Head First Servlets and JSP 2nd Edition

Head First Servlets and JSP™ Second Edition

by Bryan Basham, Kathy Sierra, and Bert Bates Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly Media books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Series Creators:

Kathy Sierra, Bert Bates

Series Editor:

Brett D. McLaughlin

Design Editor:

Louise Barr

Cover Designers:

Edie Freedman, Steve Fehler, Louise Barr

Production Editor:

Sanders Kleinfeld

Indexer:

Julie Hawks

Interior Decorators:

Kathy Sierra and Bert Bates

Servlet Wrangler:

Bryan Basham

Assistant to the Front Controller:

Bert Bates

Printing History: August 2004: First Edition. March 2008: Second Edition. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. The Head First series designations, Head First Servlets and JSP™, Second Edition, and related trade dress are trademarks of O’Reilly Media, Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. O’Reilly Media, Inc. is independent of Sun Microsystems. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc., was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. In other words, if you use anything in Head First Servlets & JSP™ to, say, run a nuclear power plant or air traffic control system, you’re on your own. Readers of this book should be advised that the authors hope you remember them, should you create a huge, successful dotcom as a result of reading this book. We’ll take stock options, beer, or dark chocolate ISBN: 978-0-596-51668-0 [M]

table of contents

Table of Contents (Summary) Intro

xix

1



Why use Servlets & JSPs: an introduction

1

2

Web App Architecture: high-level overview

37

3

Mini MVC Tutorial: hands-on MVC

67

4

Being a Servlet: request AND response

93

5

Being a Web App: attributes and listeners

147

6

Conversational state: session management

223

7

Being a JSP: using JSP

281

8

Script-free pages: scriptless JSP

343

9

Custom tags are powerful: using JSTL

439

10

When even JSTL is not enough: custom tag development

499

11

Deploying your web app: web app deployment

601

12

Keep it secret, keep it safe: web app security

649

13

The Power of Filters: wrappers and filters

701

14

Enterprise design patterns: patterns and struts

737

A

Appendix A: Final Mock Exam

791

i

Index

865

Table of Contents (the real thing)

i

Intro Your brain on Servlets.  Here you are trying to learn something, while here your brain is doing you a favor by making sure the learning doesn’t stick. Your brain’s thinking, “Better leave room for more important things, like which wild animals to avoid and whether naked snowboarding is a bad idea.” So how do you trick your brain into thinking that your life depends on knowing Servlets? Who is this book for?

xx

We know what your brain is thinking

xxi

Metacognition

xxiii

Bend your brain into submission

xv

What you need for this book

xxvi

Passing the certification exam

xxviii

Technical reviewers

xxx

Acknowledgments

xxxi

ix

table of contents

1

Why use Servlets & JSPs Web applications are hot. How many GUI apps do you know that are used by millions of users worldwide? As a web app developer, you can free yourself from the grip of deployment problems all standalone apps have, and deliver your app to anyone with a browser. But you need servlets and JSPs. Because plain old static HTML pages are so, well, 1999. Learn to move from web site to web app.

2

Exam objectives

2

What web servers and clients do, and how they talk?

4

Two-minute guide to HTML

7

What is the HTTP protocol?

10

Anatomy of HTTP GET and POST requests and HTTP responses

16

Locating web pages using URLs

20

Web servers, static web pages, and CGI

24

Servlets Demystified: write, deploy, and run a servlet

30

JSP is what happened when somebody introduced Java to HTML

34

Web app architecture Servlets need help. When a request comes in, somebody has to instantiate the servlet or at least allocate a thread to handle the request. Somebody has to call the servlet’s doPost() or doGet() method. Somebody has to get the request and the response to the servlet. Somebody has to manage the life, death, and resources of the servlet. In this chapter, we’ll look at the Container, and we’ll take a first look at the MVC pattern.

x

Exam Objectives

38

What is a Container and what does it give you?

