Verifying User Input Using JSP Tag Libraries
Currently, more and more online applications rely on server-side validation, mainly because it guarantees checking and improves application security, but also because server hardware and software performance have significantly improved in recent years, and because it allows for greater flexibility of the program and sometimes is easier to implement.
In this article, I will describe a unique way of using a Java JSP tab library for server-side verification, and briefly describe the creation of JSP tags. The examples will build upon a Web application from my previous article "Applying MVC to web-based applications with JSP views"—a simple project that displays weather information after users submit a ZIP code or city name. The application followed Model-View-Controller (MVC) architecture and used the Tomcat application server.
In an enterprise-level application, data validation is a required part of the security process. Not only do applications have to catch empty or partial fields, but also have to guard against erroneous entries. If data is submitted into a RDBMS store or any other persistent storage and is used in SQL statements, users can accidentally (or purposely) submit bad data that can result in invalid SQL statements. A malicious user can even post escape strings or put specific data in the submit form to perform an operation not originally designed by the Web application developer. For example, they can delete a row or table from the database or get any information they want.
The JSP pages where I've implemented validation are "Views" in the MVC design, part of the online weather program. Each JSP view either submits or displays data. When form with a ZIP code or city name is submitted, information is posted to the server, where a Controller Servlet object performs an action based on a specific action key parameter from the JSP, and redirects to the next View. But, more detail on this later; let's look at the workings of JSP tags.
You can think of the JSP tag as a custom action that is performed by Java code running on the server. In the JSP, a tag looks like a standard HTML tag except its logic is not executed on the client side, but on the server side as part of the Servlet into which a JSP is converted. Each tag is encapsulated in a separate class and its name and parameter attributes are indicated in a special deployment descriptor file with a tld extension. This file should be placed under the web-app directory WEB-INF in your application server, and indicated for use in JSP with a <%@taglib ... %> directive and in a web.xml file. When a JSP engine encounters a custom tag, it checks to see whether it knows where that the tag class is, and if it does, it executes the corresponding code. The tag classes are usually put into a jar file and placed under the lib directory under WEB-INF.
Ex. ..\WEB-INF\mytags.tld - deployment descriptor file
Ex. ..\WEB-INF\lib\mytags.jar tag library (or a full directory structure)
To show how to use tags for validation, I've created a custom JSP tag to validate the ZIP code field, named notValidZip. Tags, however, can perform any action, such as HTML formatting, field manipulation, or even database queries. For other checks, I use a tag library from Coldbeans Software (http://www.servletsuite.com), which is free for non-commercial use, and has extremely practical tags for the validation of HTML form fields. If you need to use tags on a commercial site, you can always write your own or purchase them.
Here is a part of the deployment descriptor file validtag.tld that deals with my notValidZip tag:
It indicates that the name is notValidZip, its code is in the com.cj.valid.notValidZip class, and it has two attributes, one required and one optional.
To let the Web application know that I'm including a custom tag library, I added its information to the web.xml deployment descriptor file. Here is the code that does it:
And, finally, to include this tag library in the JSP, I added this line at the beginning on my JSP page:
Now, I can use any tag from that package by writing its <prefix> : <tag name>; for example:
Tags usually have a body and optional attributes.
<!-- body -->
But some tags may not have a body; for example <valTag:tagname />.
You can write any prefix you want when defining a tag library, but tag names must match names in the tld file.
As I said, the actual verification logic is done in a Java class also called "notValidZip", located in the tag lib jar file. The tag class extends the abstract TagSupport classes and imports the javax.servlet.jsp.JspException, javax.servlet.jsp.tagext. Tag, and javax.servlet.jsp.tagext.TagSupport classes. The main action logic is in the doStartTag() method, which is called when the JSP engine encounters my new tag.
The integer code returned by this method tells the JSP engine whether or not it should do the body of the tag. See Listing 1 at the end of this article.
So, let's review. First, you write the tag class, put it in the jar file under web-application 'lib' directory, create a deployment descriptor file for the tag, update the web.xml file with its location information, and use it in your JSPs by including it with taglib directive. If I need to do my ZIP code verification in multiple places, all I have to do is include my tag in multiple pages. See Listing 2.