Web应用程序安全外文翻译参考文献

互联网Web服务中英文对照外文翻译文献(文档含英文原文和中文翻译)An internet-based logistics management system forenterprise chains.Developing the internet-based application toolWeb services offer new opportunities in business landscape, facilitating a global marketplace where business rapidly create innovative products and serve customers better. Whatever that business needs is, Web services have the flexibility to meet the demand and allow to accelerate outsourcing. In turn, the developer can focus on building core competencies to create customer and shareholder value. Application development is also more efficient because existing Web services, regardless of where they were developed, can easily be reused.Many of the technology requirements for Web services exist today, such as open standards for business to-business applications, mission-critical transaction platforms and secure integration and messaging products. However, to enable robust and dynamic integration of applications, the industry standards and tools that extend the capabilities of to days business-to-business interoperability are required. The key to taking full advantage of Web services is to understand what Web services are and how the market is likely to evolve. One needs to be able to invest inplatforms and applications today that will enable the developer to quickly and effectively realize these benefits as well as to be able to meet the specific needs and increase business productivity.Typically, there are two basic technologies to be implemented when dealing with internet-based applications; namely server-based and client-based. Both technologieshave their strong points regarding development of the code and the facilities they provide. Server-based applications involve the development of dynamically created web pages. These pages are transmitted to the web browser of the client and contain code in the form of HTML and JA V ASCRIPT language. The HTML part is the static part of the page that contains forms and controls for user needs and the JA V ASCRIPT part is the dynamic part of the page. Typically, the structure of the code can be completely changed through the intervention of web server mechanisms added on thetransmission part and implemented by server-based languages such as ASP, JSP, PHP, etc. This comes to the development of an integrated dynamic page application where user desire regarding problem peculiarities (calculating shortest paths, execute routing algorithms, transact with the database, etc.) is implemented by appropriately invoking different parts of the dynamic content of such pages. In server-based applications allcalculations are executed on the server. In client-based applications, JA V A applets prevail. Communication of the user is guaranteed by the well-known JA V A mechanism that acts as the medium between the user and code.Everything is executed on the client side. Data in this case have to be retrieved, once and this might be the time-consuming part of the transaction.In server-based applications, server resources are used for all calculations and this requires powerful server facilities with respect to hardware and software. Client-based applications are burdened with data transmission (chiefly related to road network data). There is a remedy to that; namely caching. Once loaded, they are left in the cache archives of the web browser to be instantly recalled when needed.In our case, a client-based application was developed. The main reason was the demand from the users point of view for personal data discretion regarding their clients. In fact, this information was kept secret in our system even from the server side involved.Data management plays major role in the good function of our system. This role becomes more substantial when the distribution takes place within a large and detailed road network like this of a major complex city. More specifically, in order to produce the proposed the routing plan, the system uses information about:●the locations of the depot and the customers within the road networkof the city (their co-ordinates attached in the map of the city),●the demand of the customers serviced,●the capacity of the vehicles used,●the spatial characteristics of road segments of the net work examined, ●the topography of the road network,●the speed of the vehicle, considering the spatial characteristics of theroad and the area within of which is moved,●the synthesis of the company fleet of vehicles.Consequently, the system combines, in real time, the available spatial characteristics with all other information mentioned above, and tools for modelling, spatial, non-spatial, and statistical analysis, image processing forming a scalable, extensible and interoperable application environment. The validation and verification of addresses of customers ensure the accurate estimation of travel times and distances travelled. In the case of boundary in the total route duration, underestimates of travel time may lead to failure of the programmed routing plan whereas overestimates can lower the utilization of drivers andvehicles, and create unproductive wait times as well (Assad, 1991). The data corresponding to the area of interest involved two different details. A more detailed network, appropriately for geocoding (approximately250,000 links) and a less detailed for routing (about 10,000 links). The two networks overlapped exactly. The tool that provides solutions to problems of effectively determining the shortest path, expressed in terms of travel time or distance travelled, within a specific road network, using the D ijkstra’s algorithm(Winston,1993). In particular, the Dijkstra’s algorithm is used in two cases during the process of developing the routing plan. In the first case, it calculates the travel times between all possible pairs of depot and customers so that the optimizer would generate the vehicle routes connecting them and in the second case it determines the shortest path between two involved nodes (depot or customer) in the routing plan, as this was determined by the algorithm previously. Due to the fact, that U-turn and left-,right-turn restrictions were taken into consideration for network junctions, an arc-based variant of the algorithm was taken into consideration (Jiang, Han, & Chen, 2002).The system uses the optimization algorithms mentioned in the following part in order to automatically generate the set of vehicle routes (which vehicles should deliver to which customers and in which order) minimizing simultaneously the vehicle costs and the total distance travelled by the vehicles This process involves activities that tend to be more strategic and less structured than operational procedures. The system helpsplanners and managers to view information in new way and examine issues such as:●the average cost per vehicle, and route,●the vehicle and capacity utilization,●the service level and cost,●the modification of the existing routing scenario by adding orsubtracting customers.In order to support the above activities, the interface of the proposed system provides a variety of analyzed geographic and tabulated data capabilities. Moreover, the system can graphically represent each vehicle route separately, cutting it o? from the final routing plan and offering the user the capability for perceiving the road network and the locations of depot and customers with all details.物流管理系统发展基于互联网的应用工具Web服务提供的商业景观的新机会，促进全球市场在业务快速推出创新的产品和客户提供更好的服务。

javaweb英文参考文献Below is an example of a reference list for JavaWeb related articles:1. Anderson, J., & Anderson, L. (2018). Building Java Web Services. McGraw-Hill Education.This book provides a comprehensive guide to building Java web services. It covers topics such as creating web services using SOAP and RESTful principles, handling data exchange formats like XML and JSON, and implementing security measures. The book also provides practical examples and code snippets to help readers understand the concepts better.2. Liang, Y. D. (2014). Introduction to Java Programming: Comprehensive Version. Pearson.Although this book is not specifically focused on JavaWeb, it serves as an essential reference for any Java programmer. It covers the basics of Java programming, including object-oriented concepts, control structures, and data types. Understanding these fundamentals is crucial when developing Java web applications.3. Liguori, R., & Liguori, P. (2019). Java Web Development with Servlets, JSP, and EJB. Packt Publishing.This book is a practical guide to Java web development. It introduces the Servlet and JavaServer Pages (JSP) technologies, which are key components in JavaWeb application development. It also covers Enterprise JavaBeans (EJB) and database integration,helping readers build robust and scalable web applications.4. Ambler, S. W. (2015). Agile Modeling: Effective Practices for Extreme Programming and the Unified Process. John Wiley & Sons.Agile modeling is crucial for efficient JavaWeb development. This book introduces various agile practices and principles, such as iterative development, user stories, and test-driven development. It can help developers understand how to adapt their Java web development processes to be more agile and responsive to changing requirements.5. Somekh, A., & Kogan, Y. (2017). Java Web Development: From Beginner to Professional. Apress.This book provides a step-by-step guide to Java web development, starting from the basics and gradually advancing to more complex topics. It covers important concepts such as servlets, JSPs, JavaBeans, and the MVC (Model-View-Controller) architecture, enabling readers to build professional Java web applications.6. Holmes, J., & Brown, J. (2016). Java Web Applications: Servlets, JSP, Frameworks. Prentice Hall.This book offers a comprehensive overview of Java web development, focusing on servlets, JSP, and popular frameworks such as Spring and Struts. It covers topics like session management, authentication and authorization, and integrating databases into Java web applications. The book also provides real-worldexamples and best practices for developing robust and scalable web applications.Remember to check the specific formatting guidelines required by your institution or journal for properly citing the references.。

WEB安全研究金丽君摘要：本文主要针对WEB安全问题越来越引起人们的重视这一现状，初步地介绍了国内外对WEB安全问题的研究现状，全面地介绍和分析了WEB服务和应用中存在的各种威胁，并探讨了WEB安全问题的防护对策，来提高计算机网络的安全性。

关键词：WEB安全、安全威胁、安全防护Abstract：This article will focus WEB security has drawn increasing attention to this situation, the initial introduction to security issues at home and abroad on the WEB Research, a comprehensive description and analysis of the WEB services and applications that exist in a variety of threats, and to explore the WEB security protection measures.一、引言1.1研究背景及目的随着网络时代的来临，人们在享受着网络带来的无尽的快乐的同时，也面临着越来越严重和复杂的网络安全威胁和难以规避的风险，网上信息的安全和保密是一个至关重要的问题。

网络的安全措施应是能全方位地针对各种不同的威胁和脆弱性，这样才能确保网络信息的保密性、完整性和可用性，计算机网络的安全以及防范措施已迫在眉睫。

网络安全评估技术是评价计算机网络安全的重要手段，现今在众多的安全技术中已经占据越来越重要的位置。

通过风险评估，对系统进行细致而系统的分析，在系统分析的基础上对系统进行综合评价，最后通过评价结果来了解系统中潜在的危险和薄弱环节，并最终确定系统的安全状况，为以后的安全管理提供重要依据。

随着Internet的普及，人们对其依赖也越来越强，但是由于Internet的开放性，及在设计时对于信息的保密和系统的安全考虑不完备，造成现在网络的攻击与破坏事件层出不穷，给人们的日常生活和经济活动造成了很大麻烦。

Web信息系统毕业论文中英文资料外文翻译文献中英文资料翻译With the popularity of the Inter NET applications, a variety of Web Information System Has become a pressing issue. Establish the essence of Web information systems Development of a Web repository (database as the core of a variety of Web letter Information storage) as the core Web applications. Currently, the Web repositorydevelopment technologyOperation of a wide range of different characteristics. Various periods at all levels, a variety of purposes Technology co-exist, dizzying mirror chaos, it is difficult to choose. More popular Java of Ser vet Web repository development program a more practical Of choice.Servlet is running the applet on the Web server, can be completed Xu Multi-client Applet can not complete the work, which runs on the server and clients No end, do not download do not by the client security restrictions, the running speed Greatly increasedAnd Applet running in a browser and extend the browser's ability similar Like, Serv the let run in the Web server to enable Java Serv the let engine And expand the capacity of the server. Therefore, we can say Serv the let is run in Applet on a Web server, Serv the let Jav a Ser vlet API And Jav a program of classes and packages.1 Servlet access model2 Serv the let, there are three access models:(1) an access model1 browser to Web server to issue a retrieval request.2 the Web server after receipt of the request, the requestforwarded tothe Servle tengine.3 Serlet engine to perform the requested the Ser vlet and directly throughJDBC4Servlet throughJDBC toretrieve searchresults to generate the html page and Page back to the Web server.5 the Web server the page is sent back to the browser.(2)The second access model1 browser to Web server to issue a retrieval request.2 the Web server receives the request after the request forwardedto the of Ser v the letengine.3 Serv let engine to perform the request the the Ser vlet and retrieve sentJa, vabean access to the data.4data access the Ja vabean searchable database throughJDBC informationAnd from the search results stored in itself.5Servlet remove search results from the data access Javabean generate Html page and Ht ml of page back to the w eb server.6 the Web server the page is sent back to the browser.(3) The third access model1 A browser issue a retrieval request to the Web server.2 Web server receives the request after the request forwarded to the ofSer v the let engine.Of Ser vlet engine to perform the requested Servlet directlythroughJDBC inspection3 The cable database and search results are stored in the result isstored the Jav abean into.Javabean,4. Ser v the let from the results are stored to remove the search results and JSP files to format the output page.2 Servlet functionality and life cycle2.1Servlet functions(1) Create and return dynamic Web pages based on customer requests.(2) create can be embedded into existing HTML pages as part of HTML Page (HT fragment) of the ML.(3) and other server resources (including databases and applications based on the Jav a Program) to communicate.(4) to handle multiple client connections, receiving the input of more than one client, and The results broadcast to multiple clients. For example, Ser vlet is a multi-participant Game server.(5) of MIM E type filter information on the special handling, such as image Conversion and server-side include (SSI).(6) custom processing available to all servers in the standard routine.2.2Servlet lifecycleServlet life cycle begins with it into the Web server's memory And end in the termination or re-loaded Serv the let.(1) load.Load the servlet at the following times:1. If you have configured automatic load option, and then start the Webserver automatically loaded2.After the start of the Web server, the client Serv the let issued for the first time, pleaseDemand.3.Reload Serv the let.Loaded Servlet, Web servers to create a servlet instance, and Servlet's init () method is called. Servlet initialization parameters in the initialization phase, The number is passed to the Servlet configuration object.(2) terminateWhen the Web server no longer needs the servlet, or reload Servlet A new instance of the server calls Serv the let's destroy () method, remove it from the Memory deleted.3 How to call ServletMethod of Ser vlet is called Total five kinds: call in the URL in the formT ag call, call, in HT the ML page in the JSP files Call, call in an ASP file. The following itemized to be introduced.(1) call the servlet in the URL.Simply input format in the browser as http: ∥yo ur webser ver the same the ser vlet name name / servlet path / servlet the URL to The site canbe. Ofwhich:your webser ver name is to refer to the Servlet where theWeb server name, the servlet path is the path refers to the Servlet, the servletThe name refers to the Servlet real name or an alias.(2) call the Servlet tagsCall of Ser the let the the tag allows users to input data on the Web page, andinput data submitted to the vlet of Ser.Serv the let will be submitted to receive data in different ways.For example: {place the text input area tags, buttons and other logos} (3) in the HTML page to call the servlet.Use mark tags, no need to create a complete HTML page.Instead,the servlet output isonly part of the HTMLpage (HTML fragment) and dynamicallyembedded into the static text in the original HTML page.All this happened on the server andsent to the user only the resulting HTML page. tag contained in the original HTML page.Servlet will be invoked in these two markers and the Ser vlet response will cover these two markersbetween all things and mark itself, for example: 〈SERVLET NAME= “my serv let ”CODE= “my serv let .class”CODEBASE= “u r l”initpar am= “v alue”〉〈PARAM NAME= “parm1”VALU E= “v alue1”〉〈PARAM NAME= “parm2”VALU E= “v alue2”〉〈/SERVLET 〉(4) call the servlet in the JSP files.Call in the JSP file format used by the Servlet and HTML page to call exactly the same.Andthe principles are identical. Only reconcile its dynamic JSP file is not a static HTML page.(5) in an ASP file calls the servlet.If you Micr oso ft I nt ernet Informatio n-Ser ver (II S) on the legacy of the ASP file, and can not be ASP files transplanted into a JSP file, you can use the ASP file to of Ser vlet iscalled.But it must be through a special ActiveX control, an ASP file is only through it can callthe servlet.4 Servlet Howto use ConnectionManager toefficiently manage the database connection (1) the functionality of the Connection Manager.For non-Web applications, Web-based application access tothe database will lead tohigher and unpredictable overhead, which is due to more frequent Web users connect anddisconnect.Normally connected to the resourcesused and disconnect from the databasewill farexceed the resources used in the retrieval.Connection Manager function is to minimize the additional occupancy of the users of the database resources to achieve thebest performance of database access.Connection Manager sharing overhead through the establishmentof the connection poolwill connect users Servlet available to multipleusers request.In other words, each userrequest only the connect/ disconnect with a small portion of the overhead costs.Initialresources to establish the connection of the buffer pool, the rest of the connect/ disconnectoverhead is not big, because this isonly reuse the existing connection.Serv the let in the following manner using the connectionpool: When a user throughRequest Web Serv the let the let Serv use an existing connection from the buffer poolNext, this means that the user requests do not cause the connection to the databasesystem overhead. InAfter the termination of serv the let it connect to return to the pool forits Connection ManagerThe Ser vlet. Thus, the user request does not cause the database is disconnectedOf system overhead.Connection Manager also allows users to be able tocontrol the concurrency of thedatabase products evenThen the number. When the database license agreement limit the number ofusers, this feature isVery useful. Create a buffer pool for the database, and connection managementBuffering pool "maximum number of connections" parameter setto the database product license limitGiven maximum number of users. If you use otherprograms without Connection ManagerconnectionsDatabase, you can not guarantee that the method is effective.(2) the structure of the Connection Manager.(3) Connection Manager connection pool to maintain a connection to a specificdatabase is open. Step 1: When the first Serv the let trying to Connection Manager communications is loaded by the Java Application ServerConnection Manager. As long as the Java application server running the Connection Manager has been loaded. Step 2: The Java application server passes the request to a servlet. Step 3: Servlet Connection Managerrequests a connection from the pool. Step four: the buffer pool to Ser vlet allocated a pool of existing idle connection. Step 5: servlet to use toconnect a direct dialogue with the database, this process is the standard API for a particular database. Step 6: the database through Ser vlet the connection returns data. Step 7: When theServlet end to communicate with the database, servlet connections returned to the connection manager pool for other servlet uses. Step 8: Servlet Jav a application server to the user sends back response.Servlet requests a connection, if the buffer pool, there is no idle connection, then the connection manager directlycommunicate with the database. Connection Manager will: Step 9: to the database requests a new connection. Step 10: Add connections to thebuffer pool. If the buffer pool is connected to the prescribed ceiling, connect to the serverWill not be a new connection to join the buffer pool(3) the performance characteristics of the Connection Manager.Buffer pool to create a new connection is a high overhead tasks, newconnections will use the resources on the database. Therefore, theConnection Manager the best use of existing connections of the buffer pool to meet the request of the Servlet. Meanwhile, the connecting tubeThe processor must be as much as possible to minimize the buffer pool idle connections, because this is a great waste of systemresources. Connection Manager Serv the let with the implementation of these minimize and maximize task. Connection Manager to maintain each connection verification time stamp, and recently used tags and use the logo. When the a Ser vlet first the connection, connection verification time stamp, and most recent time stamp is set to the current time, theconnection is being used flag is set to true.Connection Manager can be removed from a Serv the let a long-unused connections, this length of time specified by the Connection Manager, the longest cycleparameters.Connection Manager can view recently used mark is beingused to connect. If the time between the most recently used time and time difference is greater than the longest cycle configuration parameters, the connection will be considered to be a residual connection, which indicates Serv the let take its discontinued or no response. Residual connection will be returned to the pool for other Ser vlet, it is being used flag is set to false, authentication and time stamp is set to the current time.If Ser vlet is ready within a longer period of time to use the connection with the database several timesCommunications, you must code to the Serv the let, so that each time you use to connectConfirm that it still occupies this connection.Connection Manager can be removed from the buffer pool idle connections, because theyWould be a waste of resources. In order to determine which connection is idle, Connection Manager will checkInvestigation connected the sign and time stamp, this operation isconnected by periodic access toBuffer pool information. Connection Manager checks have not been any Ser vlet makeWith the connections (these connections is to use the logo is false). If you have recently usedBetween time and the current time difference exceeds amaximum idle time configuration parameters, theThat the connection is idle. Idle connection will be removed from the buffer pool, down toMinimum number of connections configuration parameter specifies thelower limit value.翻译：随着Inter net 的普及应用, 各种Web 信息系统的建立已成为一个迫在眉睫的问题。

javaweb英文参考文献以下是关于JavaWeb的英文参考文献的相关参考内容：1. Deepak Vohra. Pro XML Development with Java Technology. Apress, 2006.This book provides a comprehensive guide to XML development with Java technology. It covers topics such as XML basics, XML parsing using Java, XML validation, DOM and SAX APIs, XSLT transformation, XML schema, and SOAP-based web services. The book also includes numerous code examples and case studies to illustrate the concepts.2. Robert J. Brunner. JavaServer Faces: Introduction by Example. Prentice Hall, 2004.This book introduces the JavaServer Faces (JSF) framework, which is a part of the Java EE platform for building web applications. It provides a step-by-step guide to building JSF applications using various components and features such as user interface components, data validation, navigation handling, and backing beans. The book also covers advanced topics such as internationalization and security.3. Brett McLaughlin. Head First Servlets and JSP: Passing the Sun Certified Web Component Developer Exam. O'Reilly Media, 2008. This book is a comprehensive guide to the development of Java web applications using Servlets and JavaServer Pages (JSP). It covers topics such as HTTP protocol, Servlet lifecycle, request andresponse handling, session management, JSP syntax and directives, JSTL and EL expressions, deployment descriptors, and web application security. The book also includes mock exam questions to help readers prepare for the Sun Certified Web Component Developer exam.4. Hans Bergsten. JavaServer Pages, 3rd Edition. O'Reilly Media, 2011.This book provides an in-depth guide to JavaServer Pages (JSP) technology, which is used for creating dynamic web content. It covers topics such as JSP syntax, scriptlets and expressions, JSP standard actions, JSP custom tag libraries, error handling, JSP with databases, JSP and XML, and internationalization. The book also includes examples and best practices for using JSP effectively.5. Marty Hall, Larry Brown. Core Servlets and JavaServer Pages, 2nd Edition. Prentice Hall, 2003.This book is a comprehensive guide to building Java web applications using Servlets and JavaServer Pages (JSP). It covers topics such as Servlet API, HTTP protocol, session management, request and response handling, JSP syntax and directives, JSP custom tag libraries, database connectivity, and security. The book also includes numerous code examples and case studies to demonstrate the concepts.6. Michael Ernest. Java Web Services in a Nutshell. O'Reilly Media, 2003.This book provides a comprehensive reference to Java-based web services technology. It covers topics such as SOAP, WSDL, UDDI, and XML-RPC protocols, as well as Java API for XML-based web services (JAX-WS) and Java API for RESTful web services (JAX-RS). The book also includes examples and best practices for developing and deploying web services using Java technology. Please note that the above references are just a selection of some of the available books on the topic of JavaWeb. There are numerous other resources available that can provide more detailed information on specific aspects of JavaWeb development.。

互联网金融安全中英文对照外文翻译文献中英文对照外文翻译文献(文档含英文原文和中文翻译)Database Security in a Web Environment IntroductionDatabases have been common in government departments and commercial enterprises for many years. Today, databases in any organization are increasingly opened up to a multiplicity of suppliers, customers, partners and employees - an idea that would have been unheard of a few years ago. Numerous applications and their associated data are now accessed by a variety of users requiring different levels of access via manifold devices and channels – often simultaneously. For example:• Online banks allow customers to perform a variety of banking operations - via the Internet and over the telephone – whilst maintaining the privacy of account data.• E-Commerce merchants and their Service Providers must store customer, order and payment data on their merchant server - and keep it secure.• HR departments allow employees to update their personal information –whilst protecting certain management information from unauthorized access.• The medical profession must protect the confidentiality of patient data –whilst allowing essential access for treatment.• Online brokerages need to be able to provide large numbers of simultaneous users with up-to-date and accurate financial information.This complex landscape leads to many new demands upon system security. The global growth of complex web-based infrastructures is driving a need for security solutions that provide mechanisms to segregate environments; perform integrity checking and maintenance; enable strong authentication andnon-repudiation; and provide for confidentiality. In turn, this necessitates comprehensive business and technical risk assessment to identify the threats,vulnerabilities and impacts, and from this define a security policy. This leads to security definitions throughout the infrastructure - operating system, database management system, middleware and network.Financial, personal and medical information systems and some areas of government have strict requirements for security and privacy. Inappropriate disclosure of sensitive information to the wrong parties can have severe social, legal and regulatory consequences. Failure to address the basics can result in substantial direct and consequential financial losses - witness the fraud losses through the compromise of several million credit card numbers in merchants’ databases [Occf], plus associated damage to brand-image and loss of consumer confidence.This article discusses some of the main issues in database and web server security, and also considers important architecture and design issues.A Simple ModelAt the simplest level, a web server system consists of front-end software and back-end databases with interface software linking the two. Normally, the front-end software will consist of server software and the network server operating system, and the back-end database will be a relational orobject-oriented database fulfilling a variety of functions, including recording transactions, maintaining accounts and inventory. The interface software typically consists of Common Gateway Interface (CGI) scripts used to receive information from forms on web sites to perform online searches and to update the database.Depending on the infrastructure, middleware may be present; in addition, security management subsystems (with session and user databases) that address the web server’s and related applications’ requirements for authentication, accesscontrol and authorization may be present. Communications between this subsystem and either the web server, middleware or database are via application program interfaces (APIs)..This simple model is depicted in Figure 1.Security can be provided by the following components:• Web server.• Middleware.• Operating system.. Figure 1: A Simple Model.• Database and Database Management System.• Security management subsystem.The security of such a system addressesAspects of authenticity, integrity and confidentiality and is dependent on the security of the individual components and their interactions. Some of the most common vulnerabilities arise from poor configuration, inadequate change control procedures and poor administration. However, even if these areas are properlyaddressed, vulnerabilities still arise. The appropriate combination of people, technology and processes holds the key to providing the required physical and logical security. Attention should additionally be paid to the security aspects of planning, architecture, design and implementation.In the following sections, we consider some of the main security issues associated with databases, database management systems, operating systems and web servers, as well as important architecture and design issues. Our treatment seeks only to outline the main issues and the interested reader should refer to the references for a more detailed description.Database SecurityDatabase management systems normally run on top of an operating system and provide the security associated with a database. Typical operating system security features include memory and file protection, resource access control and user authentication. Memory protection prevents the memory of one program interfering with that of another and limits access and use of the objects employing techniques such as memory segmentation. The operating system also protects access to other objects (such as instructions, input and output devices, files and passwords) by checking access with reference to access control lists. Security mechanisms in common operating systems vary tremendously and, for those that are lacking, there exists special-purpose security software that can be integrated with the existing environment. However, this can be an expensive, time-consuming task and integration difficulties may also adversely impact application behaviors.Most database management systems consist of a number of modules - including database querying and database and file management - along with authorization, concurrent access and database description tables. Thesemanagement systems also use a variety of languages: a data definition language supports the logical definition of the database; developers use a data manipulation language; and a query language is used by non-specialist end-users.Database management systems have many of the same security requirements as operating systems, but there are significant differences since the former are particularly susceptible to the threat of improper disclosure, modification of information and also denial of service. Some of the most important security requirements for database management systems are: • Multi-Level Access Control.• Confidentiality.• Reliability.• Integrity.• Recovery.These requirements, along with security models, are considered in the following sections.Multi-Level Access ControlIn a multi-application and multi-user environment, administrators, auditors, developers, managers and users – collectively called subjects - need access to database objects, such as tables, fields or records. Access control restricts the operations available to a subject with respect to particular objects and is enforced by the database management system. Mandatory access controls require that each controlled object in the database must be labeled with a security level, whereas discretionary access controls may be applied at the choice of a subject.Access control in database management systems is more complicated than in operating systems since, in the latter, all objects are unrelated whereas in a database the converse is true. Databases are also required to make accessdecisions based on a finer degree of subject and object granularity. In multi-level systems, access control can be enforced by the use of views - filtered subsets of the database - containing the precise information that a subject is authorized to see.A general principle of access control is that a subject with high level security should not be able to write to a lower level object, and this poses a problem for database management systems that must read all database objects and write new objects. One solution to this problem is to use a trusted database management system.ConfidentialitySome databases will inevitably contain what is considered confidential data. For example, it could be inherently sensitive or its source may be sensitive, or it may belong to a sensitive table, thus making it difficult to determine what is actually confidential. Disclosure is also difficult to define, as it can be direct, indirect, involve the disclosure of bounds or even mere existence.An inference problem exists in database management systems whereby users can infer sensitive information from relatively insensitive queries. A trivial example is a request for information about the average salary of an employee and the number of employees turns out to be just one, thus revealing the employee’s salary. However, much more sophisticated statistical inference attacks can also be mounted. This highlights the fact that, although the data itself may be properly controlled, confidential information may still leak out.Controls can take several forms: not divulging sensitive information to unauthorized parties (which depends on the respective subject and object security levels), logging what each user knows or masking response data. The first control can be implemented fairly easily, the second quickly becomesunmanageable for a large number of users and the third leads to imprecise responses, and also exemplifies the trade-off between precision and security. Polyinstantiation refers to multiple instances of a data object existing in the database and it can provide a partial solution to the inference problem whereby different data values are supplied, depending on the security level, in response to the same query. However, this makes consistency management more difficult.Another issue that arises is when the security level of an aggregate amount is different to that of its elements (a problem commonly referred to as aggregation). This can be addressed by defining appropriate access control using views.Reliability, Integrity and RecoveryArguably, the most important requirements for databases are to ensure that the database presents consistent information to queries and can recover from any failures. An important aspect of consistency is that transactions execute atomically; that is, they either execute completely or not at all.Concurrency control addresses the problem of allowing simultaneous programs access to a shared database, while avoiding incorrect behavior or interference. It is normally addressed by a scheduler that uses locking techniques to ensure that the transactions are serial sable and independent. A common technique used in commercial products is two-phase locking (or variations thereof) in which the database management system controls when transactions obtain and release their locks according to whether or not transaction processing has been completed. In a first phase, the database management system collects the necessary data for the update: in a second phase, it updates the database. This means that the database can recover from incomplete transactions by repeatingeither of the appropriate phases. This technique can also be used in a distributed database system using a distributed scheduler arrangement.System failures can arise from the operating system and may result in corrupted storage. The main copy of the database is used for recovery from failures and communicates with a cached version that is used as the working version. In association with the logs, this allows the database to recover to a very specific point in the event of a system failure, either by removing the effects of incomplete transactions or applying the effects of completed transactions. Instead of having to recover the entire database after a failure, recovery can be made more efficient by the use of check pointing. It is used during normal operations to write additional updated information - such as logs, before-images of incomplete transactions, after-images of completed transactions - to the main database which reduces the amount of work needed for recovery. Recovery from failures in distributed systems is more complicated, since a single logical action is executed at different physical sites and the prospect of partial failure arises.Logical integrity, at field level and for the entire database, is addressed by the use of monitors to check important items such as input ranges, states and transitions. Error-correcting and error-detecting codes are also used.Security ModelsVarious security models exist that address different aspects of security in operating systems and database management systems. For example, theBell-LaPadula model defines security in terms of mandatory access control and addresses confidentiality only. The Bell LaPadula models, and other models including the Biba model for integrity, are described more fully in [Cast95] and [Pfle89]. These models are implementation-independent and provide a powerfulinsight into the properties of secure systems, lead to design policies and principles, and some form the basis for security evaluation criteria.Web Server SecurityWeb servers are now one of the most common interfaces between users and back-end databases, and as such, their security becomes increasingly important. Exploitation of vulnerabilities in the web server can lead to unforeseen attacks on middleware and backend databases, bypassing any controls that may be in place. In this section, we focus on common web server vulnerabilities and how the authentication requirements of web servers and databases are met.In general, a web server platform should not be shared with other applications and should be the only machine allowed to access the database. Using a firewall can provide additional security - either between the web server and users or between the web server and back-end database - and often the web server is placed on a de-militarized zone (DMZ) of a firewall. While firewalls can be used to block certain incoming connections, they must allow HTTP (and HTTPS) connections through to the web server, and so attacks can still be launched via the ports associated with these connections.VulnerabilitiesVulnerabilities appear on a weekly basis and, here, we prefer to focus on some general issues rather than specific attacks. Common web server vulnerabilities include:• No policy exists.• The default configuration is on.• Reusable passwords appear in clear.• Unnecessary ports available for network services are not disabled.• New security holes are not tracked. Even if they are, well-known vulnerabilities are not always fixed as the source code patches are not applied by system administrator and old programs are not re-compiled or removed.• Security tools are not used to scan the network for weaknesses and changes or to detect intrusions.• Faulty and buggy software - for example, buffer overflow and stack smashingAttacks• Automatic directory listings - this is of particular concern for the interface software directories.• Server root files are generally visible or accessible.• Lack of logs and bac kups.• File access is often not explicitly configured by the system administrator according to the security policy. This applies to configuration, client, administration and log files, administration programs, and CGI program sources and executables. CGI scripts allow dynamic web pages and make program development (in, for example, Perl) easy and rapid. However, their successful exploitation may allow execution of malicious programs, launching ofdenial-of-service attacks and, ultimately, privilege escalation on a server.Web Server and Database AuthenticationWhile user, browser and web server authentication are relatively well understood [Garf97], [Ghos98] and [Tree98], the introduction of additional components, such as databases and middleware, raise a number of authentication issues. There are a variety of options for authentication in a simple model (Figure 1). Firstly, both the web server and database management system can individually authenticate a user. This option requires the user to authenticatetwice which may be unacceptable in certain applications, although a singlesign-on device (which aims to manage authentication in a user-transparent way) may help. Secondly, a common approach is for the database to automatically grant user access based on web server authentication. However, this option should only be used for accessing publicly available information. Finally, the database may grant user access employing the web server authentication credentials as a basis for its own user authentication, using security management subsystems (Figure 1). We consider this last option in more detail.Web-based communications use the stateless HTTP protocol with the implication that state, and hence authentication, is not preserved when browsing successive web pages. Cookies, or files placed on user’s machine by a web server, were developed as a means of addressing this issue and are often used to provide authentication. However, after initial authentication, there is typically no re authentication per page in the same realm, only the use of unencrypted cookies (sometimes in association with IP addresses). This approach provides limited security as both cookies and IP addresses can be tampered with or spoofed.A stronger authentication method, commonly used by commercial implementations, uses digitally signed cookies. This allows additional systems, such as databases, to use digitally signed cookie data, including a session ID, as a basis for authentication. When a user has been authenticated by a web server (using a password, for example), a session ID is assigned and is stored in a security management subsystem database. When a user subsequently requests information from a database, the database receives a copy of the session ID, the security management subsystem checks this session ID against its local copy and, if authentication is successful, user access is granted to the database.The session ID is typically transmitted in the clear between the web server and database, but may be protected by SSL or even by physical security measures. The communications between the browser and web servers, and the web servers and security management subsystem (and its databases), are normally protected by SSL and use a web server security API that is used to digitally sign and verify browser cookies. The communications between the back-end databases and security management subsystem (and its databases) are also normally protected by SSL and use a database security API that verifies session Ids originating from the database and provides additional user authorization credentials. The web server security API is generally proprietary while, for the database security API, many vendors have adopted standards such as the Generic Security Services API (GSS-API) or CORBA [RFC2078] and [Corba].Architecture and DesignSecurity requirements for designing, building and implementing databases are important so that the systems, as part of the overall infrastructure, meet their requirements in actual operation. The various security models provide an important insight into the design requirements for databases and their management systems.Secure Database Management System ArchitecturesIn multi-level database management systems, a variety of architectures are possible: trusted subject, integrity locked, kernels and replicated. Trusted subject is used by most of the leading database management system vendors and can be integrated in existing products. Basically, the trusted subject architecture allows users to access a database via an un trusted front-end, a trusted database management system and trusted operating system. The operating systemprovides physical access to the database and the database management system provides multilevel object protection.The other architectures - integrity locked, kernels and replicated - all vary in detail, but they use a trusted front-end and an un trusted database management system. For details of these architectures and research prototypes, the reader is referred to [Cast95]. Different architectures are suited to different environments: for example, the trusted subject architecture is less integrated with the underlying operating system and is best suited when a trusted path can be assured between applications and the database management system.Secure Database Management System DesignAs discussed above, there are several fundamental differences between operating system and database management system design, including object granularity, multiple data types, data correlations and multi-level transactions. Other differences include the fact that database management systems include both physical and logical objects and that the database lifecycle is normally longer.These differences must be reflected in the design requirements which include:• Access, flow and infer ence controls.• Access granularity and modes.• Dynamic authorization.• Multi-level protection.• Polyinstantiation.• Auditing.• Performance.These requirements should be considered alongside basic information integrity principles, such as:• Well-formed transactions - to ensure that transactions are correct and consistent.• Continuity of operation - to ensure that data can be properly recovered, depending on the extent of a disaster.• Authorization and role management – to ensure that distinct roles are defined and users are authorized.• Authenticated users - to ensure that users are authenticated.• Least privilege - to ensure that users have the minimal privilege necessary to perform their tasks.• Separation of duties - to ensure that no single individual has access to critical data.• Delegation of authority - to ensure that the database management system policies are flexible enough to meet the organization’s requirements.Of course, some of these requirements and principles are not met by the database management system, but by the operating system and also by organizational and procedural measures.Database Design MethodologyVarious approaches to design exist, but most contain the same main stages. The principle aim of a design methodology is to provide a robust, verifiable design process and also to separate policies from how policies are actually implemented. An important requirement during any design process is that different design aspects can be merged and this equally applies to security.A preliminary analysis should be conducted that addresses the system risks, environment, existing products and performance. Requirements should then beanalyzed with respect to the results of a risk assessment. Security policies should be developed that include specification of granularity, privileges and authority.These policies and requirements form the input to the conceptual design that concentrates on subjects, objects and access modes without considering implementation details. Its purpose is to express information and process flows in a complete and consistent way.The logical design takes into account the operating system and database management system that will be used and which of the security requirements can be provided by which mechanisms. The physical design considers the actual physical realization of the logical design and, indeed, may result in a revision of the conceptual and logical phases due to physical constraints.Security AssuranceOnce a product has been developed, its security assurance can be assessed by a number of methods including formal verification, validation, penetration testing and certification. For example, if a database is to be certified as TCSEC Class B1, then it must implement the Bell-LaPadula mandatory access control model in which each controlled object in the database must be labeled with a security level.Most of these methods can be costly and lengthy to perform and are typically specific to particular hardware and software configurations. However, the international Common Criteria certification scheme provides the added benefit of a mutual recognition arrangement, thus avoiding the prospect of multiple certifications in different countries.ConclusionThis article has considered some of the security principles that are associated with databases and how these apply in a web based environment. Ithas also focused on important architecture and design principles. These principles have focused mainly on the prevention, assurance and recovery aspects, but other aspects, such as detection, are equally important in formulating a total information protection strategy. For example, host-based intrusion detection systems as well as a robust and tested set of business recovery procedures should be considered.Any fit-for-purpose, secure e-business infrastructure should address all the above aspects: prevention, assurance, detection and recovery. Certain industries are now starting to specify their own set of global, secure e-business requirements. International card payment associations have recently started to require minimum information security standards from electronic commerce merchants handling credit card data, to help manage fraud losses and associated impacts such as brand-image damage and loss of consumer confidence.网络环境下的数据库安全简介数据库在政府部门和商业机构得到普遍应用已经很多年了。

计算机 JSP web 外文翻译外文文献12.1 nEffective web n design involves separating business objects。

n。

and object XXX。

Although one individual may handle both roles on a small-scale project。

it is XXX.12.2 JSP ArchitectureIn this chapter。

XXX using JavaServer Pages。

servlets。

XXX of different architectures。

each building upon the us one。

The diagram below outlines this process。

and we will explain each component in detail later in this article.Note: XXX.)When Java Server Pages were introduced by Sun。

some people XXX。

While JSP is a key component of the J2EE n and serves as the preferred request handler and response mechanism。

it is XXX.XXX JSP。

the XXX that JSP is built on top of the servlet API and uses servlet XXX interesting ns。

such as whether we should XXX in our Web-enabled systems。

and if there is a way to combine servlets and JSPs。

网络安全论文参考文献1. Kim, H., Park, S., Han, K., Park, K., & Kim, J. (2016). A survey of Internet of Things security technologies. Future Generation Computer Systems, 56, 684-700.2. Wang, Q., Zhang, M., Zhu, H., & Wan, W. (2017). A survey on security and privacy issues in big data. IEEE Access, 4, 2751-2765.3. Zhang, Y., Yu, C., & Zheng, F. (2017). A comprehensive survey on secure outsourcing of computation in cloud computing. Tsinghua Science and Technology, 22(5), 479-492.4. Li, Y., Yu, S., Zhang, H., & Li, H. (2020). Towards secure on-demand data retrieval in fog computing. Future Generation Computer Systems, 103, 492-501.5. Zhou, F., & Fang, X. (2017). Survey on security and privacy in online social networks. ACM Computing Surveys (CSUR), 49(3), 1-37.6. Yuan, X., & Yu, S. (2017). Enabling secure and efficient cloud data deduplication with dynamic ownership management. IEEE Transactions on Cloud Computing, 5(2), 229-241.7. Zhu, Y., & Guo, F. (2017). Security and privacy in cyber-physical systems: a survey. IEEE Internet of Things Journal, 4(5), 1250-1268.8. Chen, R., Liu, X., & Zhang, H. (2018). Privacy-preserving and secure IoT data outsourcing: A survey. IEEE Internet of Things Journal, 5(1), 101-115.9. Zhan, J., Song, D., Song, H., Yan, Z., & Yang, Y. (2018). A survey on security and trust of blockchain technology. Future Generation Computer Systems, 82, 134-149.10. Díaz-Verdejo, J., Ortega-Mier, M., López-Guil, J., & Blasco, J. (2019). A systematic review of machine learning techniques for malware detection. Computers & Security, 80, 597-611.。

javaweb英文参考文献下面是关于JavaWeb的参考文献的相关参考内容，字数超过了500字:1. Banic, Z., & Zrncic, M. (2013). Modern Java EE Design Patterns: Building Scalable Architecture for Sustainable Enterprise Development. Birmingham, UK: Packt Publishing Ltd. This book provides an in-depth exploration of Java EE design patterns for building scalable and sustainable enterprise applications using JavaWeb technologies.2. Sharma, S., & Sharma, R. K. (2017). Java Web Services: Up and Running. Sebastopol, CA: O'Reilly Media. This book provides a comprehensive guide to building Java Web services using industry-standard technologies like SOAP, REST, and XML-RPC.3. Liang, Y. D. (2017). Introduction to Java Programming: Brief Version, 11th Edition. Boston, MA: Pearson Education. This textbook introduces Java programming concepts and techniques, including JavaWeb development, in a concise and easy-to-understand manner. It covers topics such as servlets, JSP, and JavaServer Faces.4. Ambler, S. W. (2011). Agile Modeling: Effective Practices for Extreme Programming and the Unified Process. Hoboken, NJ: John Wiley & Sons. This book discusses agile modeling techniques for effective JavaWeb development, including iterative and incremental development, test-driven development, and refactoring.5. Bergeron, D. (2012). Java and XML For Dummies. Hoboken, NJ: John Wiley & Sons. This beginner-friendly book provides an introduction to using XML in JavaWeb development, covering topics such as XML parsing, JAXB, and XML Web services.6. Cadenhead, R. L., & Lemay, L. (2016). Sams Teach Yourself Java in 21 Days, 8th Edition. Indianapolis, IN: Sams Publishing. This book offers a step-by-step approach to learning Java, including JavaWeb development. It covers important topics such as servlets, JSP, and JavaServer Faces.7. Balderas, F., Johnson, S., & Wall, K. (2013). JavaServer Faces: Introduction by Example. San Francisco, CA: Apress. This book provides a practical introduction to JavaServer Faces (JSF), a web application framework for building JavaWeb user interfaces. It includes numerous examples and case studies.8. DeSanno, N., & Link, M. (2014). Beginning JavaWeb Development. New York, NY: Apress. This book serves as a comprehensive guide to JavaWeb development, covering topics such as servlets, JSP, JavaServer Faces, and JDBC.9. Murach, J. (2014). Murach's Java Servlets and JSP, 3rd Edition. Fresno, CA: Mike Murach & Associates. This book provides a deep dive into Java servlets and JSP, two core technologies for JavaWeb development. It includes practical examples and exercises.10. Horstmann, C. (2018). Core Java Volume II--AdvancedFeatures, 11th Edition. New York, NY: Prentice Hall. This book covers advanced topics in Java programming, including JavaWeb development using technologies such as servlets, JSP, JSTL, and JSF.These references cover a wide range of topics related to JavaWeb development, from introductory to advanced concepts. They provide valuable insights, examples, and practical guidance for developers interested in building web applications using Java technologies.。

论维护ＡＳＰ应用程序的安全性【摘要】正确配置安全设置，以保护您的ASP应用程序不被未授权的用户访问和篡改。

该文提供了多种维护ASP应用程序的方法。

【关键字】ASP 安全性 Web服务器ASP是位于服务器端的脚本运行环境，通过这种环境，用户可以创建和运行动态的交互式Web 服务器应用程序。

ASP使用的ActiveX技术基于开放设计环境，用户可以自己定义和制作组件加入其中，使自己的动态网页几乎具有无限的扩充能力。

ASP还可利用ADO方便快捷地访问数据库,从而使得开发基于WWW的应用系统成为可能。

但是，千万不要轻视正确配置安全设置的重要性。

如果不正确配置安全设置，不但会使您的ASP应用程序遭受不必要的篡改，而且会妨碍正当用户访问您的asp文件。

Web服务器提供了各种方法，保护您的ASP应用程序不被未授权的用户访问和篡改。

1 NTFS 权限您可以通过单独的文件和目录应用NTFS访问权限来保护ASP应用程序文件。

NTFS 权限是We b服务器安全性的基础，它定义了一个或一组用户访问文件和目录的不同级别。

当拥有Windo ws NT 有效帐号的用户试图访问一个有权限限制的文件时，计算机将检查文件的访问控制表。

该表定义了不同用户和用户组所被赋予的权限。

如果用户的帐号具有打开文件的权限，计算机则允许该用户访问文件。

2 维护Globalasa的安全为了充分保护 ASP 应用程序，一定要在应用程序的Globalasa文件上为适当的用户或用户组设置NTFS文件权限。

如果Globalasa包含向浏览器返回信息的命令而您没有保护Global asa文件，则信息将被返回给浏览器，即便应用程序的其他文件被保护。

而且，一定要对应用程序的文件应用统一的NTFS权限。

3 Web 服务器权限可以通过配置的Web服务器的权限来限制所有用户查看、运行和操作的ASP页的方式。

不同于 NTFS权限提供的控制特定用户对应用程序文件和目录的访问方式，Web服务器权限应用于所有用户，并且不区分用户帐号的类型。

Web应用中英文对照外文翻译文献(文档含英文原文和中文翻译)外文:A Comparative Study of Web Application Design ModelsUsing the Java TechnologiesAbstract.The Servlet technology has been the most widely used technology for building scalable Web applications. In the events, there are four design models for developing Web applications using the Java technologies: Model 1, Model2, Struts, and JavaServer Faces (JSF). Model 1 employs a series of JSP pages; Model 2 adopts the Model-View-Controller pattern; Struts is a framework employing the Model 2 design model; and JSF is a new technology that supports ready-to-use components for rapid Web application development. Model 1 is not recommended for medium-sized and large applications as it introduces maintenance nightmare. This paper compares and evaluates the ease of application development and theperformance of the three design models (Model 2, Struts, and JSF) by building three versions of an online store application using each of the three design models, respectively.1 IntroductionToday, Web applications are the most common applications for presenting dynamic contents. There are a number of technologies for building Web applications, the most popular of which is the Servlet technology . This technology gains its popularity from its superiority over other technologies such as CGI and PHP .Servlets are cumbersome to develop, however, because sending HTML tags requires the programmer to compose them into a String object and send this object to the browser. Also, a minor change to the output requires the servlet to be recompiled. To address this issue, Sun Microsystems invented JavaServer Pages (JSP) . JSP allows HTML tags to be intertwined with Java code and each page is translated into a servlet. A JSP page is a servlet. However, compilation occurs automatically when the page is first requested. As a result, changing the output does not need recompilation. In addition, JSP enables the separation of presentation from the business logic through the use of JavaBeans and custom tag libraries. The norm now in developing Javabased Web applications is to use servlets along with JavaServer Pages.In the later development, there are a number of design models for building servlet/JSP applications: Model 1, Model 2, Struts , and JSF . Model 1 and Model 2 were first mentioned in the early specifications of JSP. Model 1 strictly uses JSP pages, with no servlets, and Model 2 uses the combination of both servlets and JSP pages. The terms of Model 1 and Model 2 have been used ever since. Model 1 is suitable for prototypes and very small applications, and Model 2 is the recommended design model for medium sized and large applications.As Model 2 gained more acceptances in the industry, an open source initiative to build the Struts Framework was initiated. Struts perfects Model 2 by providing the controller part of the Model-View-Controller of Model 2. In addition, Struts provides better page navigation management and several custom tag libraries for more rapid development. Despite its steep learning curve and the fact that it wasnever defined in any specification, Struts has been gaining popularity as the alternative to Model 2.JavaServer Faces is built under the Java Community Process under JSR-127.Sun Microsystems proposed this technology in the hope that JSF will be the ultimate model for building Java Web applications. The most important feature of JSF is the availability of ready-to-use components such as extensible UI components, easy page navigation, input validators, data converters and JavaBeans management.The problem facing servlet/JSP programmers are to choose the most appropriate design model. Clearly, JSF provides a better solution in regard to development time. However, some people are not sanguine to adopt this technology for fear of performance penalty due to the overhead of the JSF implementation.We build three versions of an online store application named BuyDirect using Model 2, Struts and JSF. The parameters compared are the number of lines of code, the number of classes, and the performance measurement results. We investigate which of the design models allows the most rapid development process. We evaluate the performances of the applications built upon these models. We provide some suggestions to perfect the existing design models to make development more rapid.The rest of the paper is organised as follows. Section 2 discusses the issues in Web development. Section 3 explains how the three design models address these development issues. Section 4 provides the details of the hardware and software used in these experiments. Section 5 presents the experiment results and analysis. Section 6 reviews the related work. Section 7 concludes by offering some suggestions to improve the existing design models.2 Java Web Development IssuesAll Java Web development uses the Servlet technology as the underlying technology. As such, all Java Web applications have certain issues that need to be addressed:User Interface. The user interface is what the client browser renders as HTMLtags. Any server-side component used in the application must be encoded into the corresponding HTML elements. Besides for displaying the content and data, the user interface is also responsible in receiving input from the user.●Input Validation. User input needs to be validated. There are two types of inputvalidation, server-side and client-side. As the name implies, the server-side input validation is performed on the server after the input reaches the server.Client-side input validation is done on the browser, usually by using JavaScript or other scripting languages. The advantages of using client-side input validation are prompt response and reducing the server workload. The server-side input validation should always be performed regardless the presence of client-side validation because there is no guarantee the user browser's scripting feature is being on and malicious users can easily work around client-side validation.●Model Objects. Model objects in Java-based Web applications are in the formsof JavaBeans. Model objects make up the Model part of the MVC based design model. A model object can be used to bind a component value to be used at a later stage. In addition, it can encapsulate business logic required for processing.●Page Navigation. Almost all Web applications have multiple pages that the usercan navigate from one to another. All MVC-based design models use a servlet as the Controller part. This servlet also acts as the sole entry point to the application. Which page to be displayed after the current request is determined by the value of a specified request parameter. Managing page navigation is critically important.3 Web Application Design ModelsThe Model 2 design model is based on the Model-View-Controller (MVC) design pattern. As explained by Burbeck , there are three main modules in MVC, the Controller, the View, and the Model. The Controller acts as the central entry point to the application. All user interactions go through this controller. The View contains the presentation part of the application, and the Model stores data or encapsulates business logic of the application. In the later development, the StrutsFramework provides a common framework to easily build Model 2 applications. Then, the last initiative is the JavaServer Faces, which also employs the MVC design pattern.In the following sections, we discuss these three design models and explain how each design model addresses the development issues specified in the previous section.3.1 Model 2A Java Web application that is based on the Model 2 design model has one servlet(called the Controller servlet) that serves as the Controller part. All requests are first handled by this servlet, which immediately dispatches the requests to the appropriate views using RequestDispatcher objects. Views in the Model 2 design model are represented by JSP pages. To store data, a Model 2 application uses JavaBeans, which are the Model part of the application. In addition to storing data, the JavaBeans also encapsulate business logic. Each HTTP request carries an action parameter that indicates which view to dispatch this request to. The programmer must code the HTML tags for user interface in all JSP pages in the application and write input validation code. In addition, the model objects are managed by individual JSP pages.3.2 StrutsThe Struts Framework is an improvement of the Model 2 design model. It provides a default Controller servlet so that the user does not have to write and compile one. Struts alleviates the task of page navigation by allowing navigation rules to be present in its application configuration file (an XML document). Changes to the navigation rules do not require recompilation of a Java servlet class. In addition to easier page navigation, Struts provides custom tag libraries that define tags representing HTML elements. One of these tags is used for error handling and Struts is therefore capable of displaying localized error messages in support for internationalization. Struts applications use JavaBeans as their models, just like the Model 2 design model. In addition, Struts programmers have to write their own input validation code.3.3 JSFJSF also employs a controller servlet that is called FacesServlet. This servlet is the only entry point to a JSF application. JSF also uses JSP pages as its views and JavaBeans as its model objects. Unlike Model 2 and Struts, however, JSF provides ready-to-use user interface components that can be written on JSP pages. Upon an invocation of a page of a JSF application, the FacesServlet constructs a component tree that represents the JSP page being requested. Some of the components can also trigger events, making JSF event-driven. For page navigation, JSF uses an approach similar to Struts, i.e., by allowing navigation rules to be defined in an application configuration file (again, an XML document).What distinguishes a JSF application from non-JSF servlet/JSP application is that JSF applications are event-driven. The user interface of a JSF application is one or many JSP pages that host Web components such as forms and input boxes. These components are represented by JSF custom tags and can hold data. A component can be nested inside another, and it is possible to draw a tree of components. Just as in normal servlet/JSP applications, you use JavaBeans to store the data the user entered.4 Function EnvironmentThe software and hardware details for our experiments are described below.4.1 The Servlet ContainerA Java Web application runs in a servlet container, which is the engine that processes the incoming HTTP requests for the resources in the application. For this research project, we use Tomcat, an open source servlet container from the Apache Software Foundation. The version we use is 6.0.Basically, a servlet container processes a servlet by performing the following tasks:- Creating the HttpRequest Object- Creating the HttpResponse Object- Calling the service method of the Servlet interface, passing the HttpRequest and HttpResponse objects.4.2 Testing ClientsFor performance testing, we emulate multiple users using JMeter 1.9 , also from the Apache Software Foundation. JMeter allows the user to choose the number of threads to perform testing. Each thread emulates a different user. JMeter also lets us choose how many times a test will be done. To test a Web application using JMeter, you direct requests to certain IP address, context path, and port number. You can also specify request parameters to be included in each HTTP request. As the output, JMeter notifies the response time of the server in milliseconds for a test. From the response time, we derive the number of hits/seconds the server is capable of serving.4.3 HardwareWe use different computers for running the applications and for testing, so as to obtain maximum performance measurement accuracy. The computer running the application is a XP machine having the following hardware specifications: Intel Core 1GHz CPU with 1G RAM. The computer running the testing clients is a Windows 2000 machine running JMeter. The computer has the following specifications: Intel Core 1GHz CPU with 1G RAM.5 ResultsWe obtain experimental results in two categories: the ease of development and performance. The ease of development category compares the number of classes and the number of lines of code. These numbers indicate how easy it is to develop an application by following a certain design model. An application with the fewer number of classes or the number of lines of code indicates that the application is relatively easier to build. The application with the more number of classes indicates that the application takes more time to develop.The performance measurement results are obtained by comparing two operations. The Search operation is the most common operation in such an application,and the Browse operation.5.1 Ease of Application DevelopmentAs Table 1 shows, it takes the most effort to implement the Model 2 design model. Using Struts alleviates the problem a bit, and the best saving in the development comes if one uses JSF.Table 1. The number of classes and the number of lines for the applications under studyThe Model 2 design model is characterised by the presence of a Controller servlet and a number of JavaBeans classes (as the Model) and JSP pages (as the Views). The Controller servlet is responsible for page navigation rules that employ a series of if statements. Model 2 application programmers must also code for the input validation that in this research is implemented inside a number of custom tag libraries. The other classes in the Model 2 design model are custom tag library and the tag library descriptors responsible for input validation and data display. In fact, input validation takes 590 lines of code, or almost 30% of the total amount of code.In the Struts application, the Controller servlet is provided by the framework, therefore a Struts programmer saves time for not having to write one. However, he/she still needs to write page navigation rules in the Application Configuration file, which is easier than writing a servlet because the Application Configuration file can be edited using a text editor and no compilation is necessary. Input validation must still be done manually, even though the Struts Framework provides an error handling mechanism. The number of classes and the number of lines of code for input validation are almost similar to the Model 2 application. In Struts, the other classes are Action classes to which the default Controller servlet dispatches requests.In JSF input validation comes free through the availability of validatorcomponent. As a result, a JSF application developer can skip this task. In addition, page navigation takes the same course as Struts, i.e. by utilising an Application Configuration file. The other classes in JSF are a ContextListener, an ActionListener, and a Database utility class.5.2 Performance MeasurementFor each operation, we measure the server response time (in milliseconds) for 1 to 10 concurrent users. The number of users is specified by setting the number of threads in Jmeter. Each test is conducted 10 times and the average is taken. Each operation is discussed further is the following sub-sections.5.2.1 Search OperationThe Search operation whose name or description matches the keyword. There is one SQL SELECT statement performed. Figure 2 compares the three versions of applications for the Search operation.Fig. 2. The performance comparison for the Search operation For the Model 2 application, the average server response time for one user is 173 ms and for 10 users is 919 ms. For the Struts application, these numbers are 189 ms and 900 ms, respectively. For the application built using JSF, the average server response time is 210 ms for one user and 932 ms for 10 users. The increase of the response time is proportional to the increase of the number of concurrent users, which means that the server is still able to cope with the load.The Model 2 application has the least overhead, therefore the averageperformance should be better than the Struts and JSF applications. However, the Struts application performs as well as the Model 2 application. This is because the server has enough memory to load all Struts libraries required to run Struts. Also, note that page navigation rules in Struts are loaded and stored in an object called ActionMapping. Therefore, given an action request parameter, the next page of navigation is obtained through a look-up. On the other hand, the Model 2 application uses a series of if statements to find the next page of navigation, given the action request parameter.The JSF application performs slightly worse than the other applications in almost all numbers of concurrent users. This could be due to the time taken by the JSF implementation to construct a component tree for each page requested. However, the difference in server response time between JSF and other applications is not that significant.5.2.2 Browse OperationThe Browse operation,like the Search operation, there is one SQL SELECT statement performed. Figure 3 gives the test results for this operation.Fig. 3. The performance comparison for the Browse operation On average, the Model 2 application performs the best because it has the least overhead. The average server response time is 111 ms for one user and 899 ms for 10 users. The Struts application has comparable performance, with one user average server response time of 180 ms and 10 user response time of 920 ms. The JSF lacks a bit behind the two applications with these numbers being 190 and 1009ms respectively. The increase of the server response time is proportional to the increase of the number of concurrent users, which means the server is able to serve those users well. The average performance measurement results of the Browse operation are very similar to the ones for the Search operation because the database operations of both operations are also similar.6 Related WorkCompare the performance of database-based Web applications using Java servlets, PHP version 3, and Common Gateway Interface (CGI). After a series of benchmark tests that performs data retrieval from a MySQL database, find that the solution of Java servlets with persistent database connection has the best performance. PHP3 using persistent database connections performs fairly well when compared to the CGI solution,also mention the advantages of using Java servlets. According to these authors. Java servlets are an excellent choice to meet the requirement of e-commerce (such as online shopping) applications and are able to handle client requests in a highly interactive mode.Comparing PHP 4, Java servlets, and Enterprise JavaBeans. Measure the performance of these three architectures using two applications. Study reveals that PHP4 is more efficient than Java servlets, and the EJBs perform even worse than servlets. However, note that servlets, being part of the Java solution, provides the flexibility of being able to be ported to another system with a different operating system.7 ConclusionWe find that it is most rapid to build Web applications using JSF. Model 2 applications are the least rapid but give the best performance. Struts applications sit in the middle of the other two design models in both comparisons.We make some suggestions that could improve the Servlets technology in general and enhance the performance of applications based on both design models. Struts. Struts is not based on any specification and there is no documentation that discusses its internal working. Therefore, it is hard to know what have been implemented and what could be improved.●The Servlets Technology. The Servlet 2.3 Specification does not define anycaching mechanism. There is no mention of caching in the upcoming Servlet2.4 Specification either. Despite the dynamic nature of the content of a Webapplication, some contents do not change very often. For example, the categories of products that a user can browse in an online store application probably only change once in a month. If those semi-static contents must be generated from the database every time they are requested, a lot of programming resources will be wasted. Servlet programmers get around the absence of caching by writing an object that caches certain content. However, since there is no standard for caching, many programmers write the same piece of code again and again.●Model 2.The main drawback is that the page navigation rules are hard-coded inthe Controller servlet. This means any minor change to the program flow will require the Controller servlet to be re-compiled. The solution to this problem is to provide a mapper that reads the page navigation rules when the application starts. The code could be conveniently written in the init method of the Controller servlet. This method is only executed once, i.e. the first time the servlet is loaded into memory. If the properties file needs to be re-read every time it changes, the programmer can check the timestamp of the properties file for each request, and compares it with the previous read of this file. If the timestamp is more current than the previous read, the mapper can be re-constructed. This feature can be enabled and disabled by using an initial parameter in the Context object. At the development phase, this feature should be enabled. At deployment, this feature should be off. The use of the properties file to store the page navigation rules also makes it possible to avoid a series of if statements in the Controller Servlet, which can be time-consuming for every request. Instead, a HashMap can be used, with action request parameters as keys and the next JSP pages as values. The other disadvantage of this design model is the absence of standard components for input validation and user interface. However, this has been solved in JSF.●JSF. JSF provides solutions to common problems in Web development, such aspage navigation management, UI components and input validators. However, because this technology is still very young, there are not too many UIcomponents available, forcing programmers to combine JSF with non-JSF servlets/JSP pages. JSF is event-driven. JSF programmers determine the behavior of a JSF application by writing event listeners, just like those listeners in a Swing application. In JSF version 1.0, there are currently two types of events that can be triggered: ActionEvent and ValueChangedEvent. However, this is good enough to provide sufficient level of interactivity between the application and its users. Adding more types of events will definitely make JSF more appealing.References［1］．Cecchet, E., Chanda A., Elnikety S., Marguerite J., Zwaenepoel W.: Performance Comparison of Middleware Architectures for Generating Dynamic Web Content. Proceeding of the 4th International Middelware Conference, 2003.［2］．Cecchet, E., Marguerite, J., and Zwaenepoel, W.: Performance and Scalability of EJB Applications. Proceedings of OOPSLA’02, 2002.［3］．Wu, A., Wang, H., and Wilkins, D.: Performance Comparison of Alternative Solutions for Web-To-Database Applications. Proceedings of the Southern Conference on Computing, the University of Southern Mississippi, 2000.基于Java技术的Web应用设计模型的比较研究摘要Servlet技术在建立可扩展性Web应用中是被应用最广泛的技术。

