I have been using JSTL to fetch values from my database and display it in my jsp page using a similar code as shown below.
<sql:setDataSource
var="myDS"
driver="com.mysql.jdbc.Driver"
url="jdbc:mysql://localhost:3306/mydb"
user="root" password="secret"
/>
<sql:query var="list_users" dataSource="${myDS}">
SELECT * FROM users;
</sql:query>
<c:forEach var="user" items="${listUsers.rows}">
<c:out value="${user.name}" />
<c:out value="${user.email}" />
<c:out value="${user.profession}" />
</c:forEach>
My team leader advised me that it is not a good practice to put queries in the jsp page directly. Since there is a database name and username and password in this code I'm not sure if this code implements proper security. I would like to know your thoughts on the matter, and if there is any alternative to do this using JSTL itself.
Since JSTL is executed on server side, there's no security hole because the query cannot be seen by clients of the application. There are other problems with this approach:
The query is not reusable. If you need it in other pages, you will need to repeat the query. When you have simple queries like this one you cannot check the problem, but this arises with more complex statements that needs parameters as well.
You're creating a connection manually per page! This will slow your application. Use a proper datasource for a database connection pool configured as a resource or programatically (C3PO or BoneCP, for example)
Move all your database code into proper Data Access Layer classes. And use <sql> for JSTL for learning purposes only, not for real world applications.
More info:
How to use JSTL sql tag
Retrieve values from JDBC and use JSTL tags to call the methods
Should a database connection stay open all the time or only be opened when needed?
You should really do your query in your java class, not in the jsp, like your team leader advised.
On the security side it doesn't really matter, all the code is available on the server, jsp or java. The sql tag shouldn't output that information in the generated page.
But really the question is more about the right use of the technologies:
jsp is used as a template, it should take data and show them to the end user. Some basic operation can be done life looping on data list or formating data, but this should be only specific to the view you want to make
java controler is used to recuperate data and configure the view as needed like which jsp to use and which data to send in that jsp
Related
I have a very simple project Parking Space Booking System made in PHP. I have to change it to Java. I've passed HTML5 form values (number of space, start date, end date, name, phone) according to this tutorial:
https://netbeans.org/kb/docs/web/quickstart-webapps.html
I printed them in response.js file<jsp: getProperty name="mybean" property="x" /> where x is name/number/start/end/phone -> for each separate line and those values are properly send from HTML5 and displayed. My question is now if I want to make logic operations should I use tag <% %> and put ther Java code like in PHP and <? ?> tag? Will I be able use then JDBC within <% %> and connect / send data / user queries to MySQL server?
Have you tried it? In theory you should be able to.
Also, does it have to be plain JSP with Scriptlet? You could use Servlets, which are pretty simple to use (especially with #WebServlet annotation, here you can find a few examples). And then separate your logic into layers: View, Controller, Model or any other layer separation that you find it useful.
Avoid <% %> and use html form actions.
I have an attribute which I have forwarded from a servelet to a jsp file and while I can use this object with EL I'd like to know how to access it inside the java tags. An example is something like the following:
Searching for "${search_phrase}" returned
<c:forEach var="video" items="${results}">
${video.getVideoName()}
${video.getVideoID()}
</c:forEach>
So results here is an ArrayList of type Video which is forwarded from a servlet to a jsp
I would like to access this ArrayList inside <% %> tags in order to perform some more involved tasks that I cant do with EL.
Anybody know how to do this?
On a side note, this ArrayList I'm creating could potentially get large. Where is this stored? On the server or in some users temp files? If it's stored in server memory does it get cleaned after some period of time / an event such as the user that requested the ArrayList closes connection to server?
It all depends where you stored the list. If you stored it in a request attribute (and not anywhere else), then it will be eligible to garbage-collection when the request has been handled.
If you stored it in a session attribute, then it will be stored in the server memory (and/or the file system or the database depending on the container configuration) until the session times out or is invalidated, or until you remove it. HTTP is a stateless protocol. The user doesn't have a connection to the server.
Java code between <% %> is not a java tag. It's scriptlet, and should not be used in a JSP. If you need to do something that EL or JSP tags can't do easily, then either
write a custom JSP tag yourself, put the Java code in this JSP tag, and invoke the tag from the JSP, or
or write a custom EL function, and invoke this function from the JSP
or prepare the work in a controller (servlet, MVC framework action) before dispatching to the JSP, so that the JSP can generate the markup easily.
The list is accessible using the getAttribute method corresponding to the setAttribute method you used to store the list:
HttpServletRequest.setAttribute() --> HttpServletRequest.getAttribute()
HttpSession.setAttribute() --> HttpSession.getAttribute()
ServletContext.setAttribute() --> ServletContext.getAttribute()
I think you should use something like
<c:forEach var="video" items="${results}">
<c:forEach var="videoType" items="${video.types}"> //suppose videoType is an object
<c:out value="${videoTypeDetails}" />
</c:forEach>
</c:forEach>
I'm starting building web apps in Spring 3 (and in J2EE) in general.
Looking at the petclinic example I've seen that the programmer creates many JSP pieces, like header, includes, footer and then stitches them together using static inclusion. Anyway what I'd like is that I may have a base page, like Base.jsp and be able to include things like this:
<body>
<jsp:include page="${subpage}"></jsp:include>
</body>
the reason is that I'd like a main page, then being able to put in the ModelAndView returned by the controller which parts of the pages display in each situation (with the data attached to it). This works, but it gives no errors in case ${subpage} is not found, the jsp name is wrong or missing. I'd like more error checking...
Is this the best and recommended way to do this? And if this seems a good idea for what I've in mind, what's the correct way of doing it?
You might want to use Apache Tiles 2 integration for managing your JSP files. Spring has good integration support Apache Tiles. It also shows if there's an error in your page. I've put an example of it at http://krams915.blogspot.com/2010/12/spring-mvc-3-tiles-2-integration.html
It appears you have additional quotes in your subpage. Get rid of them. For example:
<c:set var="subpage" value="/jsp/index.jsp" />
If you have to set it in a controller or servlet - just use request.setAttribute("subpage", "/jsp/index.jsp")
For error checking you can use:
<c:catch var="myException">
<c:import url="${subpage}" />
</c:catch>
and later you can check it with:
<c:if test="${myException != null}">
...
</c:if>
Take a look at Sitemesh (http://www.opensymphony.com/sitemesh). It is a servlet filter-based page layout system that is easy to use. I have done a number of projects using it with Spring MVC and it worked very well.
Suppose an example. I have following interface:
public interface DataSource<T> {
Future<T> fetch();
}
This datasource can do asynchronous data fetching. And we have following tag for using datasource in JSP:
<html>
<d:fetch from="${orderDS}" var="orders">
<c:foreach in="${orders}" var="order">
<div class="order">
<c:out value="${order.title}" />
</div>
</c:foreach>
</d:fetch>
</html>
So, what I want? I want JSP rendering engine to call my custom tag (FetchTag in this example) twice. On first call FetchTag will do DataSource.fetch() call and save Future locally as a object field. On second call FetchTag do Future.get() call and will be blocked until data becomes available.
Is there any way to do such a thing?
I think a better design would not try to alter JSP rendering. Put all that database code on the server side, where it belongs, and use an AJAX call to get that data from a server-side component.
In general, I've found that embedding stuff in custom tag libraries is a bad idea. JSTL and/or Spring tag libraries are all that I need. If I feel like my UI needs to do more, I'm thinking about it incorrectly.
For JS disabled clients, I'd just make them do the round trip for the data and not try to do it in the background. Give them a choice: wait or turn on JS.
Is there a cleaner way to do this in a JSP/Struts1 setup ?
... some HTML here ...
EDIT: In admin mode I would like to have access to additional parameters from a form element,
e.g. from the form element:
input type="text" value="Test user" name="Owner"
EDIT 2: Actually, my problem is very similar to the question that was asked in : Conditionally Render In JSP By User
But I don't really get the "pseudo-code" from the likely answer
Is SessionConfig exposed as a bean in your JSP (as part of request / session / Struts Form)?
If it's not, you can expose it. And if it's a static class containing global settings (which, by the looks of it, is a possibility), you can create a small wrapper and put it in the servlet context which you'd then be able to access from Struts tags as scope="application".
Once that's done you can check your condition via Struts tags:
<logic:equal name="sessionConfig" property="adminMode" value="true">
... your HTML here
</logic:equal>
Or, if you're using EL / JSTL, same can be done via <core:if>.
Without more information, it's hard to answer this, but I'd think instead of separate views: one for admin mode, one for normal mode. Extracting the parts of your pages into tiles will help you do this without a lot of pain; see: http://tiles.apache.org/