The mock question goes something like this: "...a web application is required to be secure and stateful..."
The correct answer is: use HTTPS since it is secure and stateful because of SSL.
While I understand the security aspect of it, I am not quite firm on the statefulness of it. How can I utilize statefulness of HTTPS from a Java perspective?
Will my Java code look different if I use HTTP or HTTPS? I don't think so. The whole point is that I enable HTTPS on my application server and therefore my application will use HTTPS but with no modification of my code.
Is the underlying implementation of the Servlet API recognizing that HTTPS is in use and utilizing its ability of statefulness...?
HTTPS doesn't make your application stateful. It can help you handle authentication and keep the data passed over the wire from prying eyes (...unless they're pretty smart, determined and have the right processing power at their disposal to break the encryption, or have compromised physical security in some way).
Making a web application stateful means that you need to persist information about the interaction you are having with a client over a series of request/response pairs. You do need to make adjustments in your code to account for that. The most common way to do that is by using the session object in the web tier. Persistence of the session may be handled in a number of ways, including URL rewriting etc. You can continue this notion of remembering parts of the conversation your application is having with a client into the business logic tier by using stateful session beans.
That's what I thought too. Therefore the answer to the mock question is pretty much useless, since HTTPS doesn't provide (a from a Java application point of view usable kind of) statefulness. What do you think...
I agree. The only state-related stuff with SSL is the notion of being able to authenticate once and recognize future requests from the authenticated client so that additional challenges are not necessary. To that extent there is a certain amount of state, but you can have a stateful web-based application without it too.
I wonder if what the question was actually arguing was the "old favorite": Is HTTP a connectionless or connection-oriented protocol?
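The distinction drawn in the replies above, between application state kept in the session object and the state SSL keeps for itself, can be seen in one servlet. This is an added example, not code from any poster in the thread; the class name `ConversationServlet` and the attribute key `requestCount` are assumptions made for illustration, and the TLS request attribute is the one defined by the Servlet 3.0 specification.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical servlet for illustration; class name and attribute key are assumptions.
public class ConversationServlet extends HttpServlet {
    private static final String COUNT_KEY = "requestCount";
    // Standard request attribute (Servlet 3.0+) exposing the TLS session id.
    private static final String TLS_ID_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Application state: held in the container-managed HttpSession.
        // This code is identical whether the request arrived over HTTP or HTTPS.
        HttpSession session = req.getSession(true);
        Integer previous = (Integer) session.getAttribute(COUNT_KEY);
        int count = (previous == null) ? 1 : previous + 1;
        session.setAttribute(COUNT_KEY, count);

        // Transport state: the only places the servlet can see HTTPS at all.
        // The TLS session id is null over plain HTTP, and it can change
        // (renegotiation, new connection) while the HttpSession lives on.
        boolean secure = req.isSecure();
        Object tlsSessionId = req.getAttribute(TLS_ID_ATTR);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Requests in this HttpSession: " + count);
        out.println("HttpSession id is new:        " + session.isNew());
        out.println("Arrived over HTTPS:           " + secure);
        out.println("TLS session id present:       " + (tlsSessionId != null));
        if (!secure) {
            // The session id travelled in clear text on this request, so the
            // "stateful" part works but the "secure" part of the question does not.
            out.println("Warning: session identifier sent without encryption.");
        }
    }
}
```

Requesting the servlet repeatedly over either scheme increments the counter, which shows that the state comes from `HttpSession` and not from the transport.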