core
SERVLETS AND
JAVASERVER PAGES
VOLUME 2–ADVANCED TECHNOLOGIES
SECOND EDITION


This page intentionally left blank


core
SERVLETS AND
JAVASERVER PAGES
VOLUME 2–ADVANCED TECHNOLOGIES
SECOND EDITION

MARTY HALL
LARRY BROWN
YAAKOV CHAIKIN

Upper Saddle River, NJ • Boston • Indianapolis • San Francisco
New York • Toronto • Montreal • London • Munich • Paris • Madrid
Capetown • Sydney • Tokyo • Singapore • Mexico City


Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and the publisher was aware of a trademark
claim, the designations have been printed with initial capital letters or in all capitals.
The authors and publisher have taken care in the preparation of this book, but make no expressed or
implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed

for incidental or consequential damages in connection with or arising out of the use of the information or
programs contained herein.
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419

For sales outside the United States please contact:
International Sales


Visit us on the Web: www.prenhallprofessional.com
Library of Congress Control Number: 2003058100
Copyright © 2008 Pearson Education, Inc.
All rights reserved. Printed in the United States of America. This publication is protected by copyright, and
permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval
system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or
likewise. For information regarding permissions, write to:
Pearson Education, Inc
Rights and Contracts Department
501 Boylston Street, Suite 900
Boston, MA 02116
Fax (617) 671 3447
ISBN-13: 978-0-13-148260-9
ISBN-10:
0-13-148260-2
Text printed in the United States on recycled paper at Courier in Stoughton, Massachusetts.
First printing, December 2007


Contents


INTRODUCTION

xvii

Who Should Read This Book
Conventions
xix
About the Web Site
xx

ACKNOWLEDGMENTS

xxi

ABOUT THE AUTHORS

xxii

1

xviii

USING AND DEPLOYING WEB APPLICATIONS
1.1

1.2

2


Purpose of Web Applications
3
Organization
4
Portability
4
Separation
4
Structure of Web Applications
5
Locations for Various File Types
5

v


vi

Contents

1.3

1.4

1.5
1.6

1.7

2


Registering Web Applications with the Server
9
Registering a Web Application with Tomcat
10
Registering a Web Application with Other Servers
12
Development and Deployment Strategies
14
Copying to a Shortcut or Symbolic Link
15
Using IDE-Specific Deployment Features
16
Using Ant, Maven, or a Similar Tool
16
Using an IDE in Combination with Ant
17
The Art of WAR: Bundling Web
Applications into WAR Files
17
Building a Simple Web Application
18
Download and Rename app-blank to testApp
18
Download test.html, test.jsp, and TestServlet.java
19
Add test.html, test.jsp to the testApp Web Application
19
Place TestServlet.java into the
testApp/WEB-INF/classes/coreservlets Directory

20
Compile TestServlet.java
20
Declare TestServlet.class and the URL
That Will Invoke It in web.xml
21
Copy testApp to tomcat_dir/webapps
23
Start Tomcat
23
Access testApp with the URL of the Form
http://localhost/testApp/someResource
23
Sharing Data Among Web Applications
25

CONTROLLING WEB APPLICATION
BEHAVIOR WITH WEB.XML
34
2.1
2.2
2.3

2.4

Purpose of the Deployment Descriptor
35
Defining the Header and the Root Element
36
The Elements of web.xml

37
Version 2.4
38
Version 2.3
40
Assigning Names and Custom URLs
42
Assigning Names
42


Contents

2.5

2.6

2.7
2.8
2.9

2.10

2.11
2.12
2.13
2.14

2.15
2.16

2.17
2.18

Defining Custom URLs
44
Naming JSP Pages
50
Disabling the Invoker Servlet
52
Remapping the /servlet/ URL Pattern
53
Globally Disabling the Invoker: Tomcat
55
Initializing and Preloading Servlets and JSP Pages
56
Assigning Servlet Initialization Parameters
56
Assigning JSP Initialization Parameters
60
Supplying Application-Wide Initialization Parameters
63
Loading Servlets When the Server Starts
64
Declaring Filters
68
Specifying Welcome Pages
71
Designating Pages to Handle Errors
72
The error-code Element

