Printing History: August 2004: First Edition. March 2008: Second Edition. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. The Head First series designations, Head First Servlets and JSP™, Second Edition, and related trade dress are trademarks of O’Reilly Media, Inc. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. O’Reilly Media, Inc. is independent of Sun Microsystems. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc., was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and the author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein. In other words, if you use anything in Head First Servlets & JSP™ to, say, run a nuclear power plant or air traffic control system, you’re on your own. Readers of this book should be advised that the authors hope you remember them, should you create a huge, successful dotcom as a result of reading this book. We’ll take stock options, beer, or dark chocolate ISBN: 978-0-596-51668-0 [M]
table of contents
Table of Contents (Summary) Intro
xix
1
Why use Servlets & JSPs: an introduction
1
2
Web App Architecture: high-level overview
37
3
Mini MVC Tutorial: hands-on MVC
67
4
Being a Servlet: request AND response
93
5
Being a Web App: attributes and listeners
147
6
Conversational state: session management
223
7
Being a JSP: using JSP
281
8
Script-free pages: scriptless JSP
343
9
Custom tags are powerful: using JSTL
439
10
When even JSTL is not enough: custom tag development
499
11
Deploying your web app: web app deployment
601
12
Keep it secret, keep it safe: web app security
649
13
The Power of Filters: wrappers and filters
701
14
Enterprise design patterns: patterns and struts
737
A
Appendix A: Final Mock Exam
791
i
Index
865
Table of Contents (the real thing)
i
Intro Your brain on Servlets. Here you are trying to learn something, while here your brain is doing you a favor by making sure the learning doesn’t stick. Your brain’s thinking, “Better leave room for more important things, like which wild animals to avoid and whether naked snowboarding is a bad idea.” So how do you trick your brain into thinking that your life depends on knowing Servlets? Who is this book for?
xx
We know what your brain is thinking
xxi
Metacognition
xxiii
Bend your brain into submission
xv
What you need for this book
xxvi
Passing the certification exam
xxviii
Technical reviewers
xxx
Acknowledgments
xxxi
ix
table of contents
1
Why use Servlets & JSPs Web applications are hot. How many GUI apps do you know that are used by millions of users worldwide? As a web app developer, you can free yourself from the grip of deployment problems all standalone apps have, and deliver your app to anyone with a browser. But you need servlets and JSPs. Because plain old static HTML pages are so, well, 1999. Learn to move from web site to web app.
2
Exam objectives
2
What web servers and clients do, and how they talk?
4
Two-minute guide to HTML
7
What is the HTTP protocol?
10
Anatomy of HTTP GET and POST requests and HTTP responses
16
Locating web pages using URLs
20
Web servers, static web pages, and CGI
24
Servlets Demystified: write, deploy, and run a servlet
30
JSP is what happened when somebody introduced Java to HTML
34
Web app architecture Servlets need help. When a request comes in, somebody has to instantiate the servlet or at least allocate a thread to handle the request. Somebody has to call the servlet’s doPost() or doGet() method. Somebody has to get the request and the response to the servlet. Somebody has to manage the life, death, and resources of the servlet. In this chapter, we’ll look at the Container, and we’ll take a first look at the MVC pattern.
x
Exam Objectives
38
What is a Container and what does it give you?
