Data Holder

The data holder is the container for the knowledge base. The knowledge base is loaded once and shared across servlet requests. To hold the knowledge base we use a class variable. This works fine since each web context has its own class loader and therefore its own class data. The logic needed to access the holder follows from the execution flow; it is essentially the cached value pattern:

    /**
     * <p>If necessary do set up of the knowledge base.</p>
     */
    public synchronized static void initKnowledgebase() {
        /* cached value pattern: nothing to do if already loaded */
        if (know != null)
            return;
        try {
            know = new Knowledgebase(ToolkitLibrary.DEFAULT, Data.class);
            /* setup the Prolog runtime */
            Interpreter inter = know.iterable();
            Knowledgebase.initKnowledgebase(inter);
            /* load the Prolog code */
            Object consultGoal = inter.parseTerm(
                    "consult(library(example01/table))");
            /* run the consult goal once and release the iterator */
            inter.iterator(consultGoal).next().close();
        } catch (InterpreterMessage x) {
            throw new RuntimeException(x);
        } catch (InterpreterException x) {
            throw new RuntimeException(x);
        }
    }

The servlet application allows concurrent requests. If the cached value pattern were executed concurrently by multiple threads, either an incompletely loaded knowledge base could be returned or the knowledge base could be loaded twice. Our solution here is very simple: we protect the method with the synchronized keyword. The Java compiler then generates code so that the method body is synchronized on the data holder class (for a static method the monitor is the Class object itself). As a result only one thread at a time can execute the method body.

It is well known that web servers are exposed to a number of threats. All of the top 5 vulnerabilities listed by Symantec are due to poor application design and/or web server settings. Half of the top vulnerabilities are based on non-sanitized strings. Each component of a web server may have its own string coding conventions, and neglecting the necessary conversions can have drastic consequences. In our example we deal with the coding of text inside URL requests and with the coding of plain text inside XML.

The URL encoding and decoding of form data is in practice done for us by the browser and the web server. For the coding of plain text inside XML there is no standard helper available. Rather than going to the lengths of using a commons library, we coded our own XML coding library. Prolog access is provided via the module library(system/xml). The XML encoding can also be accessed directly from within Java via the class matula.util.system.ForeignXml and its static methods.
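As an added example (not the page's own ForeignXml code, whose method names are not given here), the following Java class shows what such an XML coding helper has to do for plain text, beside the unsafe string concatenation it replaces; the class and method names are assumptions.

```java
/** Added example: escaping plain text for XML element content and attribute values. */
public class XmlCodingExample {

    /** Escape text for use as element content or inside a quoted attribute value. */
    public static String escapeXml(String text) {
        StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:
                    // Control characters other than tab, LF and CR are not legal in
                    // XML 1.0 even when escaped, so they are dropped instead of emitted.
                    if (c < 0x20 && c != '\t' && c != '\n' && c != '\r')
                        break;
                    out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable: decoded request text is placed into the XML unchanged. */
    static String unsafeResult(String name, String value) {
        return "<result name=\"" + name + "\">" + value + "</result>";
    }

    /** Hardened: every piece of plain text passes through escapeXml first. */
    static String safeResult(String name, String value) {
        return "<result name=\"" + escapeXml(name) + "\">"
                + escapeXml(value) + "</result>";
    }

    public static void main(String[] args) {
        // Constructed sample input standing in for URL-decoded form parameters.
        String name = "a\" extra=\"b";
        String value = "1 < 2 & <b>bold</b>";
        System.out.println(unsafeResult(name, value)); // injected attribute, broken markup
        System.out.println(safeResult(name, value));   // well-formed XML, text kept literal
    }
}
```

The same escaping is required for both the attribute value and the element content; the example deliberately uses the one helper in both positions so that a missed conversion in either place becomes obvious in review.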