73
The exception-type Element
75
Providing Security
78
Designating the Authentication Method
78
Restricting Access to Web Resources
80
Assigning Role Names
83
Controlling Session Timeouts
83
Documenting Web Applications
84
Associating Files with MIME Types
85
Configuring JSP Pages
86
Locating Tag Library Descriptors
86
Configuring JSP Page Properties
87
Configuring Character Encoding
93
Designating Application Event Listeners
93
Developing for the Clustered Environment
95
J2EE Elements

97

vii


viii

Contents

3

DECLARATIVE SECURITY
3.1

3.2

3.3

3.4

104

Form-Based Authentication
106
Setting Up Usernames, Passwords, and Roles
108
Telling the Server You Are Using Form-Based
Authentication; Designating Locations of Login
and Login-Failure Pages
110

Creating the Login Page
111
Creating the Page to Report
Failed Login Attempts
114
Specifying URLs That Should Be Password Protected
Listing All Possible Abstract Roles
118
Specifying URLs That Should Be
Available Only with SSL
119
Turning Off the Invoker Servlet
120
Example: Form-Based Authentication
122
The Home Page
122
The Deployment Descriptor
123
The Password File
127
The Login and Login-Failure Pages
128
The investing Directory
129
The ssl Directory
132
The admin Directory
138
The NoInvoker Servlet

140
Unprotected Pages
141
BASIC Authentication
143
Setting Up Usernames, Passwords, and Roles
145
Telling the Server You Are Using BASIC
Authentication; Designating Realm
145
Specifying URLs That Should Be Password Protected
Listing All Possible Abstract Roles
146
Specifying URLs That Should Be
Available Only with SSL
147
Example: BASIC Authentication
147
The Home Page
147

115

146


Contents

3.5
3.6

3.7

4

PROGRAMMATIC SECURITY
4.1

4.2
4.3
4.4
4.5

4.6

5

The Deployment Descriptor
149
The Password File
151
The Financial Plan
152
The Business Plan
154
The NoInvoker Servlet
156
Configuring Tomcat to Use SSL
156
WebClient: Talking to Web Servers Interactively
Signing a Server Certificate

167
Exporting the CA Certificate
170
Using WebClient with Tomcat and SSL
175

5.1

178

Combining Container-Managed
and Programmatic Security
180
Security Role References
182
Example: Combining Container-Managed
and Programmatic Security
183
Handling All Security Programmatically
188
Example: Handling All Security Programmatically
Using Programmatic Security with SSL
195
Determining If SSL Is in Use
195
Redirecting Non-SSL Requests
195
Discovering the Number of Bits in the Key
196
Looking Up the Encryption Algorithm

196
Accessing Client X.509 Certificates
197
Example: Programmatic Security and SSL
197

SERVLET AND JSP FILTERS

164

190

202

Creating Basic Filters
204
Create a Class That Implements the Filter Interface
Put the Filtering Behavior in the doFilter Method
Call the doFilter Method of the FilterChain Object

205
206
206

ix


x

Contents


5.2
5.3
5.4
5.5
5.6
5.7
5.8
5.9
5.10

5.11
5.12
5.13
5.14

6

Register the Filter with the Appropriate
Servlets and JSP Pages
207
Disable the Invoker Servlet
209
Example: A Reporting Filter
210
Accessing the Servlet Context from Filters
217
Example: A Logging Filter
218
Using Filter Initialization Parameters

221
Example: An Access Time Filter
223
Blocking the Response
226
Example: A Prohibited-Site Filter
227
Modifying the Response
234
A Reusable Response Wrapper
235
Example: A Replacement Filter
237
A Generic Modification Filter
237
A Specific Modification Filter
239
Example: A Compression Filter
245
Configuring Filters to Work with RequestDispatcher
Example: Plugging a Potential Security Hole
253
The Complete Filter Deployment Descriptor
260