39
How it looks in code (and what makes a servlet)
44
Naming servlets and mapping them to URLs using the DD
46
Story: Bob Builds a Matchmaking Site ( and MVC intro)
50
A Model-View-Controller (MVC) overview and example
54
A “working” Deployment Descriptor (DD)
64
How J2EE fits into all this
65
3
table of contents
Mini MVC tutorial Create and deploy an MVC web app. It’s time to get your hands dirty writing an HTML form, a servlet controller, a model (plain old Java class), an XML deployment descriptor, and a JSP view. Time to build it, deploy it, and test it. But first, you need to set up your development environment. Next, you need to set up your deployment environment following the servlet and JSP specs and Tomcat requirements. True, this is a small app... but there’s almost NO app that’s too small to use MVC. Exam Objectives
4
68
Let’s build an MVC application; the first design
69
Create the development and deployment environments
72
Create and test the HTML for the initial form page
75
Create the Deployment Descriptor (DD)
77
Create, compile, deploy, and test the controller servlet
80
Design, build, and test the model component
82
Enhance the controller to call the model
83
Create and deploy the view component (it’s a JSP)
87
Enhance the controller servlet to call the JSP
88
Being a Servlet Servlets need help. When a request A servlet’s job is to take a client’s request and send back a response. The request might be simple: “get me the Welcome page.” Or it might be complex: “Complete my shopping cart check-out.” The request carries crucial data, and your servlet code has to know how to find it and how to use it. And your servlet code has to know how to send a response. Or not... Exam Objectives A servlet’s life in the Container Servlet initialization and threads A Servlet’s REAL job is to handle GET and POST requests. The story of the non-idempotent request What determines whether you get a GET or POST request? Sending and using parameter(s) So that’s the Request... now let’s see the Response You can set response headers, you can add response headers Servlet redirect vs. request dispatcher Review: HttpServletResponse
94 95 101 105 112 117 119 126 133 136 140
xi
table of contents
5
Being a web app No servlet stands alone. In today’s modern web app, many components work together to accomplish a goal. You have models, controllers, and views. You have parameters and attributes. You have helper classes. But how do you tie the pieces together? How do you let components share information? How do you hide information? How do you make information thread-safe? Your job may depend on the answers.
xii
Exam Objectives
148
Init Parameters and ServletConfig to the rescue
149
How can a JSP get servlet init parameters?
155
Context init parameters to the rescue
157
Comparing ServletConfig with ServletContext
159
She wants a ServletContextListener
166
Tutorial: a simple ServletContextListener
168
Compile, deploy, and test your listener
176
The full story, a ServletContextListener review
178
Eight Listeners: they’re not just for context events...
180
What, exactly, is an attribute?
185
The Attribute API and the dark side of attributes
189
Context scope isn’t thread-safe!
192
The problem in slow motion...
193
Trying out Synchronization
195
Are Session attributes thread-safe?
198
The SingleThreadModel
201
Only Request attributes and local variables are thread-safe!
204
Request attributes and Request dispatching
205
6
table of contents
Conversational state Web servers have no short-term memory. As soon as they send you a response, they forget who you are. The next time you make a request, they don’t recognize you. They don’t remember what you’ve requested in the past, and they don’t remember what they’ve sent you in response. Nothing. But sometimes you need to keep conversational state with the client across multiple requests. A shopping cart wouldn’t work if the client had to make all his choices and then checkout in a single request. Exam Objectives
7
224
It’s supposed to be a conversation, (how sessions work)
226
Session IDs, cookies, and other session basics
231
URL rewriting: something to fall back on
237
When sessions get stale; getting rid of bad sessions
241
Can I use cookies for other things, or are they only for sessions?
250
Key milestones for an HttpSession
254
Don’t forget about HttpSessionBindingListener
256
Session migration
257
Listener examples
261
Being a JSP A JSP becomes a servlet. A servlet that you don’t create. The Container looks at your JSP, translates it into Java source code, and compiles it into a full-fledged Java servlet class. But you’ve got to know what happens when the code you write in the JSP is turned into Java code. You can write Java code in your JSP, but should you? And if not Java code, what do you write? How does it translate into Java code? We’ll look at six different kinds of JSP elements—each with its own purpose and, yes, unique syntax. You’ll learn how, why, and what to write in your JSP. And you’ll learn what not to write. Exam Objectives
282
Create a simple JSP using “out” and a page directive
283
JSP expressions, variables, and declarations
288
Time to see a JSP-generated servlet
296
The out variable isn’t the only implicit object...
298
The Lifecycle and initialization of a JSP
306
While we’re on the subject... let’s talk more about the three directives
314
Scriptlets considered harmful? Here’s EL
317
But wait... we haven’t seen: actions
323
xiii
table of contents
8
Script-free pages Lose the scripting. Do your web page designers really have to know Java? Do they expect server-side Java programmers to be, say, graphic designers? And even if it’s just you on the team, do you really want a pile of bits and pieces of Java code in your JSPs? Can you say, “maintenance nightmare”? Writing scriptless pages is not just possible, it’s become much easier and more flexible with the new JSP 2.0 spec, thanks to the new Expression Language (EL). Patterned after JavaScript and XPATH, web designers feel right at home with EL, and you’ll like it too (once you get used to it). But there are some traps... EL looks like Java, but isn’t. Sometimes EL behaves differently than if you used the same syntax in Java, so pay attention!
xiv
Exam Objectives
344
When attributes are beans
345
Standard actions: useBean, getProperty, setProperty
349
Can you make polymorphic bean references?