39

How it looks in code (and what makes a servlet)

44

Naming servlets and mapping them to URLs using the DD

46

Story: Bob Builds a Matchmaking Site ( and MVC intro)

50

A Model-View-Controller (MVC) overview and example

54

A “working” Deployment Descriptor (DD)

64

How J2EE fits into all this

65

3

table of contents

Mini MVC tutorial Create and deploy an MVC web app. It’s time to get your hands dirty writing an HTML form, a servlet controller, a model (plain old Java class), an XML deployment descriptor, and a JSP view. Time to build it, deploy it, and test it. But first, you need to set up your development environment. Next, you need to set up your deployment environment following the servlet and JSP specs and Tomcat requirements. True, this is a small app... but there’s almost NO app that’s too small to use MVC. Exam Objectives

4

68

Let’s build an MVC application; the first design

69

Create the development and deployment environments

72

Create and test the HTML for the initial form page

75

Create the Deployment Descriptor (DD)

77

Create, compile, deploy, and test the controller servlet

80

Design, build, and test the model component

82

Enhance the controller to call the model

83

Create and deploy the view component (it’s a JSP)

87

Enhance the controller servlet to call the JSP

88

Being a Servlet Servlets need help. When a request A servlet’s job is to take a client’s request and send back a response. The request might be simple: “get me the Welcome page.” Or it might be complex: “Complete my shopping cart check-out.” The request carries crucial data, and your servlet code has to know how to find it and how to use it. And your servlet code has to know how to send a response. Or not... Exam Objectives A servlet’s life in the Container Servlet initialization and threads A Servlet’s REAL job is to handle GET and POST requests. The story of the non-idempotent request What determines whether you get a GET or POST request? Sending and using parameter(s) So that’s the Request... now let’s see the Response You can set response headers, you can add response headers Servlet redirect vs. request dispatcher Review: HttpServletResponse

94 95 101 105 112 117 119 126 133 136 140

xi

table of contents

5

Being a web app No servlet stands alone. In today’s modern web app, many components work together to accomplish a goal. You have models, controllers, and views. You have parameters and attributes. You have helper classes. But how do you tie the pieces together? How do you let components share information? How do you hide information? How do you make information thread-safe? Your job may depend on the answers.

xii

Exam Objectives

148

Init Parameters and ServletConfig to the rescue

149

How can a JSP get servlet init parameters?

155

Context init parameters to the rescue

157

Comparing ServletConfig with ServletContext

159

She wants a ServletContextListener

166

Tutorial: a simple ServletContextListener

168

Compile, deploy, and test your listener

176

The full story, a ServletContextListener review

178

Eight Listeners: they’re not just for context events...

180

What, exactly, is an attribute?

185

The Attribute API and the dark side of attributes

189

Context scope isn’t thread-safe!

192

The problem in slow motion...

193

Trying out Synchronization

195

Are Session attributes thread-safe?

198

The SingleThreadModel

201

Only Request attributes and local variables are thread-safe!

204

Request attributes and Request dispatching

205

6

table of contents

Conversational state Web servers have no short-term memory. As soon as they send you a response, they forget who you are. The next time you make a request, they don’t recognize you. They don’t remember what you’ve requested in the past, and they don’t remember what they’ve sent you in response. Nothing. But sometimes you need to keep conversational state with the client across multiple requests. A shopping cart wouldn’t work if the client had to make all his choices and then checkout in a single request. Exam Objectives

7

224

It’s supposed to be a conversation, (how sessions work)

226

Session IDs, cookies, and other session basics

231

URL rewriting: something to fall back on

237

When sessions get stale; getting rid of bad sessions

241

Can I use cookies for other things, or are they only for sessions?

250

Key milestones for an HttpSession

254

Don’t forget about HttpSessionBindingListener

256

Session migration

257

Listener examples

261

Being a JSP A JSP becomes a servlet. A servlet that you don’t create. The Container looks at your JSP, translates it into Java source code, and compiles it into a full-fledged Java servlet class. But you’ve got to know what happens when the code you write in the JSP is turned into Java code. You can write Java code in your JSP, but should you? And if not Java code, what do you write? How does it translate into Java code? We’ll look at six different kinds of JSP elements—each with its own purpose and, yes, unique syntax. You’ll learn how, why, and what to write in your JSP. And you’ll learn what not to write. Exam Objectives

282

Create a simple JSP using “out” and a page directive

283

JSP expressions, variables, and declarations

288

Time to see a JSP-generated servlet

296

The out variable isn’t the only implicit object...

298

The Lifecycle and initialization of a JSP

306

While we’re on the subject... let’s talk more about the three directives

314

Scriptlets considered harmful? Here’s EL

317

But wait... we haven’t seen: actions

323

xiii

table of contents

8

Script-free pages Lose the scripting. Do your web page designers really have to know Java? Do they expect server-side Java programmers to be, say, graphic designers? And even if it’s just you on the team, do you really want a pile of bits and pieces of Java code in your JSPs? Can you say, “maintenance nightmare”? Writing scriptless pages is not just possible, it’s become much easier and more flexible with the new JSP 2.0 spec, thanks to the new Expression Language (EL). Patterned after JavaScript and XPATH, web designers feel right at home with EL, and you’ll like it too (once you get used to it). But there are some traps... EL looks like Java, but isn’t. Sometimes EL behaves differently than if you used the same syntax in Java, so pay attention!

xiv

Exam Objectives

344

When attributes are beans

345

Standard actions: useBean, getProperty, setProperty

349

Can you make polymorphic bean references?