THE APPLICATION EVENTS FRAMEWORK
6.1

251


266

Monitoring Creation and Destruction
of the Servlet Context
270
6.2 Example: Initializing Commonly Used Data
271
6.3 Detecting Changes in Servlet Context Attributes
277
6.4 Example: Monitoring Changes to
Commonly Used Data
278
6.5 Packaging Listeners with Tag Libraries
288
6.6 Example: Packaging the Company Name Listeners
290
6.7 Recognizing Session Creation and Destruction
297
6.8 Example: A Listener That Counts Sessions
298
Disabling Cookies
305
6.9 Watching for Changes in Session Attributes
306
6.10 Example: Monitoring Yacht Orders
307


Contents


6.11 Identifying Servlet Request
Initialization and Destruction
314
6.12 Example: Calculating Server Request Load
315
6.13 Watching Servlet Request for Attribute Changes
322
6.14 Example: Stopping Request Frequency Collection
323
6.15 Using Multiple Cooperating Listeners
325
Tracking Orders for the Daily Special
326
Resetting the Daily Special Order Count
334
6.16 The Complete Events Deployment Descriptor
339

7

TAG LIBRARIES: THE BASICS
7.1

346

Tag Library Components
348
The Tag Handler Class
348
The Tag Library Descriptor File

349
The JSP File
352
7.2 Example: Simple Prime Tag
353
7.3 Assigning Attributes to Tags
357
Tag Attributes: Tag Handler Class
357
Tag Attributes: Tag Library Descriptor
358
Tag Attributes: JSP File
359
7.4 Example: Prime Tag with Variable Length
359
7.5 Including Tag Body in the Tag Output
362
Tag Bodies: Tag Handler Class
362
Tag Bodies: Tag Library Descriptor
363
Tag Bodies: JSP File
363
7.6 Example: Heading Tag
364
7.7 Example: Debug Tag
368
7.8 Creating Tag Files
371
7.9 Example: Simple Prime Tag Using Tag Files

372
7.10 Example: Prime Tag with Variable
Length Using Tag Files
374
7.11 Example: Heading Tag Using Tag Files
376

xi


xii

Contents

8

TAG LIBRARIES: ADVANCED FEATURES

378

8.1
8.2
8.3

Manipulating Tag Body
380
Example: HTML-Filtering Tag
381
Assigning Dynamic Values to Tag Attributes
385

Dynamic Attribute Values: Tag Handler Class
385
Dynamic Attribute Values: Tag Library Descriptor
386
Dynamic Attribute Values: JSP File
386
8.4 Example: Simple Looping Tag
387
8.5 Assigning Complex Objects
as Values to Tag Attributes
391
Complex Dynamic Attribute
Values: Tag Handler Class
391
Complex Dynamic Attribute
Values: Tag Library Descriptor
391
Complex Dynamic Attribute Values: JSP File
392
8.6 Example: Table Formatting Tag
393
8.7 Creating Looping Tags
398
8.8 Example: ForEach Tag
399
8.9 Creating Expression Language Functions
404
8.10 Example: Improved Debug Tag
407
8.11 Handling Nested Custom Tags

410
8.12 Example: If-Then-Else Tag
412

9

JSP STANDARD TAG LIBRARY (JSTL)
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.8
9.9
9.10

Installation of JSTL
420
c:out Tag
421
c:forEach and c:forTokens Tags
c:if Tag
424
c:choose Tag
425
c:set and c:remove Tags
427
c:import Tag

430
c:url and c:param Tags
433
c:redirect Tag
435
c:catch Tag
437

418

422


Contents

10

THE STRUTS FRAMEWORK: BASICS

440

10.1 Understanding Struts
441
Different Views of Struts
441
Advantages of Apache Struts (Compared to
MVC with RequestDispatcher and the EL)
442
Disadvantages of Apache Struts (Compared to
MVC with RequestDispatcher and the EL)

444
10.2 Setting Up Struts
446
Installing Struts
446
Testing Struts
448
Making Your Own Struts Applications
448
Adding Struts to an Existing Web Application
449
10.3 The Struts Flow of Control and the
Six Steps to Implementing It
450
Struts Flow of Control
450
The Six Basic Steps in Using Struts
454
10.4 Processing Requests with Action Objects
458
Understanding Actions
458
Example: One Result Mapping
463
Example: Multiple Result Mappings
470
Combining Shared Condition (Forward) Mappings
479
10.5 Handling Request Parameters with Form Beans
481

