book

Head First Servlets and JSP, 2nd Edition

by Bryan Basham, Kathy Sierra, Bert Bates

March 2008

Intermediate to advanced

911 pages

20h 31m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who should probably back away from this book?

Servlets and CGI both play the role of a helper app in the web server
Actually, trying to format HTML inside a servlet’s out.println() pretty much sucks.
Your servlet inherits the lifecycle methods
Servlet Initialization: when an object becomes a servletBut a Servlet’s REAL job is to handle requests. That’s when a servlet’s life has meaning.Request and Response: the key to everything, and the arguments to service()
What happens if you do NOT say method=“POST” in your <form>?
Using relative URLs in sendRedirect()
What about the way we did it with the beer app? We passed the model info to the JSP using a request attribute...
What she really wants is a listener.She wants a ServletContextListenerTutorial: a simple ServletContextListenerMaking and using a context listenerWe need three classes and one DDWriting the listener classWriting the attribute class (Dog)Writing the servlet classWriting the Deployment DescriptorCompile and deployTry it outTroubleshootingThe full story...Listeners: not just for context events...The eight listenersThe HttpSessionBindingListener
Attributes are not parameters!The Three Scopes: Context, Request, and SessionAttribute APIThe dark side of attributes...But then something goes horribly wrong...Context scope isn’t thread-safe!The problem in slow motion...How do we make context attributes thread-safe?Synchronizing the service method is a spectacularly BAD ideaSynchronizing the service method won’t protect a context attribute!You don’t need a lock on the servlet... you need the lock on the context!Are Session attributes thread-safe?What’s REALLY true about attributes and thread-safety?Protect session attributes by synchronizing on the HttpSessionSingleThreadModel is designed to protect instance variablesBut how does the web container guarantee a servlet gets only one request at a time?Which is the better STM implementation?Only Request attributes and local variables are thread-safe!Request attributes and Request dispatchingRequestDispatcher revealedWhat’s wrong with this code?You’ll get a big, fat IllegalStateException!
Cookies
URL rewriting: something to fall back onURL rewriting kicks in ONLY if cookies fail, and ONLY if you tell the response to encode the URLURL rewriting works with sendRedirect()Getting rid of sessionsHow we want it to work...The HttpSession interfaceKey HttpSession methodsSetting session timeoutCan I use cookies for other things, or are they only for sessions?Using Cookies with the Servlet APISimple custom cookie exampleCustom cookie example continued...Key milestones for an HttpSessionSession lifecycle Events
Session migrationThe Beer Web App distributed across two VMsSession migration in action
Listener examplesListener examplesListener examplesSession-related ListenersSession-related Event Listeners and Event Objects API overview
Configuring servlet init parametersOverriding jspInit()
Attributes to the page directive
El is enabled by default!
Declare and initialize a bean attribute with <jsp:useBean>Get a bean attribute’s property value with <jsp:getProperty>
The same is true for JSP expression tags...... and for the jsp:getProperty standard action
She doesn’t know about EL functions
She doesn’t know about JSTL tags
You can explicitly declare the conversion of XML entitiesYou can explicitly declare NO conversion of XML entitiesConversion happens by default
Or you can do it this way:
She doesn’t know about the <error-page> DD tag.
What she really wants is a WAR file
A conceptual call stack example
She doesn’t know about the servlet Wrapper classes
“Off the path”
Common pressures
Code to interfacesSeparation of Concerns & CohesionHide Complexity
Loose CouplingRemote ProxyIncrease Declarative Control
A Fable: The Beer App Grows
What we want...How RMI pulls it off
Service Locator and Business Delegate both simplify model components
Where we left off...
New and (shorter) controller pseudo-code

Content preview from Head First Servlets and JSP, 2nd Edition

The declarative side of programmatic security

There’s a good chance that when a programmer hard-codes security role names in a servlet (to use as the argument to isUserInRole()), the programmer was just making up a fake name. He either didn’t know the real role names, or he’s writing a reusable component that’ll be used by more than one company, and those companies aren’t likely to have the exact role names the programmer used. (Of course, if the programmer really wants to build reusable components, hard-coding a role name is a Terrible Idea, but we’ll suspend disbelief for now.)

It turns out that the Deployment Descriptor has a mechanism for mapping hard-coded (which means made-up) role names in a servlet to the “official” <security-role> declarations in your Container. Imagine, for example, that the programmer used “Manager” as the isUserInRole() argument, but your company uses “Admin” as the <security-role>, and you don’t even have a “Manager” security role. So even if you can’t stop a programmer from hard-coding a role name, you at least have a work-around when the hard-coded roles don’t match your real role names. Because even if you do have the servlet source code, do you really want to change, recompile, and retest your code just to change every instance of “Manager” to “Admin”?