354

The param attribute to the rescue

360

Converting properties

363

Expression Language (EL) saves the day!

368

Using the dot (.) operator to access properties and map values

370

The [] gives you more options (Lists, arrays...)

372

More dot and [ ] operator details

376

The EL implicit objects

385

EL functions, and handling “null”

392

Reusable template pieces—two kinds of “include”

402

The standard action

416

She doesn’t know about JSTL tags (a preview)

417

Reviewing standard actions and include

417

table of contents

9

Custom tags are powerful Sometimes you need more than EL or standard actions. What if you want to loop through the data in an array, and display one item per row in an HTML table? You know you could write that in two seconds using a for loop in a scriptlet. But you’re trying to get away from scripting. No problem. When EL and standard actions aren’t enough, you can use custom tags. They’re as easy to use in a JSP as standard actions. Even better, someone’s already written a pile of the ones you’re most likely to need, and bundled them into the JSP Standard Tag Library (JSTL). In this chapter we’ll learn to use custom tags, and in the next chapter we’ll learn to create our own.

http://localhost:8080/testJSP1/Tester.do

Exam Objectives

440

Looping without scripting

446

Conditional control with and

451

Using the and tags

455

With , there are now three ways to include content

460

Customizing the thing you include

462

Doing the same thing with

463

for all your hyperlink needs

465

Make your own error pages

468

The tag. Like try/catch...sort of

472

What if you need a tag that’s NOT in JSTL?

475

Pay attention to

480

What can be in a tag body

482

The tag handler, the TLD, and the JSP

483

The taglib is just a name, not a location

484

When a JSP uses more than one tag library

487

xv

table of contents

10

When even JSTL isn’t enough... Sometimes JSTL and standard actions aren’t enough. When you need something custom, and you don’t want to go back to scripting, you can write your own tag handlers. That way, your page designers can use your tag in their pages, while all the hard work is done behind the scenes in your tag handler class. But there are three different ways to build your own tag handlers, so there’s a lot to learn. Of the three, two were introduced with JSP 2.0 to make your life easier (Simple Tags and Tag Files). Exam Objectives

11

500

Tag Files: like include, only better

502

Where the Container looks for Tag Files

509

Simple tag handlers

513

A Simple tag with a body

514

What if the tag body uses an expression?

519

You still have to know about Classic tag handlers

529

A very small Classic tag handler

531

The Classic lifecycle depends on return values

536

IterationTag lets you repeat the body

537

Default return values from TagSupport

539

The DynamicAttributes interface

556

With BodyTag, you get two new methods

563

What if you have tags that work together?

567

Using the PageContext API for tag handlers

577

Deploying your web app Finally, your web app is ready for prime time. Your pages are polished, your code is tested and tuned, and your deadline was two weeks ago. But where does everything go? So many directories, so many rules. What do you name your directories? What does the client think they’re named? What does the client actually request, and how does the Container know where to look?

xvi

Exam Objectives

602

Key deployment task, what goes where?

603

WAR files

612

How servlet mapping REALLY works

616

Configuring welcome files in the DD

622

Configuring error pages in the DD

626

Configuring servlet initialization in the DD

628

Making an XML-compliant JSP: a JSP Document

629

12

table of contents

Keep it secret, keep it safe Your web app is in danger. Trouble lurks in every corner of the network. You don’t want the Bad Guys listening in to your online store transactions, picking off credit card numbers. You don’t want the Bad Guys convincing your server that they’re actually the Special Customers Who Get Big Discounts. And you don’t want anyone (good OR bad) looking at sensitive employee data. Does Jim in marketing really need to know that Lisa in engineering makes three times as much as he does? Exam Objectives

13

650

The Big 4 in servlet security

653

How to Authenticate in HTTP World

656

Top Ten Reasons to do your security declaratively

659

Who implements security in a web app?