Struts Flow of Control: Updates for Bean Use
482
The Six Basic Steps in Using Struts
484
Understanding Form Beans
486
Displaying Bean Properties
488
Example: Form and Results Beans
490
10.6 Prepopulating and Redisplaying Input Forms
504
Struts Flow of Control
504
The Six Basic Steps in Using Struts
506
Using Struts html: Tags
508
Prepopulating Forms
510
Example: Prepopulating Forms
511

xiii


xiv

Contents


URL Design Strategies for Actions
523
Redisplaying Forms
525
Example: Redisplaying Forms
528

11

THE STRUTS FRAMEWORK: DOING MORE

538

11.1 Using Properties Files
539
Advantages of Properties Files
540
Struts Flow of Control—Updates for Properties Files
540
Steps for Using Properties Files
542
Example: Simple Messages
546
Dynamic Keys
552
Parameterized Messages
553
11.2 Internationalizing Applications
554
Loading Locale-Specific Properties Files

554
Setting Language Preferences in Browsers
554
Example: Internationalizing for
English, Spanish, and French
555
Results
556
11.3 Laying Out Pages with Tiles
558
Tiles Motivations
558
Prerequisites for Tiles
558
The Four Basic Steps in Using Tiles
560
Example: Simple Tiles
563
Handling Relative URLs
568
Example: e-boats Application
570
11.4 Using Tiles Definitions
582
Tiles Definitions Motivations
583
The Five Basic Steps in Using Tiles Definitions
583
Example: e-boats Application with Tiles Definitions
586



Contents

12

THE STRUTS FRAMEWORK:
VALIDATING USER INPUT

592

12.1 Validating in the Action Class
594
Struts Flow of Control
594
Performing Validation in the Action
596
Example: Choosing Colors and Font Sizes for Resume
599
12.2 Validating in the Form Bean
607
Struts Flow of Control
607
Performing Validation in the ActionForm
609
Example: Choosing Colors and
Font Sizes for a Resume (Take 2)
612
Using Parameterized Error Messages
620

Example: Validation with Parameterized Messages
620
12.3 Using the Automatic Validation Framework
624
Manual versus Automatic Validation
624
Client-Side versus Server-Side Validation
624
Struts Flow of Control
625
Steps in Using Automatic Validation
627
Example: Automatic Validation
633

APPENDIX
DEVELOPING APPLICATIONS WITH APACHE ANT
A.1
A.2
A.3

A.4

Summarizing the Benefits of Ant
646
Installing and Setting Up Ant
646
Creating an Ant Project
648
Defining the Ant Project

648
Writing Targets
650
Assigning Tasks to Targets
651
Running an Ant Target
651
Reviewing Common Ant Tasks
652
The echo Task
652
The tstamp Task
653
The mkdir Task
654

644

xv


xvi

Contents

A.5
A.6
A.7

A.8


A.9

INDEX

The delete Task
654
The copy Task
656
The javac Task
658
Example: Writing a Simple Ant Project
661
Using Ant to Build a Web Application
668
Ant Dependencies
669
Example: Building a Web Application
670
The prepare Target
670
The copy Target
671
The build Target
672
Using Ant to Create a WAR File
675
The jar Task
676
The manifest Task

678
Example: Creating a Web Application WAR File
The war Target
679

683

679


Chapter

Introduction

Suppose your company wants to sell products online. You have a database that gives
the price and inventory status of each item. However, your database doesn’t speak
HTTP, the protocol that Web browsers use. Nor does it output HTML, the format
Web browsers need. What can you do? Once users know what they want to buy, how
do you gather that information? You want to customize your site for visitors’ preferences and interests, but how? You want to keep track of user’s purchases as they shop
at your site, but what techniques are required to implement this behavior? When
your Web site becomes popular, you might want to compress pages to reduce bandwidth. How can you do this without causing your site to fail for those visitors whose
browsers don’t support compression? In all these cases, you need a program to act as
the intermediary between the browser and some server-side resource. This book is
about using the Java platform for this type of program.
“Wait a second,” you say. “Didn’t you already write a book about that?” Well, yes.
In May of 2000, Sun Microsystems Press and Prentice Hall released Marty Hall’s second book, Core Servlets and JavaServer Pages. It was successful beyond everyone’s
wildest expectations, selling approximately 100,000 copies, getting translated into
Bulgarian, Chinese simplified script, Chinese traditional script, Czech, French, German, Hebrew, Japanese, Korean, Polish, Russian, and Spanish, and being chosen by
Amazon.com as one of the top five computer programming books of 2001. What fun!
Since then, use of servlets and JSP has continued to grow at a phenomenal

