1 / 58

Matt Wheeler

Intermediate JSP. Matt Wheeler. Notes. This is a training NOT a presentation If you have questions please ask them Prerequisites Introduction to Java Stack Basic Java and XML skills Introduction to JSP Installed LDSTech IDE (or other equivalent). Overview. Review Scriptlets

taini
Download Presentation

Matt Wheeler

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Intermediate JSP Matt Wheeler

  2. Notes • This is a training NOT a presentation • If you have questions please ask them • Prerequisites • Introduction to Java Stack • Basic Java and XML skills • Introduction to JSP • Installed LDSTech IDE (or other equivalent)

  3. Overview • Review • Scriptlets • Expressions • Expression Language (EL) • Taglibs (JSTL, Spring, Stack) • Custom taglibs • Functions • Templating

  4. Review • Scriptlets • Expressions • …

  5. Scriptlets • Scriptlets are code in a JSP page (delimited with <% %>) • Will be compiled into the service method of the resulting servlet • Lets look at a simple example <% String user = request.getAttribute(“loggedInUser”); if (user != null) { %> Welcome <% } %>

  6. Expressions • Like scriptlets but evaluate a singular Java expression and return the result • Result must be a String or convertible to a String • The syntax is as follows: <%= expression %> • For example: <%= someBean.something%> <%-- Or we could enhance our previous example --%> <% String user= request.getAttribute(“loggedInUser”); if (user != null) { %> Welcome <%= user %> <% } %>

  7. Disadvantages • Maintenance, maintenance, maintenance • Difficult to read • Difficult to understand • Not testable • Not reusable • Difficult to refactor • Tightly coupled UI and back end code • The long version can be found here: • http://www.javaranch.com/journal/200603/Journal200603.jsp#a5

  8. Expression Language (EL) • The expression language is meant to provide easy access within a JSP page to application data/logic in JavaBeans • EL is really the bridge between the model and the view and allows for separation of concerns • For detailed information on the JSP EL please see: http://download.oracle.com/javaee/6/tutorial/doc/gjddd.html

  9. EL (continued) • Use of EL will help mitigate too much logic in JSP pages • EL allows access to properties and attributes of: • JavaBeans • Collections • Implicit objects //accessing a JavaBean ${someBean} ${someBean.someProperty} //accessing a value of a map with key of someKey ${someBean.map['someKey']} //accessing an implicit object (request) ${request.param}

  10. EL (JavaBeans) • EL looks for a specified bean in all scopes (request, session, application) to resolve the expression • ${someBean.whatever} • After a bean/resource named someBean is found EL attempts to access the whatever property of the bean public class SomeBean { private String whatever; public String getWhatever() { return this.whatever; } public void setWhatever(String whatever) { this.whatever = whatever; } }

  11. EL (Collections) • EL provides special syntax for accessing items in lists or maps • List properties can be accessed with array notation • Map items can be accessed with map or dot notation ${someBean.someList[0]} //access the first item in the list ${someBean.someMap['key']} //access the item in the map with key of 'key' ${someBean.someMap.key} //equivalently use dot notation for the same result

  12. EL (Implicit Objects) • Objects exposed for reference in EL without any extra work or configuration from the developer • Some of these objects include: • pageContext, request, session, application, pageScope, requestScope, sessionScope, applicationScope, param, paramValues, header, headerValues, cookie, cookies, initParam, exception ${requestScope['nameOfSubmitted']} //extracts value for attribute of given name ${param['nameOfRequestParam']} //gets value off the url for the given name ${header['Accept-Language']} //find value for header with name Accept-Language ${initParam['paramName']} //gets the value of the initParam with name paramName ${pageContext.request.servletPath} //gets the servlet path from the request

  13. EL (operators) • While most of the view logic will be in JavaBeans, EL allows for limited logic in the view • EL provides some basic operators • Logical: &&, ||, !, and, or not • Comparison: ==, !=, <, >, <=, >=, eq, ne, lt, gt, ge, le • Conditional (turnary): test ? result1 : result2 • Arithmetic: +, -, *, /, div, %, mod, E • Empty: empty, null • For operator precedence, please see: http://download.oracle.com/javaee/6/tutorial/doc/bnaik.html