660

Authorization roles and constraints

662

Authentication: four flavors

677

The FOUR authentication types

677

Securing data in transit: HTTPS to the rescue

682

Data confidentiality and integrity sparingly and declaratively

684

The power of filters Filters let you intercept the request. And if you can intercept the request, you can also control the response. And best of all, the servlet remains clueless. It never knows that someone stepped in between the client request and the Container’s invocation of the servlet’s service() method. What does that mean to you? More vacations. Because the time you would have spent rewriting just one of your servlets can be spent instead writing and configuring a filter that has the ability to affect all of your servlets. Want to add user request tracking to every servlet in your app? No problem. Manipulate the output from every servlet in your app? No problem. And you don’t even have to touch the servlet. Exam Objectives

702

Building the request tracking filter

707

A filter’s life cycle

708

Declaring and ordering filters

710

Compressing output with a response-side filter

713

Wrappers rock

719

The real compression filter code

722

Compression wrapper code

724

xvii

table of contents

14

Enterprise design patterns Someone has done this already. If you’re just starting to develop web applications in Java, you’re lucky. You get to exploit the collective wisdom of the tens of thousands of developers who’ve been down that road and got the t-shirt. Using both J2EE-specific and other design patterns, you can can simplify your code and your life. And the most significant design pattern for web apps, MVC, even has a wildly popular framework, Struts, that’ll help you craft a flexible, maintainable servlet Front Controller. You owe it to yourself to take advantage of everyone else’s work so that you can spend more time on the more important things in life...

A

Exam Objectives

738

Hardware and software forces behind patterns

739

Review of softweare design principles...

744

Patterns to support remote model components

745

Overview of JNDI and RMI

747

The Business Delegate is a “go-between”

753

Time for a Transfer Object?

759

Business tier patterns: quick review

761

Our very first pattern revisited... MVC

762

Yes! It’s Struts (and FrontController) in a nutshell

767

Refactoring the Beer app for Struts

770

Review of patterns

778

The final Coffee Cram Mock Exam. This is it. 69 questions. The tone, topics, and difficulty level are all virtually identical to the real exam. We know.

i xviii

Index

Final mock exam

791

Answers

828

865

9

using JSTL

Custom tags are powerful You mean, I spent all this time writing scriptlets for the things I can’t do with EL and standard actions, when I could have used JSTL?

Sometimes you need more than EL or standard actions. What if you want to loop through the data in an array, and display one item per row in an HTML table? You know you could write that in two seconds using a for loop in a scriptlet. But you’re trying to get away from scripting. No problem. When EL and standard actions aren’t enough, you can use custom tags. They’re as easy to use in a JSP as standard actions. Even better, someone’s already written a pile of the ones you’re most likely to need, and bundled them into the JSP Standard Tag Library (JSTL). In this chapter we’ll learn to use custom tags, and in the next chapter we’ll learn to create our own.

this is a new chapter

439

official Sun exam objectives

Building JSP pages using tag libraries

Coverage Notes:

9.1 Describe the syntax and semantics of the ‘taglib’

All of the objectives in this section are covered in this chapter, although some of the content is covered again in the next chapter (Developing Custom Tags).

directive: for a standard tag library, for a library of Tag Files.

9.2 Given a design goal, create the custom tag structure to support that goal.

9.3 Identify the tag syntax and describe the action semantics of the following JSP Standard Tag Library (JSTL v1.1) tags: (a) core tags: out, set, remove, and catch, (b) conditional tags: if, choose, when, and otherwise, (c) iteration tags: forEach, and (d) URL-related: url.

Installing the JSTL 1.1 The JSTL 1.1 is NOT part of the JSP 2.0 specification! Having access to the Servlet and JSP APIs doesn’t mean you have access to JSTL. Before you can use JSTL, you need to put two files, “jstl.jar” and “standard. jar” into the WEB-INF/lib directory of your web app. That means each web app needs a copy. In Tomcat 5, the two files are already in the example applications that ship out-of-the-box with Tomcat, so all you need to do is copy them from one directory and put them into your own app’s WEB-INF/lib directory. Copy the files from the Tomcat examples at: webapps/jsp-examples/WEB-INF/ lib/jstl.jar webapps/jsp-examples/WEB-INF/ lib/standard.jar And place it in your own web app’s WEB-INF/lib directory.

440

chapter 9

using JSTL

There’s got to be a way to iterate through a collection in a JSP...without scripting. I want to show one element per row in a table...