rate. The Java 2 Platform has become the technology of choice for developing
e-commerce applications, dynamic Web sites, and Web-enabled applications and
service. Servlets and JSP continue to be the foundation of this platform—they provide the link between Web clients and server-side applications. Virtually all major
xvii


xviii

Introduction

Web servers for Windows, UNIX (including Linux), Mac OS, VMS, and mainframe
operating systems now support servlet and JSP technology either natively or by
means of a plug-in. With only a small amount of configuration, you can run servlets
and JSP in Microsoft IIS, the Apache Web Server, IBM WebSphere, BEA
WebLogic, Oracle Application Server 10g, and dozens of other servers. Performance of both commercial and open-source servlet and JSP engines has improved
significantly.
To no one’s surprise, this field continues to grow at a rapid rate. As a result, we
could no longer cover the technology in a single book. Core Servlets and JavaServer
Pages, Volume 1: Core Technologies, covers the servlet and JSP capabilities that you
are likely to use in almost every real-life project. This book, Volume 2: Advanced
Technologies, covers features that you may use less frequently but are extremely valuable in robust applications. For example,
•

•

•

•

•


•

Deployment descriptor file. Through the proper use of the
deployment descriptor file, web.xml, you can control many aspects of
the Web application behavior, from preloading servlets, to restricting
resource access, to controlling session time-outs.
Web application security. In any Web application today, security is a
must! The servlet and JSP security model allows you to easily create
login pages and control access to resources.
Custom tag libraries. Custom tags significantly improve the design
of JSPs. Custom tags allow you to easily develop your own library of
reusable tags specific to your business applications. In addition to
creating your own tags, we cover the Standard Tag Library (JSTL).
Event handling. With the events framework, you can control
initialization and shutdown of the Web application, recognize
destruction of HTTP sessions, and set application-wide values.
Servlet and JSP filters. With filters, you can apply many pre- and
post-processing actions. For instance, logging incoming requests,
blocking access, and modifying the servlet or JSP response.
Apache Struts. This framework greatly enhances the standard
model-view-controller (MVC) architecture available with servlets and
JSPs. More importantly, Apache Struts still remains one of the most
common frameworks used in industry.

Who Should Read This Book
The main audience is developers who are familiar with basic servlet and JSP technologies, but want to make use of advanced capabilities. As we cover many topics in this
book—the deployment descriptor file, security, listeners, custom tags, JSTL, Struts,



Introduction

Ant—you may want to first start with the technologies of most interest, and then later
read the remaining material. Most commercial servlet and JSP Web applications take
advantage of the technologies presented throughout, thus, at some point you may
want to read the complete book.
If you are new to servlets and JSPs, you will want to read Core Servlets and JavaServer Pages, Volume 1: Core Technologies. In addition to teaching you how to install
and configure a servlet container, Volume 1 provides excellent coverage of the servlet
and JSP specifications. Volume 1 provides the foundation material to this book.
Both books assume that you are familiar with basic Java programming. You don’t
have to be an expert Java developer, but if you know nothing about the Java programming language, this is not the place to start. After all, servlet and JSP technology is an
application of the Java programming language. If you don’t know the language, you
can’t apply it. So, if you know nothing about basic Java development, start with a
good introductory book like Thinking in Java, Core Java, or Core Web Programming,
all from Prentice Hall.