  14. EL (operators) • Some examples ${someBean.administrator && someBean.owner} ${someBean.count > 0} ${someBean.count + 1 % 2} ${someBean.count * .1 gt 50 && (someBean.payTaxes || someBean.goToJail)} ${4.0 eq (3 + 1)/1} ${someBean.map['someKey']}

  15. EL (Evaluation) • There are multiple implicit resolvers that attempt to handle EL expressions • In general, say we are resolving ${someBean.abc} • One of the EL resolvers will, grab the first portion someBean • Will look for an implicit object of that name • Will then look for a bean of that name • Once found, it will look for a property on that name or implicit object (abc) and get that value

  16. Lab 1 https://tech.lds.org/wiki/Intermediate_JSP#Lab_1_Expression_Language_.28EL.29

  17. Taglibs • Primary goal of taglibs it to provide reusable functionality • Through reusable tag elements • Through functions that extend EL • Simplifies jsp pages making them more readable / maintainable by separating logic from the page’s presentation

  18. Basic Usage • Taglibs • Declare the namespace • Use the tag • Functions • Declare the namespace • Use the function <%@ taglib prefix="web" uri="http://code.lds.org/web" %> <web:display-exception style="font-style: italic" /> <%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> ${fn:join(array, ', ')}

  19. What did these save us? • Without the taglib <%@ page import="java.io.PrintWriter" %> <% String style = pageContext.getRequest().getAttributes(“exceptionStyle”); if (style == null || "".equals(style.trim())) { out.write("<pre style=\"font-style: 'Helvetica'; word-wrap: break-word; … \"> } else { writer.write("<pre style=\"" + style + "\">"); } if (pageContext.getException() == null) { out.write("No exception was available to print."); } else { pageContext.getException().printStackTrace(new PrintWriter(out)); } out.write("</pre>"); %>

  20. What did this save us? • Without the function <%! public String join(String[] array, String separator) { if (array == null) return ""; if (separator == null) separator = ""; StringBufferbuf = new StringBuffer(); for (int i=0; i<array.length; i++) { buf.append(array[i]); if (i < array.length-1) buf.append(separator); } return buf.toString(); } %> <% String joined = join(someArray, “,”)); … %>

  21. JSP Include • Allows you to include static or dynamic resources in a JSP page • Facilitates reuse • Allows separation into manageable pieces • Two include mechanisms available in JSP • <jsp:include page="some.jsp" /> • <%@include file="some.jsp" %>

  22. jsp:include • Executes the included content and then includes the result in the containing JSP page //include.jsp Include me, include me! ${parentValue} //include-demo.jsp <!DOCTYPE html> <html> <body> <% String parentValue = “Something spectial"; pageContext.setAttribute("parentValue", parentValue); %> <jsp:include page="/include.jsp" /> </body> </html> //resulting output: Include me, include me!

  23. @include (directive) • Includes the content and then executes the page • Can depend on (or conflict) with variables in the containing page • Page takes a relative url //include.jsp Include me, include me! ${parentValue} //include-demo.jsp <!DOCTYPE html> <html> <body> <% String parentValue = “Something special”; pageContext.setAttribute("parentValue", parentValue); %> <%@ include file="include.jsp" %> </body> </html> //resulting output: Include me, include me! Something special

  24. Additional info • Also note that using the jsp:include, parameters can be passed to the included page as follows: • For more info on jsp:include: http://java.sun.com/products/jsp/syntax/1.2/syntaxref1214.html • For more info on @include: http://java.sun.com/products/jsp/syntax/1.2/syntaxref129.html#997991 <jsp:include page="/include.jsp"> <jsp:param name="parameterName" value="parameterValue " /> </jsp:include>

  25. Demo DEMO

  26. Common Taglibs (JSTL) • JavaServer Pages Standard Tag Library (JSTL) taglibs for many common web use cases • Core • Xml processing • Internationalization and formatting • For more info: http://download.oracle.com/docs/cd/E17802_01/products/products/jsp/jstl/1.1/docs/tlddocs/index.html

  27. Core Tags (c:out) • c:out evaluates an expression and outputs it to the JspWriter • Allows you to provide a default <c:out value=”${someBean.someProperty}” default=”Empty” />

  28. Core (conditionals) • c:if – executes based on the result of the test attribute • If / else equivalent (choose, when, otherwise) <c:if test="${someBean.day < 12 && someBean.hour > 2}"> Party time </c:if> <c:choose> <c:when test="${empty someBean.results}"> Display this if there are no results </c:when> <c:otherwise> Display all of the results </c:otherwise> </c:choose>

  29. Core (Looping and Iteration) • c:forEach – loops over an array, Collection, Iterator, Enumeration, Map, String of comma separated values <c:forEach var="result" items=“${results}"> <tr> <td>${result.property1}</td><td>${result.property2}</td> </tr> </c:forEach>

  30. Core (c:set) • Facilitates scoped variable manipulation • Sets the value of the given key in the given scope • Basically equivalent to: • Value can also be provided as the body content of the tag • If var is null (i.e. not specified – var="null" will set the attribute to the String "null") the value is removed <c:set var="key" value="${header['User-Agent']}" scope="session" /> <% pageContext.session.setAttribute("key", ${header['User-Agent']} ); %> <c:set var="key" scope="session"> <c:if test="${admin}"> Append confidential data </c:if> </c:set>

  31. Core (c:set) • <c:set> - can also be used to set a property on a scoped object <c:set target="someBean" property="something" value="awesome" />

  32. Core (Urls) • <c:url> - Aids in constructing correctly formatted URLs with encoding applied • <c:param> - Often used in correlation with c:url to add query parameters to the url • Note that the name and value are URL encoded by default (more later) • For example: <c:url value="http://www.whatever.com/whatever.jsp"> <c:param name=“&apathy" value="&don'tcare" /> <c:param name=“@ignorance" value="@don'tknow" /> </c:url> Result would be something like: http://www.whatever.com/whatever.jsp?%26apathy=%26don'tcare&%40ignorance=%40don'tknow;jsessionid=123456789

  33. Core • Internationalization and Formatting Taglib • Provides support for internationalization related functions such as: • Locales, resource bundles, and base names •  Xml Processing Taglib • Provides support for basic xml processing as well as xml flow control and transformations

  34. JSTL Functions • For more info: http://download.oracle.com/javaee/5/jstl/1.1/docs/tlddocs/

  35. Other Useful Taglibs • Spring taglibs • http://static.springsource.org/spring/docs/3.1.0.M1/spring-framework-reference/html/spring.tld.html • Stack Security taglib • JSP doesn’t defend against xss like JSF did (i.e. encode all output) • In JSF everything output with an h:outputText was encoded by default • In JSP you have to take special care to encode values that are displayed to avoid cross site scripting errors

  36. XSS: The Problem • In short, cross-site scripting is when user entered data executes as a script instead of being displayed as text • For example: • Assume a page takes a parameter on the url and displays it • And then in your page, you put ${param.userInput} • Instead of showing on the page as text this will actually become a script in the page and be executed displaying an alert to the user • For more info: http://en.wikipedia.org/wiki/Cross-site_scripting http://whatever.com/?userInput=<script>alert('You should encode this silly.');</script>

  37. XSS: Avoidance • To avoid this, all output (especially user entered data) should be encoded before it is displayed • Stack provides following encoding functions • Or in code • More comprehensive information: • https://tech.lds.org/wiki/Java_Stack_Security_%28Encoding%29_Tech_Tip • http://code.lds.org/maven-sites/stack/module.html?module=security-web/index.html <%@ taglib prefix="ssw" uri="http://code.lds.org/security/web" %> ${ssw:encodeHtml(param.something)} ${ssw:encodeAttribute(param.something)} ${ssw:encodeJS(param.something)} EncodingUtils.encodeHtml(String input); EncodingUtils.encodeAttribute(String input); EncodingUtils.encodeJS(String input);

  38. Other Stack Provided Taglibs • Other taglibs • message-source • xsrfToken • display-exception

  39. Lab 2 https://tech.lds.org/wiki/Intermediate_JSP#Lab_2_Taglibs

  40. Custom Taglibs • Example • As the page is being processed, the tag is read, mapped to the appropriate taglib handler, and processed • Further note that hello maps to a tag class (org.lds.stack.whatever.web.HelloTag) that processes the tag <%@ taglib prefix="what" uri="http://code.lds.org/whatever/web" %> <what:hello formal="true" />

