August 28, 2015
Hot Topics:

Verifying User Input Using JSP Tag Libraries

  • December 11, 2003
  • By Vlad Kofman
  • Send Email »
  • More Articles »

In any Web-based application where program logic requires information submitted by the user to be validated, the creators of the application can check data in two ways. The first method is to do validation on the client side, even before anything is submitted to the server. Usually, this is done using JavaScript running in the client's Internet browser. While the form is being submitted, the script will check all required fields and pop up error messages in case of any discrepancies. The second way is to do validation on the server side, before performing any operation with the data, using the technology that the application server supports.

Server-side verification puts more strain on the server, but gives programmer more control, and guarantees that data will be checked. Client-side verification can easily be circumvented by the user (by disabling JavaScript), therefore allowing unchecked information to be submitted, but could be faster, because users don't have to post and get pages from the server.

Currently, more and more online applications rely on server-side validation, mainly because it guarantees checking and improves application security, but also because server hardware and software performance have significantly improved in recent years, and because it allows for greater flexibility of the program and sometimes is easier to implement.

In this article, I will describe a unique way of using a Java JSP tab library for server-side verification, and briefly describe the creation of JSP tags. The examples will build upon a Web application from my previous article "Applying MVC to web-based applications with JSP views"—a simple project that displays weather information after users submit a ZIP code or city name. The application followed Model-View-Controller (MVC) architecture and used the Tomcat application server.

Validation Process

In an enterprise-level application, data validation is a required part of the security process. Not only do applications have to catch empty or partial fields, but also have to guard against erroneous entries. If data is submitted into a RDBMS store or any other persistent storage and is used in SQL statements, users can accidentally (or purposely) submit bad data that can result in invalid SQL statements. A malicious user can even post escape strings or put specific data in the submit form to perform an operation not originally designed by the Web application developer. For example, they can delete a row or table from the database or get any information they want.

The JSP pages where I've implemented validation are "Views" in the MVC design, part of the online weather program. Each JSP view either submits or displays data. When form with a ZIP code or city name is submitted, information is posted to the server, where a Controller Servlet object performs an action based on a specific action key parameter from the JSP, and redirects to the next View. But, more detail on this later; let's look at the workings of JSP tags.

JSP Tags

You can think of the JSP tag as a custom action that is performed by Java code running on the server. In the JSP, a tag looks like a standard HTML tag except its logic is not executed on the client side, but on the server side as part of the Servlet into which a JSP is converted. Each tag is encapsulated in a separate class and its name and parameter attributes are indicated in a special deployment descriptor file with a tld extension. This file should be placed under the web-app directory WEB-INF in your application server, and indicated for use in JSP with a <%@taglib ... %> directive and in a web.xml file. When a JSP engine encounters a custom tag, it checks to see whether it knows where that the tag class is, and if it does, it executes the corresponding code. The tag classes are usually put into a jar file and placed under the lib directory under WEB-INF.

Ex. ..\WEB-INF\mytags.tld - deployment descriptor file

Ex. ..\WEB-INF\lib\mytags.jar tag library (or a full directory structure)

To show how to use tags for validation, I've created a custom JSP tag to validate the ZIP code field, named notValidZip. Tags, however, can perform any action, such as HTML formatting, field manipulation, or even database queries. For other checks, I use a tag library from Coldbeans Software (http://www.servletsuite.com), which is free for non-commercial use, and has extremely practical tags for the validation of HTML form fields. If you need to use tags on a commercial site, you can always write your own or purchase them.

Here is a part of the deployment descriptor file validtag.tld that deals with my notValidZip tag:





<info>testszip code</info>














It indicates that the name is notValidZip, its code is in the com.cj.valid.notValidZip class, and it has two attributes, one required and one optional.

To let the Web application know that I'm including a custom tag library, I added its information to the web.xml deployment descriptor file. Here is the code that does it:





And, finally, to include this tag library in the JSP, I added this line at the beginning on my JSP page:

<%@ taglib uri="/WEB-INF/validtag.tld"prefix="valTag" %>

Now, I can use any tag from that package by writing its <prefix> : <tag name>; for example:

<valTag:notValidZip value="<%=request.getParameter(\"ZIP\")%>">

 <!-- body -->


Tags usually have a body and optional attributes.

<valTag:tagnameattribute1="value1" attribute2="value2">

  <!-- body -->


But some tags may not have a body; for example <valTag:tagname />.

You can write any prefix you want when defining a tag library, but tag names must match names in the tld file.

As I said, the actual verification logic is done in a Java class also called "notValidZip", located in the tag lib jar file. The tag class extends the abstract TagSupport classes and imports the javax.servlet.jsp.JspException, javax.servlet.jsp.tagext. Tag, and javax.servlet.jsp.tagext.TagSupport classes. The main action logic is in the doStartTag() method, which is called when the JSP engine encounters my new tag.

The integer code returned by this method tells the JSP engine whether or not it should do the body of the tag. See Listing 1 at the end of this article.

So, let's review. First, you write the tag class, put it in the jar file under web-application 'lib' directory, create a deployment descriptor file for the tag, update the web.xml file with its location information, and use it in your JSPs by including it with taglib directive. If I need to do my ZIP code verification in multiple places, all I have to do is include my tag in multiple pages. See Listing 2.

Page 1 of 2

Comment and Contribute


(Maximum characters: 1200). You have characters left.



Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

Sitemap | Contact Us

Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel