My application is a Spring MVC application, does not use annotations (its quite an old application though it uses spring 3.1.1).
I have a JSP page that can be invoked via a tool like curl or directly from the web browser URL. The URL accepts a request parameter called location
http://localhost:8080/testdomain/registeruser.do?mylocation=fr
On invoking the above url, I call an implementation of SimpleFormController that reads the request parameter "mylocation"
How do I html encode the request parameter "mylocation". Before reading the parameter from the request [request.getParameter("mylocation")] in my controller, would is suffice if I call HtmlUtils.htmlEscape(request.getParameter("mylocation"))
Please note there is no form backing the input parameter for mylocation, as outlined earlier I could call this from a command line tool or browser URL.
There are two different things:
1) URL encoding/decoding - it is only to allow passing GET parameters to the server. Encoding is needed because server need to escape some special characters "?" , "&" in query string.
It is usually handled by web server like Tomcat.
2) And to prevent XSS you can use Jsoup. It is only needed if you will present value from parameter on the web page.
Some frameworks, like JSF can prevent XSS automatically. They can escape HTML when it is displayed on the web page.
Related
I would like to read jsp page from my application and save it to a file - it's output, not the code itself. Plus, my application has basic authentication (username+password).
If it was a Servlet, I could just access it's doGet method.
One solution I've found is this - Open URL connection, provide authentication details and read the stream.
I'm wondering if there's another option, maybe accessing the generated Servlet in the web container and then using reflection to call the class doGet.
You can precompile the JSP and then call the servlet (you don't have to use reflection even).
If you try to call the JSP's servlet without precompiling then it might not exit yet (because usually the server only compiles the JSP after it was called for the first time).
To precompile the JSP, check your web server documentation.
Personally I think you're better of using URL connection. Precompiling JSPs is not portable (as in you need to do it in a different way for each web server).
Edit
You can also use RequestDispatcher.include() method with a wrapped response object as described in this answer.
As a developer of Java web application, when do I need to use URL Rewriting and what is the difference between URL Rewriting and Forwarding?
I searched on other websites, I get contradictory information depending upon whom you are talking to like SEO people would answer this question differently.
AFAIK in both cases the client (browser) is not informed of the change and the end user sees exactly same URL that the client originally requested when the repose is returned from the server.
Please that this question is in the context of Java Servlet API in which forward method and sendRedirect methods are defined in which redirecting and forwarding are completely 2 different things. This question is about the difference between forward (as defined by forward method in the Servlet API's) and URL rewriting. The question clearly states that the answer should be in the context of Java servlet. Most importantly when do I need to use URL rewriting, again in the context of developing Java web application.
The term "forwarding" is ambiguous in this question. In JSP/Servlet world, "forwarding" is more known from the MVC concept that the request URL (as visible in browser address bar) effectively calls the servlet (as matched by its URL pattern in web.xml or #WebServlet) which acts as a controller to prepare the model and uses a JSP as view to present the model. That JSP in turn is been called by "forwarding". This is done by RequestDispatcher#forward():
request.getRequestDispatcher("/WEB-INF/foo.jsp").forward(request, response);
This does indeed not reflect the JSP's URL in the browser address bar. This takes place entirely server side. Basically, the servlet "loads" the JSP and passes the request/response to it so that it can do its job of generating the HTML stuff. Note that the JSP in the above example is hidden in /WEB-INF folder which makes it inaccessible for endusers trying to enter its full path in browser address bar.
In general web development world, the term "forwarding" is also known from "URL forwarding" which is essentially the same as URL redirection. This in turn indeed causes a change in the browser address bar. This is in JSP/Servlet world more formally known as "redirecting" (although most starters initially confuse it with "forwarding"). This is done by HttpServletResponse#sendRedirect():
response.sendRedirect("another-servlet-url");
Basically, the server tells the client by a HTTP 3nn response with a Location header that the client should make a new GET request on the given Location. The above is effectively the same as the following:
response.setStatus(302);
response.setHeader("Location", "another-servlet-url");
As it's the client (the webbrowser) who is been instructed to do that job, you see this URL change being reflected back in the browser address bar.
The term "URL rewriting" is also ambiguous. In JSP/Servlet world, "URL rewriting" is the form of appending the session ID to the URL so that cookieless browsers can still maintain a session with the server. You'll probably ever have seen a ;jsessionid=somehexvalue attribute in the URL. This is by default not done automatically, but most Servlet based MVC frameworks will do it automatically. This is done by HttpServletResponse#encodeURL() or encodeRedirectURL():
String encodedURL = response.encodeURL(url); // or response.encodeRedirectURL(url)
// Then use this URL in links in JSP or response.sendRedirect().