  41. Associated tld file <?xml version="1.0" encoding="UTF-8" ?> <taglibxmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-jsptaglibrary_2_1.xsd" version="2.1"> <description>Tag library for stack security web.</description> <tlib-version>1.0</tlib-version> <uri>http://code.lds.org/whatever/web</uri> <tag> <description>Spits out hello.</description> <name>hello</name> <tag-class>org.lds.stack.whatever.web.HelloTag</tag-class> <body-content>empty</body-content> <attribute> <description>Whether hello formal or informal</description> <name>formal</name> <required>false</required> <rtexprvalue>true</rtexprvalue> </attribute> </tag> </taglib>

  42. Taglib class (HelloTag) • HelloTag public class HelloTag extends BodyTagSupport { private Boolean formal; public intdoStartTag() throws JspException { try { if (formal) { String username = (String) ((HttpServletRequest) pageContext.getRequest()).getAttribute("currentUser"); pageContext.getOut().write("Good day to you " + username); } else { pageContext.getOut().write("Howdy Partner. "); } } catch (IOException e) { throw new JspException("Error: IOException while writing to client"); } return SKIP_BODY; } public void setFormal(Boolean formal) { this. formal = formal; } }

  43. Functions • Sometimes a taglib might be overkill and all that is needed is some calculation or processing • You may not want to embed that code in the page, particularly if it is reusable • Accordingly EL functions allow you to call a static Java function to perform the processing

  44. Functions (example) • Suppose you have a class with static methods • In a tld file define the function for use in JSP • Then in the JSP page use the function as follows public class MiscUtils { public static String concat(String one, String two) { return one+two; } } <function> <description>Concatenates two strings into one.</description> <name>concat</name> <function-class>org.lds.stack.web.util.MiscUtils</function-class> <function-signature>java.lang.Stringconcat( java.lang.String, java.lang.String )</function-signature> </function> <%@ taglib prefix="util"uri="http://code.lds.org/web" %> Hello ${util:concat(param.firstName, param.lastName)}

  45. Tag Files (Taglets) • Simpler way to create taglibs • Better for content driven tags as opposed to complex logic tags • Tag files are not quite as powerful as the regular tag approach • However they are much simpler to create • For instance you cannot put a scriptlet in a taglet

  46. Tag Files (Taglets) • Basically you create a .tag file in WEB-INF/tags (or a subdirectory) • The container then makes it available as a JSP taglib • It uses the name of the file as the tag name by default and the namespace points to a tagdir instead of a uri • Lets re-create our hello tag using this approach <%@ taglib prefix="tags" tagdir="WEB-INF/tags"%> <%@ taglib prefix="util" uri="http://code.lds.org/web" %>

  47. Tag Files (Taglets) • We would create a file named hello.tag and place it in WEB-INF/tags (maybe put Hello! in it) • WEB-INF/tags/hello.tag • And that is it, believe it or not, it is ready for use <!DOCTYPE html > <%@tag description="Base Template Tag" pageEncoding="UTF-8“ %> Hello! <%@ taglib prefix="tags" tagdir="WEB-INF/tags"%> <tags:hello /> <%-- Which of course will print the very useful Hello! --%>

  48. Tag Files (Taglets) • In out hello.tag file we can add an attribute as follows: • Then you would add some logic to the tag (hello.tag): <%-- this directive only valid in tag files --%> <@% attribute name="formal" required="false" rtexprvalue="true" %> <%-- Replace Hello! with the following --%> <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%> <c:choose> <c:when test="${formal} "> Good day ${request.currentUser} </c:when> <c:otherwise> Howdy partner </c:otherwise> </c:choose>

  49. Tag Files • Now our new tag can be used as follows: • Notice that the tag is really just a basic jsp file, but that you can customize with the attributes specified <%@ taglib prefix="tags" tagdir="WEB-INF/tags"%> <tags:hello formal="true" /> //or <tags:hello> <jsp:attribute name="formal" value="${user.formal}" /> </tags:hello>

  50. <jsp:doBody /> • Define a portion of the tag that can be overridden by the user of the tag • bodytest.tag • This tag could be utilized as follows: Before body content <jsp:doBody /> After body content <%@ taglib prefix="tags" tagdir="WEB-INF/tags"%> <tags:bodytest> My body content </tags:bodytest> <%-- or if you have other content in the body --%> <tags:bodytest> <jsp:attribute name="whatever" value="Good stuff"/> <jsp:body>My body content</jsp:body> </tags:bodytest>

More Related