Conventions
Throughout the book, concrete programming constructs or program output are presented in a monospaced font. For example, when abstractly discussing server-side
programs that use HTTP, we might refer to “HTTP servlets” or just “servlets,” but
when we say HttpServlet we are talking about a specific Java class.
User input is indicated in boldface, and command-line prompts are either generic
(Prompt>) or indicate the operating system to which they apply (DOS>). For
instance, the following indicates that “Some Output” is the result when “java
SomeProgram” is executed on any platform.
Prompt> java SomeProgram
Some Output

URLs, file names, and directory names are presented in a sans serif font. So, for
example, we would say “the StringTokenizer class” (monospaced because we’re
talking about the class name) and “Listing such and such shows SomeFile.java” (sansserif because we’re talking about the file name). Paths use forward slashes as in

URLs unless they are specific to the Windows operating system. So, for instance, we
would use a forward slash when saying “look in install_dir/bin” (OS neutral), but use
backslashes when saying “see C:\Windows\Temp” (Windows specific).
Important standard techniques are indicated by specially marked entries, as in the
following example.

xix


xx

Introduction

Core Approach
Pay particular attention to items in Core Approach sections. They
indicate techniques that should always or almost always be used.

Core Notes and Core Warnings are called out in a similar manner.

About the Web Site
The book has a companion Web site at
site includes:
•
•
•
•
•

This free


Documented source code for all examples shown in the book, which
can be downloaded for unrestricted use.
Links to all URLs mentioned in the text of the book.
Up-to-date download sites for servlet and JSP software.
Information on book discounts.
Book additions, updates, and news.


Acknowledgments

Many people helped us with this book. Without their assistance, we would still be on
the second chapter. Chuck Cavaness (Cypress Care, Inc.), Bob Evans (JHU Applied
Physics Laboratory), Randal Hanford (Boeing), Kalman Hazins (JHU Applied Physics Laboratory), Michael Kolodny (Raba Technologies), Kyong Park (Raba Technologies), Eric Purcell (Lockheed-Martin), Ylber Ramadani (George Brown College),
and Richard Slywczak (NASA Glenn Research Center) provided valuable technical
feedback on many different chapters. Their recommendations improved the book
considerably.
Teresa Horton spotted our errant commas, awkward sentences, typographical
errors, and grammatical inconsistencies. She improved the result immensely. Vanessa
Moore designed the book layout and produced the final version; she did a great job
despite our many last-minute changes. Greg Doench of Prentice Hall believed in the
concept from before the first edition and encouraged us to write a second edition.
Thanks to all.
Most of all, Marty would like to thank B.J., Lindsay, and Nathan for their patience
and encouragement. Larry would like to thank Lee for her loving and unfailing support. Yaakov would like to thank the Almighty for shining His grace and mercy upon
him every day; his parents, Mr. Ilia and Mrs. Galina Khaikin, who in the ’80s had the
vision to take him to his first programming class when he was just 13 years old; his
children, Moshe and Esther Miriam, who bring challenge and joy into his life; and of
course his wife, Perel, for her constant loving support and encouragement. God has
blessed us with great families.


xxi


About the Authors

Marty Hall is president of coreservlets.com, Inc., a small company that provides
training courses and consulting services related to server-side Java technology. He
also teaches Java and Web programming in the Johns Hopkins University part-time
graduate program in Computer Science, where he directs the Distributed Computing and Web Technology concentration areas. Marty is the author of five books
from Prentice Hall and Sun Microsystems Press: the first and second editions of
Core Servlets and JavaServer Pages, More Servlets and JavaServer Pages, and the
first and second editions of Core Web Programming. You can reach Marty at

Larry Brown is a Network and Systems manager at a U.S. Navy Research and
Development laboratory. He is the co-author of the second editions of Core Web
Programming, also from Prentice Hall and Sun Microsystems Press. You can reach
Larry at
Yaakov Chaikin is a senior consultant at a software development company
based in Columbia, MD. Besides his day job, he teaches Web development
technologies at the graduate Computer Science program of Loyola College in
Maryland, where he heads the Web Development track. At times, he also helps
his wife with her Web/graphic design business, tbiq.com. Yaakov can be reached
at

xxii


core
SERVLETS AND
JAVASERVER PAGES

VOLUME 2–ADVANCED TECHNOLOGIES
SECOND EDITION


USING AND
DEPLOYING WEB
APPLICATIONS

Topics in This Chapter
• The purpose of Web applications
• The structure of Web applications
• Web application registration
• Development and deployment strategies
• WAR files
• Web application data sharing