book

Head First Servlets and JSP, 2nd Edition

by Bryan Basham, Kathy Sierra, Bert Bates

March 2008

Intermediate to advanced

911 pages

20h 31m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who should probably back away from this book?

Servlets and CGI both play the role of a helper app in the web server
Actually, trying to format HTML inside a servlet’s out.println() pretty much sucks.
Your servlet inherits the lifecycle methods
Servlet Initialization: when an object becomes a servletBut a Servlet’s REAL job is to handle requests. That’s when a servlet’s life has meaning.Request and Response: the key to everything, and the arguments to service()
What happens if you do NOT say method=“POST” in your <form>?
Using relative URLs in sendRedirect()
What about the way we did it with the beer app? We passed the model info to the JSP using a request attribute...
What she really wants is a listener.She wants a ServletContextListenerTutorial: a simple ServletContextListenerMaking and using a context listenerWe need three classes and one DDWriting the listener classWriting the attribute class (Dog)Writing the servlet classWriting the Deployment DescriptorCompile and deployTry it outTroubleshootingThe full story...Listeners: not just for context events...The eight listenersThe HttpSessionBindingListener
Attributes are not parameters!The Three Scopes: Context, Request, and SessionAttribute APIThe dark side of attributes...But then something goes horribly wrong...Context scope isn’t thread-safe!The problem in slow motion...How do we make context attributes thread-safe?Synchronizing the service method is a spectacularly BAD ideaSynchronizing the service method won’t protect a context attribute!You don’t need a lock on the servlet... you need the lock on the context!Are Session attributes thread-safe?What’s REALLY true about attributes and thread-safety?Protect session attributes by synchronizing on the HttpSessionSingleThreadModel is designed to protect instance variablesBut how does the web container guarantee a servlet gets only one request at a time?Which is the better STM implementation?Only Request attributes and local variables are thread-safe!Request attributes and Request dispatchingRequestDispatcher revealedWhat’s wrong with this code?You’ll get a big, fat IllegalStateException!
Cookies
URL rewriting: something to fall back onURL rewriting kicks in ONLY if cookies fail, and ONLY if you tell the response to encode the URLURL rewriting works with sendRedirect()Getting rid of sessionsHow we want it to work...The HttpSession interfaceKey HttpSession methodsSetting session timeoutCan I use cookies for other things, or are they only for sessions?Using Cookies with the Servlet APISimple custom cookie exampleCustom cookie example continued...Key milestones for an HttpSessionSession lifecycle Events
Session migrationThe Beer Web App distributed across two VMsSession migration in action
Listener examplesListener examplesListener examplesSession-related ListenersSession-related Event Listeners and Event Objects API overview
Configuring servlet init parametersOverriding jspInit()
Attributes to the page directive
El is enabled by default!
Declare and initialize a bean attribute with <jsp:useBean>Get a bean attribute’s property value with <jsp:getProperty>
The same is true for JSP expression tags...... and for the jsp:getProperty standard action
She doesn’t know about EL functions
She doesn’t know about JSTL tags
You can explicitly declare the conversion of XML entitiesYou can explicitly declare NO conversion of XML entitiesConversion happens by default
Or you can do it this way:
She doesn’t know about the <error-page> DD tag.
What she really wants is a WAR file
A conceptual call stack example
She doesn’t know about the servlet Wrapper classes
“Off the path”
Common pressures
Code to interfacesSeparation of Concerns & CohesionHide Complexity
Loose CouplingRemote ProxyIncrease Declarative Control
A Fable: The Beer App Grows
What we want...How RMI pulls it off
Service Locator and Business Delegate both simplify model components
Where we left off...
New and (shorter) controller pseudo-code

Content preview from Head First Servlets and JSP, 2nd Edition

Dueling <auth-constraint> elements

If two or more <security-constraint> elements have partially or fully overlapping <web-resource-collection> elements, here’s how the container resolves access to the overlapping resources. A and B refer to the DD on the previous page.

Rules for interpreting this table:

1 When combining individual role names, all of the role names listed will be allowed.

2 A role name of “ * “ combines with anything else to allow access to everybody.

3 An empty <auth-constraint> tag combines with anything else to allow access to nobody! In other words, an empty <auth-constraint> is always the final word!

4 If one of the <security-constraint> elements has no <auth-constraint> element, it combines with anything else to allow access to everybody.

Note

When two different nonempty <auth-constraint> elements apply to the same constrained resource, access is granted to the union of all roles from both of the <auth-constraint> elements.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9780596516680Errata Page Supplemental Content

Q:	Q: I understand that putting in an empty <auth-constraint/> element tells the Container that NOBODY from any role can access the constrained resource. But I don’t understand WHY you would ever do that. What good is a resource that nobody can access?
A:	A: When we said, “NOBODY”, we meant, “Nobody from OUTSIDE the web app”. In other words, a client can’t access the constrained resource, but another part of the web app can ...

Head First Servlets and JSP, 2nd Edition

by Bryan Basham, Kathy Sierra, Bert Bates

Dueling <auth-constraint> elements

Note

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Head First Java, 2nd Edition

Head First Java, 3rd Edition

Servlets and JSP Tutorial for Beginners

Learning Java, 6th Edition

Publisher Resources