book

Head First Servlets and JSP, 2nd Edition

by Bryan Basham, Kathy Sierra, Bert Bates

March 2008

Intermediate to advanced

911 pages

20h 31m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Who should probably back away from this book?

Servlets and CGI both play the role of a helper app in the web server
Actually, trying to format HTML inside a servlet’s out.println() pretty much sucks.
Your servlet inherits the lifecycle methods
Servlet Initialization: when an object becomes a servletBut a Servlet’s REAL job is to handle requests. That’s when a servlet’s life has meaning.Request and Response: the key to everything, and the arguments to service()
What happens if you do NOT say method=“POST” in your <form>?
Using relative URLs in sendRedirect()
What about the way we did it with the beer app? We passed the model info to the JSP using a request attribute...
What she really wants is a listener.She wants a ServletContextListenerTutorial: a simple ServletContextListenerMaking and using a context listenerWe need three classes and one DDWriting the listener classWriting the attribute class (Dog)Writing the servlet classWriting the Deployment DescriptorCompile and deployTry it outTroubleshootingThe full story...Listeners: not just for context events...The eight listenersThe HttpSessionBindingListener
Attributes are not parameters!The Three Scopes: Context, Request, and SessionAttribute APIThe dark side of attributes...But then something goes horribly wrong...Context scope isn’t thread-safe!The problem in slow motion...How do we make context attributes thread-safe?Synchronizing the service method is a spectacularly BAD ideaSynchronizing the service method won’t protect a context attribute!You don’t need a lock on the servlet... you need the lock on the context!Are Session attributes thread-safe?What’s REALLY true about attributes and thread-safety?Protect session attributes by synchronizing on the HttpSessionSingleThreadModel is designed to protect instance variablesBut how does the web container guarantee a servlet gets only one request at a time?Which is the better STM implementation?Only Request attributes and local variables are thread-safe!Request attributes and Request dispatchingRequestDispatcher revealedWhat’s wrong with this code?You’ll get a big, fat IllegalStateException!
Cookies
URL rewriting: something to fall back onURL rewriting kicks in ONLY if cookies fail, and ONLY if you tell the response to encode the URLURL rewriting works with sendRedirect()Getting rid of sessionsHow we want it to work...The HttpSession interfaceKey HttpSession methodsSetting session timeoutCan I use cookies for other things, or are they only for sessions?Using Cookies with the Servlet APISimple custom cookie exampleCustom cookie example continued...Key milestones for an HttpSessionSession lifecycle Events
Session migrationThe Beer Web App distributed across two VMsSession migration in action
Listener examplesListener examplesListener examplesSession-related ListenersSession-related Event Listeners and Event Objects API overview
Configuring servlet init parametersOverriding jspInit()
Attributes to the page directive
El is enabled by default!
Declare and initialize a bean attribute with <jsp:useBean>Get a bean attribute’s property value with <jsp:getProperty>
The same is true for JSP expression tags...... and for the jsp:getProperty standard action
She doesn’t know about EL functions
She doesn’t know about JSTL tags
You can explicitly declare the conversion of XML entitiesYou can explicitly declare NO conversion of XML entitiesConversion happens by default
Or you can do it this way:
She doesn’t know about the <error-page> DD tag.
What she really wants is a WAR file
A conceptual call stack example
She doesn’t know about the servlet Wrapper classes
“Off the path”
Common pressures
Code to interfacesSeparation of Concerns & CohesionHide Complexity
Loose CouplingRemote ProxyIncrease Declarative Control
A Fable: The Beer App Grows
What we want...How RMI pulls it off
Service Locator and Business Delegate both simplify model components
Where we left off...
New and (shorter) controller pseudo-code

Content preview from Head First Servlets and JSP, 2nd Edition

Protecting the request data

Remember that in the DD, the <security-constraint> is about what happens after the request. In other words, the client has already made the request when the Container starts looking at the <security-constraint> elements to decide how to respond. The request data has already been sent over the wire. How can you possibly remind the browser that, “Oh, by the way... if the user happens to request this resource, switch to secure sockets (SSL) before sending the request.”

What can you do?

You already know how to force the client to get a login screen—by defining a constrained resource in the DD, the Container will automatically trigger the authentication process when an unauthenticated user makes the request.

So now we have to figure out how to protect the data coming in from a request... even (and sometimes especially) when the client has not yet logged in.

We might want to protect their login data!

Turn the page to see how it all works...

Unauthorized client requests a constrained resource that has NO transport guarantee

Client requests /BuyStuff.jsp, which has been configured in the DD with a <security-constraint>.
The Container checks the <security-constraint> and finds that /BuyStuff is a constrained resource... which means the user MUST be authenticated.The Container finds that there is NO transport-guarantee for this request.
The Container sends a 401 response ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9780596516680Errata Page Supplemental Content

Head First Servlets and JSP, 2nd Edition

by Bryan Basham, Kathy Sierra, Bert Bates

Protecting the request data

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Head First Java, 2nd Edition

Head First Java, 3rd Edition

Servlets and JSP Tutorial for Beginners

Learning Java, 6th Edition

Publisher Resources