Referer header.
  • Implement same-site cookies and require re-authentication for sensitive actions.

(e) Hibernate Query Language (HQL) and Insert, Delete, Update, Select Queries in HQL

Hibernate Query Language (HQL) is an object-oriented query language similar to SQL but operates on persistent objects instead of database tables.

• Features:
  • Supports polymorphic queries.
  • Uses entity names and property names instead of table and column names.
  • Database independent.
• Basic Queries:
  • Select: from Employee where salary > 50000
  • Insert:
    HQL does not support direct insert; instead, objects are saved using the session’s save() method.
  • Update: update Employee set salary = salary + 5000 where department = 'Sales'
  • Delete: delete from Employee where id = 101