354
The param attribute to the rescue
360
Converting properties
363
Expression Language (EL) saves the day!
368
Using the dot (.) operator to access properties and map values
370
The [] gives you more options (Lists, arrays...)
372
More dot and [ ] operator details
376
The EL implicit objects
385
EL functions, and handling “null”
392
Reusable template pieces—two kinds of “include”
402
The standard action
416
She doesn’t know about JSTL tags (a preview)
417
Reviewing standard actions and include
417
table of contents
9
Custom tags are powerful Sometimes you need more than EL or standard actions. What if you want to loop through the data in an array, and display one item per row in an HTML table? You know you could write that in two seconds using a for loop in a scriptlet. But you’re trying to get away from scripting. No problem. When EL and standard actions aren’t enough, you can use custom tags. They’re as easy to use in a JSP as standard actions. Even better, someone’s already written a pile of the ones you’re most likely to need, and bundled them into the JSP Standard Tag Library (JSTL). In this chapter we’ll learn to use custom tags, and in the next chapter we’ll learn to create our own.
http://localhost:8080/testJSP1/Tester.do
Exam Objectives
440
Looping without scripting
446
Conditional control with and
451
Using the and tags
455
With , there are now three ways to include content
460
Customizing the thing you include
462
Doing the same thing with
463
for all your hyperlink needs
465
Make your own error pages
468
The tag. Like try/catch...sort of
472
What if you need a tag that’s NOT in JSTL?
475
Pay attention to
480
What can be in a tag body
482
The tag handler, the TLD, and the JSP
483
The taglib is just a name, not a location
484
When a JSP uses more than one tag library
487
xv
table of contents
10
When even JSTL isn’t enough... Sometimes JSTL and standard actions aren’t enough. When you need something custom, and you don’t want to go back to scripting, you can write your own tag handlers. That way, your page designers can use your tag in their pages, while all the hard work is done behind the scenes in your tag handler class. But there are three different ways to build your own tag handlers, so there’s a lot to learn. Of the three, two were introduced with JSP 2.0 to make your life easier (Simple Tags and Tag Files). Exam Objectives
11
500
Tag Files: like include, only better
502
Where the Container looks for Tag Files
509
Simple tag handlers
513
A Simple tag with a body
514
What if the tag body uses an expression?
519
You still have to know about Classic tag handlers
529
A very small Classic tag handler
531
The Classic lifecycle depends on return values
536
IterationTag lets you repeat the body
537
Default return values from TagSupport
539
The DynamicAttributes interface
556
With BodyTag, you get two new methods
563
What if you have tags that work together?
567
Using the PageContext API for tag handlers
577
Deploying your web app Finally, your web app is ready for prime time. Your pages are polished, your code is tested and tuned, and your deadline was two weeks ago. But where does everything go? So many directories, so many rules. What do you name your directories? What does the client think they’re named? What does the client actually request, and how does the Container know where to look?
xvi
Exam Objectives
602
Key deployment task, what goes where?
603
WAR files
612
How servlet mapping REALLY works
616
Configuring welcome files in the DD
622
Configuring error pages in the DD
626
Configuring servlet initialization in the DD
628
Making an XML-compliant JSP: a JSP Document
629
12
table of contents
Keep it secret, keep it safe Your web app is in danger. Trouble lurks in every corner of the network. You don’t want the Bad Guys listening in to your online store transactions, picking off credit card numbers. You don’t want the Bad Guys convincing your server that they’re actually the Special Customers Who Get Big Discounts. And you don’t want anyone (good OR bad) looking at sensitive employee data. Does Jim in marketing really need to know that Lisa in engineering makes three times as much as he does? Exam Objectives
13
650
The Big 4 in servlet security
653
How to Authenticate in HTTP World
656
Top Ten Reasons to do your security declaratively
659
Who implements security in a web app?
660
Authorization roles and constraints
662
Authentication: four flavors
677
The FOUR authentication types
677
Securing data in transit: HTTPS to the rescue
682
Data confidentiality and integrity sparingly and declaratively
684
The power of filters Filters let you intercept the request. And if you can intercept the request, you can also control the response. And best of all, the servlet remains clueless. It never knows that someone stepped in between the client request and the Container’s invocation of the servlet’s service() method. What does that mean to you? More vacations. Because the time you would have spent rewriting just one of your servlets can be spent instead writing and configuring a filter that has the ability to affect all of your servlets. Want to add user request tracking to every servlet in your app? No problem. Manipulate the output from every servlet in your app? No problem. And you don’t even have to touch the servlet. Exam Objectives
702
Building the request tracking filter
707
A filter’s life cycle
708
Declaring and ordering filters
710
Compressing output with a response-side filter
713
Wrappers rock
719
The real compression filter code
722
Compression wrapper code
724
xvii
table of contents
14
Enterprise design patterns Someone has done this already. If you’re just starting to develop web applications in Java, you’re lucky. You get to exploit the collective wisdom of the tens of thousands of developers who’ve been down that road and got the t-shirt. Using both J2EE-specific and other design patterns, you can can simplify your code and your life. And the most significant design pattern for web apps, MVC, even has a wildly popular framework, Struts, that’ll help you craft a flexible, maintainable servlet Front Controller. You owe it to yourself to take advantage of everyone else’s work so that you can spend more time on the more important things in life...
A
Exam Objectives
738
Hardware and software forces behind patterns
739
Review of softweare design principles...
744
Patterns to support remote model components
745
Overview of JNDI and RMI
747
The Business Delegate is a “go-between”
753
Time for a Transfer Object?
759
Business tier patterns: quick review
761
Our very first pattern revisited... MVC
762
Yes! It’s Struts (and FrontController) in a nutshell
767
Refactoring the Beer app for Struts
770
Review of patterns
778
The final Coffee Cram Mock Exam. This is it. 69 questions. The tone, topics, and difficulty level are all virtually identical to the real exam. We know.
i xviii
Index
Final mock exam
791
Answers
828
865
9
using JSTL
Custom tags are powerful You mean, I spent all this time writing scriptlets for the things I can’t do with EL and standard actions, when I could have used JSTL?
Sometimes you need more than EL or standard actions. What if you want to loop through the data in an array, and display one item per row in an HTML table? You know you could write that in two seconds using a for loop in a scriptlet. But you’re trying to get away from scripting. No problem. When EL and standard actions aren’t enough, you can use custom tags. They’re as easy to use in a JSP as standard actions. Even better, someone’s already written a pile of the ones you’re most likely to need, and bundled them into the JSP Standard Tag Library (JSTL). In this chapter we’ll learn to use custom tags, and in the next chapter we’ll learn to create our own.
this is a new chapter
439
official Sun exam objectives
Building JSP pages using tag libraries
Coverage Notes:
9.1 Describe the syntax and semantics of the ‘taglib’
All of the objectives in this section are covered in this chapter, although some of the content is covered again in the next chapter (Developing Custom Tags).
directive: for a standard tag library, for a library of Tag Files.
9.2 Given a design goal, create the custom tag structure to support that goal.
9.3 Identify the tag syntax and describe the action semantics of the following JSP Standard Tag Library (JSTL v1.1) tags: (a) core tags: out, set, remove, and catch, (b) conditional tags: if, choose, when, and otherwise, (c) iteration tags: forEach, and (d) URL-related: url.
Installing the JSTL 1.1 The JSTL 1.1 is NOT part of the JSP 2.0 specification! Having access to the Servlet and JSP APIs doesn’t mean you have access to JSTL. Before you can use JSTL, you need to put two files, “jstl.jar” and “standard. jar” into the WEB-INF/lib directory of your web app. That means each web app needs a copy. In Tomcat 5, the two files are already in the example applications that ship out-of-the-box with Tomcat, so all you need to do is copy them from one directory and put them into your own app’s WEB-INF/lib directory. Copy the files from the Tomcat examples at: webapps/jsp-examples/WEB-INF/ lib/jstl.jar webapps/jsp-examples/WEB-INF/ lib/standard.jar And place it in your own web app’s WEB-INF/lib directory.
440
chapter 9
using JSTL
There’s got to be a way to iterate through a collection in a JSP...without scripting. I want to show one element per row in a table...