EL and standard actions are limited What happens when you bump into a brick wall? You can go back to scripting, of course—but you know that’s not the path. Developers usually want way more standard actions or—even better—the ability to create their own actions. That’s what custom tags are for. Instead of saying , you want to do something like . And you can. But it’s not that easy to create the support code that goes behind the tag. For the JSP page creator, custom tags are much easier to use than scripting. For the Java programmer, however, building the custom tag handler (the Java code invoked when a JSP uses the tag) is tougher. Fortunately, there’s a standard library of custom tags known as the JSP Standard Tag Library (JSTL 1.1). Given that your JSP shouldn’t be doing a bunch of business logic anyway, you might find that the JSTL (combined with EL) is all you’ll ever need. Still, there could be times when you need something from, say, a custom tag library developed specifically for your company. In this chapter, you’ll learn how to use the core JSTL tags, as well as custom tags from other libraries. In the next chapter, we’ll learn how to actually build the classes that handle calls to the custom tags, so that you can develop your own.

you are here �

441

where’s my html?

The case of the disappearing HTML (reprised) On page 384, you saw how EL sends the raw string of content directly to the response stream:

Tip of the Day:

${pageContent.currentTip}

What we got

What we want

Tip of the Day:
tags make things bold!

This comes out as an “invisible” bolded empty space.

> Remember this? The

Tip of the Day:

tags make things bold!

Rendered as

Rendered as

http://localhost:8080/testJSP1/Tester.do

< is rendered > is rendered as “<”, and as “>”.

http://localhost:8080/testJSP1/Tester.do

Tip of the Day:

Tip of the Day:

tags make things bold!

tags make things bold!

What we need is a way to convert those angle brackets into something the browser will render as angle brackets, and there are two ways to do this. Both use a static Java method that converts HTML special characters into their entity format:

Use an EL function

Use a Java helper method

Tip of the Day:

${fn:convEntity(pageContent.currentTip)}

442

chapter 9

Here’s the helper method to make this one work.

Tip of the Day:

${pageContent.convertedCurrentTip}

public String getConvertedCurrentTip() { return HTML.convEntity(getCurrentTip()); }

using JSTL

There’s a better way: use the tag Whichever approach you use, it’s a bit unclear exactly what’s going on... and you may have to write that helper method for all your servlets. Luckily, there’s a better way. The tag is perfect for the job. Here’s how conversion works:

You can explicitly declare the conversion of XML entities If you know or think you might run into some XML entities that need to be displayed, and not just rendered, you can use the escapeXml attribute on c:out. Setting this to true means that any XML will be converted to something the web browser will render, angle brackets and all:

Tip of the Day:

You can explicitly declare NO conversion of XML entities Sometimes, you want just the opposite behavior. Maybe you’re building a page that takes content, and you want to display that content with HTML formatting. In that case, you can turn off XML conversion:

Your HTML is treated as XHTML, which in turn is XML... so this affects HTML characters, too.

Tip of the Day:

Conversion happens by default The escapeXml attribute defaults to true, so you can leave it out if you want. A c:out tag without an escapeXML attribute is just the same as a c:out tag with escapeXML set to “true.”

This is equivale we had before...nt to what tags are evaluatedany HTML displayed as text , not .

Tip of the Day:

This is actually identical in functionality to this.

you are here �

443

escaping html

there are no

Dumb Questions

Q: A:

Which HTML special characters are converted?

It turns out this conversion is rather simple. There are only five characters that require escaping: <, >, &, and the two quote symbols, single and double ". All of these are converted into the equivalent HTML entities. For example, < becomes <, & becomes &, and so on.

Q:

Character

Character Entity Code

< > & ' "

< > & ' "

Last month my company hired a web consultant to audit our web application. She noticed that we were using EL everywhere to output strings entered by users. She said this was a security risk and recommended we output all user strings using the c:out tag. What gives?

A:

Your consultant was right. The security risk she is referring to is called cross-site hacking or cross-site scripting. The attack is sent from one user to another user’s web browser using your webapp as the delivery mechanism.

User1 “cracker”

The cracker enters a comment field in your webapp, which is stored in the database. The cracker includes viral JavaScript code in the comment. Your webapp

User2 “innocent” The innocent user views the cracker’s comment, but the text the cracker entered also includes JavaScript code that compromises user2’s system!

Q: A:

What happens if value of the EL expression is null?

Good question. You know an EL expression ${evalsToNull} generates an empty string in the response output, and so will . But that’s not the end of the story with c:out. The c:out tag is smart, and it recognizes when the value is null and can perform a special action. That action is to provide a default value...

444

chapter 9

to render Using the c:out tas gprevents the text of user g of this form cross-site hackin

×

Sign In

Email

Password

Remember me Forgot password?

Sign In

---

Login with Facebook Login with Google