(Which in turn is -again- an ambiguous term. With "URL encoding" you'd normally think of percent encoding. There's no Servlet API provided facility for this, this is normally to be done by URLEncoder#encode() or, MVC-technically more correct, in the JSP by JSTL's <c:url> and <c:param> or any UI component provided by the servlet-based MVC framework, such as JSF's <h:outputLink>)
In general web development world (especially with Apache HTTPD / PHP folks), "URL rewriting" is more known as whatever Apache HTTPD's mod_rewrite is doing: mapping incoming URLs to the concrete resources without reflecting the URL change in the client side. In JSP/Servlet world this is also possible and it's usually done by a Filter implementation which uses RequestDispatcher#forward(). A well known implementation is the Tuckey's URLRewriteFilter.
I admit that this has also confused me for long when I just started with JSP/Servlet, for sure while having my roots in the Apache HTTPD / PHP world.
Rewriting is a layer (often before your servlet) that causes a URL to be handled like a different URL by modifying the URL before the request is served. The servlet responds through a single request as if the rewritten URL was requested, usually having never known the rewrite occured.
Forwarding (or redirection) is performed by the browser (typically automatically) when instructed by the server via some 3xx error codes (when redirection is allowed by the client). In this case two requests would be served (not necessarily both from your servlet); the first responding with an error code and a URL to redirect to, and the second serving the proper request after the client redirects.
I wrote custom servlet in Liferay and want to know which user page calls it and know other parameters like theme. But the request's attributes and session fields are all nulls.
How to make custom servlet to receive request as if portlet does?
Thanks
P.S. I don't want to use this solution https://www.everit.biz/web/guest/blog/-/blogs/getting-current-liferay-user-in-a-standalone-webapp?_33_redirect=/web/guest/blog
which reads cookies manually. I want to do such as Liferay does, i.e. by using it's API. Is it possible?
Update 1.
I have a portlet and a servlet in one WAR. I can know who am I (logged in user) from within portlet JSP like this:
HttpServletRequest request = (HttpServletRequest)pageContext.getRequest();
ThemeDisplay themeDisplay = (ThemeDisplay)request.getAttribute(WebKeys.THEME_DISPLAY);
themeDisplay.getUser()
Now I want to do the same from a servlet. Is it possible?
I am working in eclips which deploys automatically.
You either have to mimic what Liferay does in the portlet request handling (not recommended) or, alternatively, put your servlet code into a portlet - this can be the "resource handling" of a portlet - here you get full access to the http request and can do everything yourself with regards to data types transmitted in the stream.
I'd rather recommend this as it will be significantly easier to upgrade. Portlet Resource Handler are very similar to servlets from a logical point of view. There might be other (more advisable) options, but this is what comes to my mind for this type of problem.
I have a simple web application running in Tomcat. There is a servlet which is forwarding the request and response to a jsp page which in turn prints something to the browser.
Now I have an aspect which captures the response. In this case a HttpServletResponse. Now what I want to do is that I want to capture the reponse and add some content in it to be displayed in the browser through JSP page.
I dont want to add the content in the jsp page rather I want to add some content without changing my jsp or servlet, using runtime weaving functionality of aspectJ.
I have not been able to figure out any solution yet.Please help me with this.Thanks.
We don't do that with the response. Request object is a better candidate for that. You must understand that JSP is a server-side technology, therefore your request used to be alive in the JSP page.
Moreover, I would suggest you to look at Servlet Filters, those are meant for this kinda scenarios.
UTIL.getServletPath("/SetupPage?PG=setupusersettings") %>">
What is SetupPage. Is it an directory?
Why ? is used?
What is PG?
setupusersettings is an jsp page, all i can find and it will redirect to that page.
you need to learn the basics of web programming. You can find millions of stuffs on Web about it. Shortly;
/SetupPage?PG=setupusersettings
SetupPage seems like a web application, you requested. Basicly, as soon as you call /SetupPage, the request will be sent to this application.
"?" is a seperator. after that, you can send parameters (you can send parameters using HTTP GET/POST) to this application. In this case, the name of parameter is PG and the value "setupusersettings". For exampe, you can access the value of this parameter in your web application
Google "Web programming java servlet tutorial"
Regards.
If you click on the resulting link (URL) it will (literally) "call the resource /SetupPage with the attribute/value pair [PG -> setupusersettings]".
PG is an attribute name (could be an acronym for Page).
Look for a resource named "SetupPage.???" (could be a python/perl script or any other executable file). You may have to look at the http servers configuration files to get the local location of this file. The redirection to is most probably done by this executable.