外文翻译--MySQL和JSP的Web应用程序MySQL和JSP的Web应用程序是为解决Web开发人员在构建数据驱动的应用程序时所遇到的需要强大的数据库连接的特殊问题而设计的。

该书基于JavaServer页面的发展模式，提供了JSP数据库开发、JDBC和数据库模式所需的核心技术概述。

此外，该书还提出了互联网商业应用演示的概念，如接收和处理用户输入、设计和实施业务规则，并平衡服务器上的用户负载。

JSP是一种高度面向对象的网站开发技术，可以利用现代软件工程最佳实践，如SQL数据库和基于UML设计。

然而，并不是说使用JSP就能自动将您的网站打造成工程艺术的典范。

因此，在项目得到压力时，需要合并最佳实践以避免方便的陷阱。

JSP是一个沿路径循序渐进的步骤，从第一个静态Web服务器开始，通过CGI移动功能的服务器，最终发展成为脚本功能的服务器的第一代。

JSP是一个Web服务器，比Java引擎少了一个Java组件，能够熟悉网页。

在MySQL和JSP的Web应用程序中，读者可以研究到如何使用JDBC与大多数商业数据库进行沟通，并通过开源工具MySQL和Tomcat的解决方案，以经济实惠的方式测试书中的例子的应用程序和试验。

JSP是由Java Servlet演变而来的。

Servlet允许开发人员处理传入的所有正常信息，并将Web请求发送到一个共同的网关接口（CGI）程序。

此外，Servlet可以访问会话持久对象，这是Java的一个与特定用户会话相关的对象，可用于存储请求之间的状态。

Servlet编程是使用面向对象语言编写结构良好、模块化的Web应用程序的重要一步。

它还解决了状态持久性的问题，使更多的信息驻留在服务器上，减少了用户和服务器之间的反复传递。

然而，Servlet也存在一个问题。

由于它们最终需要输出HTML，HTML编码必须嵌入在Servlet代码中，这导致代码难以阅读和维护。

例如：Out.println("\n\nXXX\n");Out.println("");这种嵌入式编码很古老也很快，但当你编写许多网页时，它会变得非常混乱。

ASP外文翻译+原文ENGLISHE：Develop Web application program using ASP the architecture that must first establish Web application. Now in application frequently with to have two: The architecture of C/S and the architecture of B/S.Client/server and customer end / server hold the architecture of C/S.The customer / server structure of two floor.Customer / server ( Client/Server ) model is a kind of good software architecture, it is the one of best application pattern of network. From technology, see that it is a logic concept, denote will a application many tasks of decomposing difference carry out , common completion is entire to apply the function of task. On each network main computer of web site, resource ( hardware, software and data ) divide into step, is not balanced, under customer / server structure, without the client computer of resource through sending request to the server that has resource , get resource request, so meet the resource distribution in network not balancedness. With this kind of structure, can synthesize various computers to cooperate with work, let it each can, realize the scale for the system of computer optimization ( Rightsizing ) with scale reduce to melt ( Downsizing ). Picture is as follows:It is most of to divide into computer network application into two, in which the resource and function that part supports many users to share , it is realized by server; Another part faces every user , is realized by client computer, also namely, client computer is usual to carry out proscenium function , realizes man-machine interaction through user interface , or is the application program of specific conducted user. And server usually carries out the function of backstage supporter , manages the outside request concerning seting up, accepting and replying user that shared. For a computer, it can have double function , is being certain and momentary to carve to act as server , and again becomes client computer in another time.Customer / server type computer divide into two kinds, one side who offers service is called as server , asks one side of service to be called as customer. To be able to offer service, server one side must have certain hardware and corresponding server software; Also, customer one side mustalso have certain hardware and corresponding customer software.There must be a agreement between server and customer, both sides communicate according to this agreement.Apply customer / server model in Internet service , the relation between customer and server is not immutable. Some Internet node offers service on the one hand , also gets service on the other hand from other node; It is even in one time dialogue course, mutual role also exchanges probably. As in carry out file transmission , if be called as one side who offers file server, is called as one side who gets file customer, when using get or mget order since another node takes file, can think that what self use and it is client computer , is using put or mput order to another node dispatch file can again think the machine that used self is server.Multilayer customer / server structureAlong with the development of enterprise application, recently, have again arisen a kind of new multilayer architecture, it applies customer end to divide into two minutes: Customer application and server apply. Customer application is the part of original customer application , is another and partial to have been transfered to server to apply. New customer application takes the responsibility for user interface and simple regular business logic and new server application resident core , changeable business logic. Therefore its structure has become new ( Client application + Server application )/Server structure. Following picture shows:This kind of structure has solved traditional Client/Server can expand problem, have reduced customer end business logic , and have reduced the requirement of customer end for hardware. At the same time because of a lot of business logic concentrations have gone to unitary application server on, the maintenance work of application system had been also concentrated together, have eliminated the problem in the traditional structure of Client/Server that software distributes. This kind of structure is called as the architecture of B/S.Browser/Server and browser / server hold the architecture of B/S. Onessence, Browser/Server is also a kind of structure of Client/Server, it is a kind of from the traditional two levels of structural development of Client/Server come to the three-layer structural special case of Client/Server that applied on Web.In the system of Browser/Server, user can pass through browser to a lot of servers that spread on network to send request. The structure of Browser/Server is maximum to have simplified the work of client computer, on client computer, need to install and deploy few customer end software only , server will bear more work, for database visit and apply program carry out will in server finish.Under the three-layer architecture of Browser/Server, express layer ( Presentatioon ) , function layer ( Business Logic ) , data layer ( Data Service ) have been cut the unit of 3 relative independences: It is the first layer of to express layer: Web browser.In expressing layer contain system show logic, locate in customer end. It's task is to suggest by Web browser to the certain a Web server on network that service is asked , after verifying for user identity, Web server delivers needed homepage with HTTP agreement to customer end, client computer accept the homepage file that passed , and show it in Web browser on.Second layer function layer: Have the Web server of the application function of program extension.In function layer contain the systematic handling of general affairs logic, locate in Web server end. It's task is the request concerning accepting user , need to be first conducted and corresponding to expand application program and database to carry out connection , passes through the waies such as SQL to database server to put forward data handling to apply for, then etc. database server the result of handling data submit to Web server, deliver again by Web server to return customer end.The number of plies of 3th according to layer: Database server.In data layer contain systematic data handling logic, locate in database server end. It's task is to accept the request that Web server controls for database, realization is inquired and modified for database , update etc. function, submit operation result to Web server.Careful analysis is been easy to see , the architecture of Browser/Server of three-layer is the handling of general affairs of the two levels of structure of Client/Server logic modular from the task of client computer in split , from the first floor of individual composition bear the pressure of its task and such client computer have alleviated greatly, distribute load balancedly and have given Web server, so from the structural change of Client/server of original two floor the structure of Browser/Server of three-layer. This kind of three-layer architecture following picture shows.This kind of structure not only client computer from heavy burden andthe requirement of performance that rises continuously for it in liberation come out , also defend technology people from heavy maintenance upgrading work in free oneself. Since client computer handles general affairs , logic partial minutes have given function server, make client computer right off " slender " a lot of, do not take the responsibility for handling complex calculation and data again visit etc. crucial general affairs, is responsible to show part, so, maintenance people do not rush about again for the maintenance work of program between every client computer, and put major energy in the program on function server update work. Between this kind of three-layer structural layer and layer, the mutually independent change of any first floor does not affect the function of other layer. It has changed the defect of the two levels of architecture of Client/Server of tradition from foundation, it is the transform with deep once in application systematic architecture.The contrast of two architecturesThe architecture of Browser/Server and the architecture ofClient/Server compare with all advantages that not only have the architecture of Client/Server and also have the architecture ofClinet/Server the unique advantage that place does not have: Open standard: The standard adopted by Client/Server only in department unification for but, it's application is often for special purpose.It is lower to develop and defend cost: It need to be implemented on all client computers that the application of Client/Server must develop the customer end software for special purpose, no matter installation and disposition escalate still, have wasted manpower and material resources maximumly. The application of Browser/Server need in customer end have general browser , defend and escalate to work in server end go on , need not carry out any change as customer holds , have reduced the cost of development and maintenance so greatly.It is simple to use , interface friendly: The interface of the user of Client/Server is decided by customer end software, interface and the method of its use are not identical each, per popularize a system of Client/Server ask user study from the beginning, is hard to use. The interface of the user of Browser/Server is unified on browser, browser is easy to use , interface friendly, must not study use again other software, the use of a Lao Yong Yi that has solved user problem.Customer end detumescence: The customer end of Client/Server has the function that shows and handles data , as the requirement of customer end is a client computer " it is fat " very high. The customer of Browser/Server holds the access that not takes the responsibility for database again and the etc. task of complex data calculation, need it only show , the powerful role that has played server fully is so large to have reduced the requirement for customer end, customer end become very " thin ".。

