[Main text]
x, they might want to use Enterprise JavaBeans (EJB) to encapsulate their business logic. So, they might switch to BEA WebLogic or Oracle9i AS. Again, none of their servlets or JSP pages have to be rewritten. Finally, if their project becomes even bigger, they might move it off of their Linux box and onto an IBM mainframe running IBM WebSphere. But once again, none of their servlets or JSP pages have to be rewritten.

6. Secure

One of the main sources of vulnerabilities in traditional CGI stems from the fact that the programs are often executed by general-purpose operating system shells. So, the CGI programmer must be careful to filter out characters such as backquotes and semicolons that are treated specially by the shell. Implementing this precaution is harder than one might think, and weaknesses stemming from this problem are constantly being uncovered in widely used CGI libraries.

A second source of problems is the fact that some CGI programs are processed by languages that do not automatically check array or string bounds. For example, in C and C++ it is perfectly legal to allocate a 100-element array and then write into the 999th element, which is really some random part of program memory. So, programmers who forget to perform this check open up their system to deliberate or accidental buffer overflow attacks.

Servlets suffer from neither of these problems. Even if a servlet executes a system call (e.g., with … or JNI) to invoke a program on the local operating system, it does not use a shell to do so. And, of course, array bounds checking and other memory protection features are a central part of the Java programming language.

7. Mainstream

There are a lot of good technologies out there. But if vendors don't …

An Overview of Servlet and JSP Technology
Gildas Avoine and Philippe Oechslin, EPFL, Lausanne, Switzerland

A Servlet's …

… 're already convinced that Java technology makes for more reliable and reusable code than does Visual Basic, VBScript, or C++. Why go back to those languages for server-side programming?

3. Powerful

Servlets support several capabilities that are difficult or impossible to accomplish with regular CGI. Servlets can talk directly to the Web server, whereas regular CGI programs cannot, at least not without using a server-specific API. Communicating with the Web server makes it easier to translate relative URLs into concrete path names, for instance. Multiple servlets can also share data, making it easy to implement database connection pooling and similar resource-sharing optimizations. Servlets can also maintain information from request to request, simplifying techniques like session tracking and caching of previous computations.

4. Portable

Servlets are written in the Java programming language and follow a standard API. Servlets are supported directly or by a plugin on virtually every major Web server. Consequently, servlets written for, say, Macromedia JRun can run virtually unchanged on Apache Tomcat, Microsoft Internet Information Server (with a separate plugin), IBM WebSphere, iPlanet Enterprise Server, Oracle9i AS, or StarNine WebStar. They are part of the Java 2 Platform, Enterprise Edition (J2EE) …

(2) Read the implicit request data sent by the browser.

Even if it could do so, for security reasons we would not want it to. However, two kinds of data are actually sent: the document itself, and the behind-the-scenes HTTP information. Remember that users submit two types of data: explicit (i.e., HTML form data) and implicit (i.e., HTTP request headers). The page uses information from a corporate database or another back-end data source. Moreover, a servlet API for Session Initiation Protocol servers has recently been standardized (see …); this use of servlets is not yet widespread, so here we discuss only HTTP servlets. Finally, once the CGI program has finished handling the request, the program terminates. Multiple servlets can also share data, making it easy to implement database connection pooling and similar resource-sharing optimizations. … run on Oracle9i AS or StarNine WebStar. Marty has taught JSP and servlet training courses in Manila, where there is great interest in servlet and JSP technology. If their project grows larger, they might want to move to a distributed environment.

Secure: One of the main sources of vulnerabilities in traditional CGI programs is that CGI programs are often executed by general-purpose operating system shells. Of course, array bounds checking and other memory protection features are a central part of the Java programming language.
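The two guarantees the "Secure" section relies on, shown as an added Java example (not code from the page): an out-of-range array write is rejected rather than corrupting memory, and a program started from Java receives user-supplied text as a single argv element with no shell in between. ProcessBuilder is my choice of launch API, and a POSIX system with /bin/echo is assumed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.List;

public class ServletSafetyDemo {
    // Claim 1: Java checks array bounds. The write a C program would silently
    // perform into unrelated memory is rejected with an exception here.
    static String writeOutOfBounds() {
        int[] buffer = new int[100];
        try {
            buffer[999] = 42;
            return "write succeeded (unexpected)";
        } catch (ArrayIndexOutOfBoundsException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Claim 2: a program launched through ProcessBuilder receives its arguments
    // as an argv array. No shell parses the command line, so ';' and backquotes
    // reach the child as ordinary text. Assumes a POSIX system with /bin/echo.
    static String runWithoutShell(String untrustedInput)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(List.of("/bin/echo", untrustedInput))
                .redirectErrorStream(true)
                .start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                out.append(line);
            }
        }
        p.waitFor();
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(writeOutOfBounds());
        // Constructed sample input: a shell would split it at ';' and expand the
        // backquoted part; passed as one argv element it stays a single string.
        String input = "Smith; echo `date`";
        String echoed = runWithoutShell(input);
        System.out.println("child received: " + echoed);
        System.out.println("argument unchanged: " + input.equals(echoed));
    }
}
```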