EL and standard actions are limited What happens when you bump into a brick wall? You can go back to scripting, of course—but you know that’s not the path. Developers usually want way more standard actions or—even better—the ability to create their own actions. That’s what custom tags are for. Instead of saying , you want to do something like . And you can. But it’s not that easy to create the support code that goes behind the tag. For the JSP page creator, custom tags are much easier to use than scripting. For the Java programmer, however, building the custom tag handler (the Java code invoked when a JSP uses the tag) is tougher. Fortunately, there’s a standard library of custom tags known as the JSP Standard Tag Library (JSTL 1.1). Given that your JSP shouldn’t be doing a bunch of business logic anyway, you might find that the JSTL (combined with EL) is all you’ll ever need. Still, there could be times when you need something from, say, a custom tag library developed specifically for your company. In this chapter, you’ll learn how to use the core JSTL tags, as well as custom tags from other libraries. In the next chapter, we’ll learn how to actually build the classes that handle calls to the custom tags, so that you can develop your own.
you are here �
441
where’s my html?
The case of the disappearing HTML (reprised) On page 384, you saw how EL sends the raw string of content directly to the response stream:
Tip of the Day:
${pageContent.currentTip}
What we got
What we want
Tip of the Day: tags make things bold!
This comes out as an “invisible” bolded empty space.
> Remember this? The
Tip of the Day:
tags make things bold!
Rendered as
Rendered as
http://localhost:8080/testJSP1/Tester.do
< is rendered > is rendered as “<”, and as “>”.
http://localhost:8080/testJSP1/Tester.do
Tip of the Day:
Tip of the Day:
tags make things bold!
tags make things bold!
What we need is a way to convert those angle brackets into something the browser will render as angle brackets, and there are two ways to do this. Both use a static Java method that converts HTML special characters into their entity format:
Use an EL function
Use a Java helper method
Tip of the Day:
${fn:convEntity(pageContent.currentTip)}
442
chapter 9
Here’s the helper method to make this one work.
Tip of the Day:
${pageContent.convertedCurrentTip}
public String getConvertedCurrentTip() { return HTML.convEntity(getCurrentTip()); }
using JSTL
There’s a better way: use the tag Whichever approach you use, it’s a bit unclear exactly what’s going on... and you may have to write that helper method for all your servlets. Luckily, there’s a better way. The tag is perfect for the job. Here’s how conversion works:
You can explicitly declare the conversion of XML entities If you know or think you might run into some XML entities that need to be displayed, and not just rendered, you can use the escapeXml attribute on c:out. Setting this to true means that any XML will be converted to something the web browser will render, angle brackets and all:
Tip of the Day:
You can explicitly declare NO conversion of XML entities Sometimes, you want just the opposite behavior. Maybe you’re building a page that takes content, and you want to display that content with HTML formatting. In that case, you can turn off XML conversion:
Your HTML is treated as XHTML, which in turn is XML... so this affects HTML characters, too.
Tip of the Day:
Conversion happens by default The escapeXml attribute defaults to true, so you can leave it out if you want. A c:out tag without an escapeXML attribute is just the same as a c:out tag with escapeXML set to “true.”
This is equivale we had before...nt to what tags are evaluatedany HTML displayed as text , not .
Tip of the Day:
This is actually identical in functionality to this.
you are here �
443
escaping html
there are no
Dumb Questions
Q: A:
Which HTML special characters are converted?
It turns out this conversion is rather simple. There are only five characters that require escaping: <, >, &, and the two quote symbols, single and double ". All of these are converted into the equivalent HTML entities. For example, < becomes <, & becomes &, and so on.
Q:
Character
Character Entity Code
< > & ' "
< > & ' "
Last month my company hired a web consultant to audit our web application. She noticed that we were using EL everywhere to output strings entered by users. She said this was a security risk and recommended we output all user strings using the c:out tag. What gives?
A:
Your consultant was right. The security risk she is referring to is called cross-site hacking or cross-site scripting. The attack is sent from one user to another user’s web browser using your webapp as the delivery mechanism.
User1 “cracker”
The cracker enters a comment field in your webapp, which is stored in the database. The cracker includes viral JavaScript code in the comment. Your webapp
User2 “innocent” The innocent user views the cracker’s comment, but the text the cracker entered also includes JavaScript code that compromises user2’s system!
Q: A:
What happens if value of the EL expression is null?
Good question. You know an EL expression ${evalsToNull} generates an empty string in the response output, and so will . But that’s not the end of the story with c:out. The c:out tag is smart, and it recognizes when the value is null and can perform a special action. That action is to provide a default value...
444
chapter 9
to render Using the c:out tas gprevents the text of user g of this form cross-site hackin