Web 应用程序安全外文文献翻译(含：英文原文及中文译文)英文原文Basic Security Practices for Web ApplicationsEven if you have limited experience with and knowledge of application security, there are basic measures that you should take to help protect your Web applications. The following sections in this topic provide minimum-security guidelines that apply to all Web applications. General Web Application Security Recommendations; Run Applications with Minimum Privileges; Know Y our Users; Guard against Malicious User Input; Access Databases Securely; Create Safe Error Messages; Keep Sensitive Information Safely; Use Cookies Securely; Guard Against Denial-of-Service Threats.1. General Web Application Security RecommendationsEven the most elaborate application security can fail if a malicious user can use simple ways to gain access to your computers. General Web application security recommendations include the following: Back up data often and keep your backups physically secure. Keep your Web server physically secure so that unauthorized users cannot gain access to it, turn it off, and physically steal it, and so on. Use the Windows NTFS file system, not FA T32. NTFS offers substantially more security thanFA T32. Protect the Web server and all of the computers on the same network with strong passwords. Follow best practices for securing Internet Information Services (IIS). Close any unused ports and turn off unused services. Run a virus checker that monitors site traffic. Use a firewall. Learn about and install the latest security updates from Microsoft and other vendors. Use Windows event logging and examine the logs frequently for suspicious activity. This includes repeated attempts to log on to your system and excessive requests against your Web server.2. Run Applications with Minimum PrivilegesWhen your application runs, it runs within a context that has specific privileges on the local computer and potentially on remote computers. For information about configuring application identity, see Configuring Process Identity. To run with the minimum number of privileges needed, follow these guidelines: Do not run your application with the identity of a system user (administrator).Run the application in the context of a user with the minimum practical privileges. Set permissions (ACL’s, or Access Control Lists) on all the resources required for your application. Use the most restrictive setting. For example, if practical in your application, set files to be read-only. For a list of the minimum ACL permissions required for the identity of your application, see Required Access Control Lists (ACL’s).Keep files for your Web application in a folder below theapplication root. Do not allow users the option of specifying a path for any file access in your application. This helps prevent users from getting access to the root of your server.3. Know Y our UsersIn many applications, it is possible for users to access the site without having to provide credentials. If so, your application accesses resources by running in the context of a predefined user. By default, this context is the local ASPNET user (Windows 2000 or Windows XP) or NETWORK SERVICE user (Windows Server 2003) on the Web server. To restrict access to users who are authenticated, follow these guidelines: If your application is an intranet application, configure it to use Windows Integrated security. This way, the user's login credentials can be used to access resources. If you need to gather credentials from the user, use one of the authentication strategies. For an example, see the Forms Authentication Overview.4. Guard against Malicious User InputAs a general rule, never assume that input you get from users is safe. It is easy for malicious users to send potentially dangerous information from the client to your application. To help guard against malicious input, follow these guidelines: In forms, filter user input to check for HTML tags, which might contain script. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding toStrings. Never echo (display) unfiltered user input. Before displaying entrusted information, encode HTML to turn potentially harmful script into display strings. Similarly, never store unfiltered user input in a database. If you want to accept some HTML from a user, filter it manually. In your filter, explicitly define what you will accept. Do not create a filter that tries to filter out malicious input; it is very difficult to anticipate all possible malicious input. Do not assume that information you get from the header (usually via the Request object) is safe. Use safeguards for query strings, cookies, and so on. Be aware that information that the browser reports to the server (user agent information) can be spoofed, in case that is important in your application. If possible, do not store sensitive information in a place that is accessible from the browser, such as hidden fields or cookies.5. Access Databases SecurelyDatabases typically have their own security. An important aspect Web application security is designing a way for the application to access the database securely. Follow these guidelines: Use the inherent security of your database to limit who can access database resources. The exact strategy depends on your database and your application:If practical in your application, use Windows Integrated security so that only Windows-authenticated users can access the database. Integrated security is more secure than using SQL Server standard security. If yourapplication uses anonymous access, create a single user with very limited permissions, and perform queries by connecting as this user. Do not create SQL statements by concatenating strings that involve user input. Instead, create a parameterized query and use user input to set parameter values. If you must store a user name and password somewhere to use as the database login credential, store them securely. If practical, encrypt or hash them. For details, see Encrypting and Decrypting Data.6. Create Safe Error MessagesIf you are not careful, a malicious user can deduce important information about your application from the error messages it displays. Follow these guidelines: Do not write error messages that echo information that might be useful to malicious users, such as a user name. Configure the application not to show detailed errors to users. If you want to display detailed error messages for debugging, check first that the user is local to the Web server. For details, see How to: Display Safe Error Messages. Use the custom Errors configuration element to control who can view exceptions from the server. Create custom error handling for situations that are prone to error, such as database access.7. Keep Sensitive Information SafelySensitive information is any information that you need to keep private. A typical piece of sensitive information is a password or an encryption key. If a malicious user can get to the sensitive information,then the data protected by the secret is compromised. Follow these guidelines: If your application transmits sensitive information between the browser and the server, consider using Secure Sockets Layer (SSL). Use Protected Configuration to secure sensitive information in configuration files such as the Web. config or Machine. config files. For more information, see Encrypting Configuration Information Using Protected Configuration. If you must store sensitive information, do not keep it in a Web page, even in a form that you think people will not be able to view (such as in server code).Use the strong encryption algorithms supplied in the System Security Cryptography namespace.8 . Use Cookies SecurelyCookies are an easy and useful way to keep user-specific information available. However, because cookies are sent to the browser's computer, they are vulnerable to spoofing or other malicious use. Follow these guidelines: Do not store any critical information in cookies. For example, do not store a user's password in a cookie, even temporarily. As a rule, do not store any sensitive information in a cookie that. Instead, keep a reference in the cookie to a location on the server where the information is located. Set expiration dates on cookies to the shortest practical time you can. Avoid permanent cookies if possible. Consider encrypting information in cookies. Consider setting the Secure and Http Only properties on your cookies to true.9. Guard against Denial-of-Service ThreatsAn indirect way that a malicious user can compromise your application is by making it unavailable. The malicious user can keep the application too busy to service other users, or if nothing else can simply crash the application. Follow these guidelines: Close or release any resource you use. For example, always close data connections and data readers, and always close files when you are done using them. Use error handling (for example, try/catch blocks). Include a finally block in which you release resources in case of failure. Configure IIS to use throttling, which prevents an application from using a disproportionate amount of CPU. Test size limits of user input before using or storing it. Put size safeguards on database queries to help guard against large queries using up system resources. Y ou can also use the Request Length Disk Threshold property in to reduce the memory overhead of large uploads and form posts.中文译文Web 应用程序的基本安全做法即使您对应用程序安全性的体验和了解非常有限, 也应采取一些基本措施来保护您的Web 应用程序。

中英文资料外文翻译文献Moving from Classic ASP to ABSTRACT is Microsoft new offering for Web application development, innovation within have resulted in significant industry popularity for this product. Consequently there is an increased need for education. The Web Application Development is a third year undergraduate course. To meet the demands of both industry and students, we have changed the focus of this course from Classic ASP to . This paper reports this move. The significant features of and the motivations for this move are discussed. The process, the problems encountered, and some helpful online learning resources are described.Key wordsWeb Application Development, Classic ASP, , Move, 1. INTRODUCTION is not just a new version of ASP. It provides innovation for moving Windows applications to Web applications. Web services and the .NET framework have made the vision of the Web as the next generation computing platform a reality. With server controls, Web forms and “code-behind”, we can develop a Web application by using a complete object-oriented programming (OOP) model. This increases the popularity of in industry. The industry project is the final course of the Bachelor of Computing Systems (BCS) degree at UNITEC, in which students undertake a real-world project. We have observed a rapid growth of related industry projects in our school.The Web Application Development (WAD) paper is a third year undergraduate course. It was originally offered using ASP 2.0 and ColdFusion. To meet the demands from both industry and students, we have changed the course content to cover , Visual () and ColdFusion. This change commencedwith the first semester of 2003.This paper will examine the features of and explain why these are unique. The motivations for moving to are discussed by analyzing the current situation of related to industry projects in our school, analyzing the results of short surveys on students, and analyzing whether is a better tool for teaching. Problems encountered during the move are also discussed and some of the learning resources are presented. It is anticipated that these will be helpful for teachers who intend to introduce .2. WHAT MAKES SPECIAL?There are many articles on the Internet discussing the advantages of over Classic Active Server Pages (ASP), such as that introduces an integrated development environment (IDE), a single development library for all types of applications, compiled as well as strongly typed code, and a true OO approach to Web application development (Goodyear, 2002, Bloom, 2002).Traditionally, we have three versions of ASP (ASP 1.0, ASP 2.0 and ASP 3.0), which are called Classic ASP. Although each version provides certain new features to overcome the shortcomings of its predecessors, these versions of ASP follow the same working model and share many limitations. Their successor supports complete new working model while preserving the traditional working model and provides innovative techniques to overcome the limitations of Classic ASP.2.1. Architecture enhances and extends the Windows DNA (Windows Distributed interNet Application). The windows DNA specification is a methodology for building n-tier applications using Microsoft (DCOM/COM) technologies. Breaking applications into functional pieces and deploying these across a network is a strategy to make better use of organizational resources. This needs a well-planned architecture. In the past, usually it was the windows DNA. DCOM communication normally has problems with firewalls and proxy servers. This means Windows DNA usually onlyworks well within an intranet, not on the Internet. DCOM/ COM also need registry entries. makes the process of creating and integrating Web Services easier, which can be used in a similar manner to the Windows DNA. Here DCOM/COM is no longer involved. HTTP (as channels), SOAP (as formatters) and XML are used for communication and data-transfer between distributed components. This overcomes the problem of communicating across the Internet and across corporate firewalls without resorting to proprietary solutions that require additional communications ports to be opened to external access. In addition, URI (uniform resource identifier) and UDDI (Universal Description Discovery and Integration) are used for remote components references instead of registry entries.2.2. Development integrates seamlessly with IDE. includes built-in support for creating and modifying content. This unifies the ASP/VB programming models for the developers. Instead of opening multiple IDEs (as with Classic ASP platform), developers can open a single IDE and do all their work from a clean, consistent interface. is equipped with powerful debugging environment. This means that the powerful debugger for Windows applications is now available to debug Web applications as well. enables programmers to take advantage of the OOP model, for example, code sharing. Under OOP model, one of the most common ways to achieve code sharing is inheritance, which is not available in Classic ASP. Since complete OO features are supported in , developers can transfer their OO design smoothly into code, enabling a software company to keep their Windows application development styles, with which they are familiar, in Web application development; and also they can convert their Windows applications into Web applications without major modifications.’s improved state maintenance features enable us to provide users with Web applications that are richer and faster than Classis ASP (Olges,2002). supports advanced session state management. There are two major problems with session management in Classic ASP: session objects are stored in the Web server memory and session IDs are stored on the client computers as cookies. These prevent session management from being efficiently implemented. solves these problems in two ways: it provides a “cookieless” option for session objects so that a session ID can be passed via URL; it provides three different session modes (inprocess, state server, and SQL Server), so that a session object can either be stored on the Web server, a remote server or a database.3. THE MOTIVATIONS FOR MOVING3.1. The industry motivationI’ve checked almost all the industry projects in our school for three semesters on whether they are WAD related, if yes, then what tools they have used. Table 1 shows a brief summary of the results.For these three semesters, the total ASP/ projects are increasing, but slowly. However the Classic ASP projects are dropping quickly and the projects are increasing rapidly (in the speed of more than 12% per semester). This gives us an idea that is preferred over Classic ASP in industry especially given that is only officially first released in 2002. Our student’s feedbacks from their industry communication confirm this view. A huge number of articles on the Internet also support this view. This encourages us to drop Classic ASP and move to in our WAD course. Higher education has over years recognized that it is a service industry and has to revaluate their approach in the industry by placing greater emphasis on meeting the expectations and needs of their stakeholders (Nair, 2002). 3.2. The student motivationThe students demand . When students enroll in our WAD course, most of them are aiming to become a professional software developer. As a matter of fact, some of them already are software developers, or they were software developers and are seeking to return to the workplace. Techniques highly demanded in workplace are of great interest to them.A short survey has been given to past students and current students respectively. For the past students, among the 11 responses, 100% students still want to learn ; and if they are given choice, 82% students prefer to learn rather than Classic ASP, 18% students like to learn both. These answers are also supported by comments, such as “I would prefer to know the technology that the industry requires me to work with”, “I would like to work in future as a WAD professional andI think would be usefu l in this field.” For the current students, among the16 responses, 75% students prefer to learn rather than Classic ASP. However, 25% students answered no idea. This could be due to that they lack of knowledge of Classic ASP. This survey is done after 6 weeks of teaching.3.3. The pedagogical motivationPedagogically speaking, a good tool for industry is not necessarily a good tool for teaching. Is a better tool for teaching than Classic ASP? provides much richer language features than Classic ASP. We often have options to perform certain tasks. A key benefit of is that there exists a more gradual transition in programming models from simple to powerful, or from easy to difficult. Although supports OOP model, you don’t have to program by using that model. A Web form without “code-behind” will work perfectly. An web page in complete Classic ASP model will still work. Although is integrated with , we are not limited to use . A notepad and a FTP client with a pre-created Web application directory also allow us to develop a reasonably large application. With , we can either develop a large distributed application with numbers of Web services and consumers, or develop a single simple Web application. Therefore, provides sufficient room for us to organize course materials at a suitable level for the students. The challenge for a lecturer is how to settle in at the right balance of power vs. simplicity, or at the right balance of difficulty vs. ease. offers a more conventional approach to programming than does Classic ASP. It possesses all the features of a modern programming language. The Classic ASP programming style favors developers coming from HTML coding background, whereas is more suited to professional software developers. Given our entire WAD students have taken C/Delphi programming courses, and our aim is to output software professionals, is a better teaching tool for us. enhances the programming concepts the students learned from the previous courses and provides a good bridge to Advanced Distributed Computing and Advanced Object- Oriented Programming.4. THE PROCESSOur first step was to learn . After reading books and online tutorials, the next step is practical. We set an implementation server on the laptop in a stand-alone environment. The .NET Framework requires IIS 5 and the above; Windows 2000 or Windows XP professional will work with .NET. However, Windows XP home edition or Windows 98 won’t work. On the client side, we can either use or WebMatrix. Among these, only costs money. The .NET Framework is included inside the package. We also can download the .NET Frameworkfrom the Internet. After the .NET Framework is installed, the QuickStart Tutorial is set up. It is also found on the Internet. This tutorial is a good starting point for experienced developers. It is claimed that the readers “should be fluent in HTML and general Web development term inology. …… should be familiar with the concepts behind interactive Web pages, including forms, scripts, and data access.” More complicated examples can be found from Microsoft .NET Framework SDK Documentation or Microsoft Visual Studio .NET Documentation.The second step was to test the teaching environment. A teaching server was set up for the Intranet on campus. It is configured for the client computers in the teaching lab. is installed on the client computers. provides two ways to access the Web server: FrontPage server extensions and File share. The FrontPage server extension is used on our teaching server. Programming testing has been done on all the major aspects of WAD. Except a few special ones, most of the problems occurred during the testing were minor problems which, after the communication with our Web technician, were resolved.Teaching materials have been updated. The major changes have been made on the data interaction, form and controls, application/session management, and error handling. Given that has made XML very practical and the using of Web service much easier. A lecture on XML and Web service has been added. As a result, ColdFusion lectures are reduced. The assessment has been adjusted accordingly. 5. THE PROBLEMSWe have to admit that with is a much more complicated client server environment than the Classic ASP environment. This complexity comes from the configuration system and the integration between the client computers and the Web server.On server, each level of the application directory can have a configuration file. All these configuration files are optional except Machine.config. A developer has full control over those optional configuration files. Developers become more involved with the server settings via these files. One problem that happened to several students and myself on our home servers is the permission problem. We found our applications didn’t have permission to write to database/XML files. Microsoft (2003) provides three solutions to this problem. The simplest one is to change the Machine.config file and set the username attribute to SYSTEM in the <processModel> section.We observed that behave differently in a stand-alone environment, asingle user client server environment, and a multiple user client server environment. A few problems don’t occur in the first two environments occur frequently in the last environment. The major one is when we try to create a new project or open an existing project, we often get an error message, “The user name or password you entered is incorrect, or you do not have authorization to permit this operation”, even if our user name and password are perfectly correct. This problem seems to be caused by FrontPage server extensions. Regularly cleaning VSWebCache partially solved the problem. This approach is confirmed by Kiely (2003).Another problem is a debug problem. When we try to use Debug|Start or Debug|Start Without Debugging in the multiple user client server environment within , we often get error messages. “…… Unable to start debugging on the web server. ……”. However,we don’t have the same problem for Debug|Start Without Debugging in the single user client server environment. We don’t have any problem in a standalone environment. After adding users to the debugging group on the server, the problem still exists. The reason of this problem is not clear to the author.6. RESOURCESThere is a huge amount of helpful online learning resources related to . Here are a couple of them, which are particularly helpful to the author./aspxtreme/. Accessed April 17, 2003. This site provides many tutorials covering wide range concepts. They usually show you how to do a particular task step by step. Some of the examples have both C# and VB versions./resources/spcollections/aspnet/default.asp. Accessed April 17, 2003. This site provides many articles from intermediate level to highly technical level. These articles are mostly from online magazines and they discuss many interesting topics in ./aspnet/. Accessed May 5, 2003. This site provides free source code and tutorials for developers. We can find complete examples for some typical tasks./. Accessed May 5, 2003. This site provides wide range of tutorials for different levels of readers. This is my favorite site. I’ve been with it since Classic ASP. I found that whenever I meet a challenging problem, I always find a solution here./tutorialsindex.aspx. Accessed May 5, 2003. This site provides wide range of articles for different levels of readers. Articles are groupedaccording to topics, which is very helpful when we do research on a particular topic.7. CONCLUSIONMoving from Classic ASP to has proven to be a challenging and exciting process. The author has learned a lot in this process. From the responses to our six-week survey, 100% students feel our WAD course challenging. However, most of them still prefer to learn rather than Classic ASP. We feel confident about the move. The issue is how to organize the course and help the students meet the challenge. is certainly an outstanding tool for both teaching and development. As a new development platform, we do need some time to absorb all the new features.从经典ASP到摘要是微软公司基于网络应用程序新开发出的产品，这个产品的普及在的创新当中具有重大意义，因此在方面的教育有了很大的需求。

网络安全参考文献1. [1] Gursimran Kaur, Sukhjit Singh. (2020). "An Improved Network Security using Firewalls and IDS/IPS". International Journal of Recent Technology and Engineering (IJRTE).2. [2] Lubaina Rashid S. M., K. Murali, A. Sreekanth, V. Sowmya Vani. (2019). "Enhancing Network Security using Machine Learning Algorithms". International Journal of Recent Technology and Engineering (IJRTE).3. [3] Yin Yang, Muyi Li, Wenjie Wang, Heng Zhang. (2020). "Security testing of web applications based on artificial intelligence". International Journal of Advanced Computer Research (IJACR).4. [4] S. Ramapriya, S. Uma Maheswari, J. Premkumar. (2019). "An Improved Defense Mechanism for Network Security". International Journal of Engineering & Technology (IJEAT).5. [5] V. Lalithasree, K. Subashini, V. N. Nagaveni. (2019). "A Survey on Network Security Techniques and Cryptography". International Journal of Engineering and Advanced Technology (IJEAT).6. [6] Hualiang Zhang, Yanan Sun, Chunqing Wu, Xiaodong Lin, Chenglin Zhao. (2021). "Research on Network Security Situation Awareness Technology Based on Machine Learning". Wireless Personal Communications.7. [7] W. Zhang, Z. Feng, L. Lv, H. Li. (2019). "An ImprovedNetwork Security Intrusion Detection Method Based on Sequence Mining". Proceedings of the International Conference on Computer Science and Artificial Intelligence (CSAI).8. [8] Zuyuan Fang, Tingting Zhang, Dingyi Fang, Weiwei Yu, Zhibo Wu. (2021). "A Secure Network Coding Key Distribution Scheme Based on Fully Homomorphic Encryption". Journal of Communications and Networks.Please note that the numbering in brackets is added for reference purposes only.。

网络安全外文翻译文献Title: Internet Security: A Review of Current and Future ChallengesThe internet has become an integral part of modern life, connecting people across the globe, enabling commerce, and driving innovation. However, with the increasing interconnectedness of our digital world comes a growing need for internet security. This article provides a review of current internet security challenges and explores the emerging threats and trends we can expect to see in the future.1、Current ChallengesThe primary challenge with internet security lies in the ever-changing nature of cyber threats. Hackers, nation-states, and cybercriminals are constantly developing new tools and techniques to bypass security measures and steal sensitive information. Ransomware, phishing, and identity theft are just a few examples of the common threats we see today.Another major challenge is the lack of cybersecurity personnel. According to the 2022 Global Information Security Survey, 53% of organizations reported a shortage of cybersecurity staff.This shortage makes it difficult to stay ahead of the constantly evolving threat landscape.2、Future Threats and TrendsAs technology advances, we can expect to see an increase in the complexity and severity of cyber threats. Artificial intelligence (AI) and machine learning (ML) will play a larger role in both offensive and defensive cyber operations.AI-powered autonomous hacking machines capable of launching sophisticated attacks or identifying and exploiting vulnerabilities are just one example of the emerging threats we may face.The internet of things (IoT) will also present new challenges. As our physical devices become increasingly connected to the internet, they become potential targets for cybercriminals. IoT devices are often viewed as low-hanging fruit, as many of them have poor security protocols, making them easy prey for hackers.3、Solutions and RecommendationsTo stay ahead of internet security threats, organizations must prioritize investing in cybersecurity personnel andtechnologies. Regular software updates, strong password policies, and robust network firewalls are essential building blocks of any cybersecurity strategy.Organizations should also prioritize implementing AI andML-based security solutions. These technologies can help identify and prevent emerging threats by analyzing vast amounts of data and detecting patterns typical of malicious activity. Furthermore, IoT device manufacturers must prioritize building security into their products from the outset. This includes implementing strong encryption methods, updating software regularly, and providing customers with easy-to-use security features.In conclusion, the internet remns a crucial element of modern life, but with the ever-growing complexity and severity of cyber threats, internet security must be a top priority. By investing in cybersecurity personnel and technologies, implementing and ML-based security solutions, and prioritizing IoT device security, organizations can better protect themselves agnst the ever-changing threat landscape.。