
Page 1: Java for enterprise networks

Version 2.3 Feb 2008

j.c.westlake@staffs.ac.uk

JSP Validation and Exception handling

• Why validate?
• Client side validation
• Server side validation
• Why catch exceptions?
• Exception handling in JSP
• Examples
• Context for the assignment
• Summary

Page 2: Input validation

• Why? Security! We want to stop people who are not recognised from getting into the system, and to stop malformed or hostile data from reaching the code and the database behind the form
• Input validation needs to be "airtight"
  – Use of regular expressions (http://www.regexlib.com/)
  – DIY validation routines
  – Input validation libraries
• Assume all input is malicious
• Constrain the possible inputs, e.g. length, character set, numeric range
• If necessary tidy up the input, i.e. strip off unwanted characters (rejecting is safer than repairing: a value you have "cleaned" is no longer the value you checked)
• Reject all input that does not meet your criteria: describe what is acceptable (an allow-list) rather than trying to enumerate what is bad
• Form validation - article (http://www.elated.com/articles/form-validation-with-javascript/)

Page 3: Input: When to do the validation?

• Two choices:
• Client side (i.e. the browser)
  – Reduces the work on the server
  – However, it can be disabled, avoided or interfered with: the user controls the browser, so anything checked there must be checked again on the server
• Server side
  – Has the advantage of being processed by the server before the data is sent on for further processing or storage, e.g. to a database
• If you give this some thought for web applications...
• They are using the request/response model
  – Industry tends to use JavaScript on the client – universal* to all browsers
  – PHP, Ruby, JSP or VBScript etc. on the server side
  – Why use this model?

Page 4: Client side validation

• Either use HTML (to restrict, e.g. maxlength on an input) or JavaScript (to actively check) the input format
• See the example .zip file on the schedule for this week
• Read the readme file for instructions on how to use it – unzip to your C:\ drive on your home PC
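The slide's two options combined in one form, as an added example (this is not the .zip from the schedule or any code of the author's): the HTML maxlength attribute restricts what can be typed, and the JavaScript function checks the format before the form is submitted. The handler name LoginHandler.jsp, the field names and the length and character rules are assumptions for illustration. The browser-side check is a convenience only: a user who disables JavaScript, edits the page, or sends the POST with another tool skips it entirely, so the same rules must be enforced again on the server.

```jsp
<%@ page contentType="text/html; charset=UTF-8" %>
<html>
<head>
<title>Login</title>
<script type="text/javascript">
    // Same allow-list rule the server is expected to apply (assumed, see lead-in):
    // 3-20 characters drawn from letters, digits, '.', '_' and '-'.
    var USERNAME_RULE = /^[A-Za-z0-9._-]{3,20}$/;

    // Called from onsubmit; returning false cancels the submission.
    function checkForm(form) {
        var user = form.username.value;
        var pass = form.password.value;
        if (!USERNAME_RULE.test(user)) {
            alert("Username must be 3-20 letters, digits, '.', '_' or '-'.");
            form.username.focus();
            return false;
        }
        if (pass.length < 8 || pass.length > 64) {
            alert("Password must be between 8 and 64 characters.");
            form.password.focus();
            return false;
        }
        return true;
    }
</script>
</head>
<body>
<!-- maxlength limits what can be typed into the box; it does nothing
     against a request built by hand, so it is a convenience, not a control -->
<form action="LoginHandler.jsp" method="post" onsubmit="return checkForm(this);">
    Username: <input type="text" name="username" maxlength="20" /><br />
    Password: <input type="password" name="password" maxlength="64" /><br />
    <input type="submit" value="Log in" />
</form>
</body>
</html>
```

The rule lives in one place in the script so that it can be kept identical to the server's copy; if the two drift apart, the browser will either reject values the server would accept (annoying) or accept values the server rejects (which is what the server-side check is there to catch).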

Page 5: Server side validation

• Example with user input for a password
• Code checks for length and format of password
• If appropriate, permits user to continue, otherwise sends user back to entry form to try again
• http://fcet11:8080/nas1/examples/login.html
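The login check described on this slide, written out as an added example; this is not the nas1 example on fcet11 or the author's code. It assumes a form that POSTs username and password fields to this page, a login.jsp form page to send the user back to, and the particular length and character rules shown; all of these are assumptions for illustration. It applies the rules from the Input validation slide: every parameter is treated as hostile, a missing parameter is rejected rather than parsed, lengths are bounded before the pattern is run, and the pattern is an allow-list of acceptable characters rather than a list of forbidden ones.

```jsp
<%@ page contentType="text/html; charset=UTF-8" import="java.util.regex.Pattern" %>
<%!
    // Allow-list rules, compiled once when the page is loaded. matcher().matches()
    // requires the whole value to match, so no ^ and $ anchors are needed.
    // Username: 3-20 characters from letters, digits, '.', '_' and '-'.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9._-]{3,20}");
    // Password: 8-64 printable ASCII characters; the character rule is deliberately
    // loose so that users can choose long passphrases.
    private static final Pattern PASSWORD = Pattern.compile("[\\x20-\\x7E]{8,64}");

    /** Returns null if value passes, otherwise a fixed message that is safe to show. */
    private static String check(String value, Pattern rule, String field, int maxLen) {
        if (value == null || value.length() == 0) {
            return field + " is required.";      // missing parameter: reject, do not parse
        }
        if (value.length() > maxLen) {
            return field + " is too long.";      // bound the size before running the regex
        }
        if (!rule.matcher(value).matches()) {
            return field + " has an invalid format.";
        }
        return null;
    }
%>
<%
    String username = request.getParameter("username");
    String password = request.getParameter("password");

    String error = check(username, USERNAME, "Username", 20);
    if (error == null) {
        error = check(password, PASSWORD, "Password", 64);
    }

    if (error != null) {
        // Send the user back to the form with the fixed message only; the rejected
        // value itself is never echoed back into the page.
        request.setAttribute("error", error);
        request.getRequestDispatcher("/login.jsp").forward(request, response);
        return;
    }
%>
<html>
<head><title>Login</title></head>
<body>
<%-- username matched the allow-list, so it cannot contain <, >, & or quotes
     and is safe to write into the page as-is. The credential check against the
     user store would follow from here. --%>
<p>Input accepted for user <%= username %>. Continuing...</p>
</body>
</html>
```

Note the order of the checks: null and length are tested before the regular expression runs, and the error messages name the field but never repeat the submitted value. The login.jsp form that receives the "error" attribute should likewise print it as text; since the messages are fixed strings written by us, that is straightforward.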

Page 6: Exceptions

• Exceptions are by definition exceptional events that occur during program execution
• Typical exceptional events (errors) are:
  – Database server is down
  – File is locked by another user
  – Mathematical errors (division by zero etc.)
  – No more memory available
  – Device or service not responding (e.g. DoS attack)
  – Alas, there are many others...

Page 7: Exception Handling

• Unfortunately, it is not usually possible to know in advance that an exception is about to occur

• How do we tell our program what to do in case an exception does happen?

• Fortunately for object oriented coders, this problem has a generic solution

• Since JSP is based on Java we can use this solution in our web applications

Page 8: Try…Catch

• In Java (and JSP) we can use a try…catch block around any piece of code that may cause an exception. [Same idea used in VB.net, PHP and others]
• Catch the most specific exception type you can actually handle; a blanket catch (Exception e) also swallows errors you did not anticipate.

<%
try {
    // Code which can throw an exception
} catch (Exception e) {
    // Exception handler code here
}
%>

Page 9: Exceptions

• For very practical reasons, Java enforces the handling of checked exceptions: any code that can throw one must either catch it in a try…catch block or declare it with throws. Runtime exceptions such as NumberFormatException are unchecked, so the compiler does not force you to catch them, which is exactly why they slip through to the user in the examples that follow.
• By 'thrown', it is meant that the exception has occurred. (Used in vernacular English too - "toys thrown out of pram", "throw a tantrum")
• When an exception is thrown, one of several things can happen depending on what you want your web application to do at that point.

Page 10: Exception Handling

• Do nothing… let your program fall over and read the error message that Java produces on the server
  – Not nice, as you may have experienced! Depending on how the container is configured, the same stack trace (class names, file paths, server version) may be shown to the visitor as well
• You could handle the exception locally (i.e. in your code at the point where the exception occurred) within your catch block.
• Or, you could redirect the user to an error page and do something there
  – Nicer in finished websites, simplifies handler
• Examples follow

Page 11: Form.htm

<html>

<head></head>

<body>

<form action="FormHandler.jsp" method="post">

Enter your age ( in years ) : <input type="text" name="age" />

<input type="submit" value="Submit" />

</form>

</body>

</html>

Page 12: FormHandler.jsp

<html>
<head></head>
<body>
<%
    int age;
    age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<p><a href="Form.htm">Back</a>.</p>
</body>
</html>

Page 13: But……..

• This code works fine until a user enters something other than an integer via the form, or submits the form without an age parameter at all: getParameter then returns null and Integer.parseInt throws a NumberFormatException in both cases. Nothing checks the value before it is converted, so the exception is the only thing standing between bad input and the rest of the page.

Page 14: Simple Fix - Local Try…Catch

<%
    int age;
    try {
        age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<%
    } catch (NumberFormatException e) {
%>
<p>You must enter a number!</p>
<%
    }
%>

Page 15: User-Defined Error Page

<%@ page errorPage="ExceptionHandler.jsp" %>
<html>
<head></head>
<body>
<%
    int age;
    age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<p><a href="Form.htm">Back</a>.</p>
</body>
</html>

Page 16: User-Defined Error Page

<%@ page isErrorPage="true" import="java.io.*" %>
<html>
<head></head>
<body>
<p style="color: red;"><%= exception.toString() %></p>
<%
    // The stack trace is written into an HTML comment: hidden from the casual
    // visitor, but anyone who views the page source can read it.
    out.println("<!--");
    StringWriter sw = new StringWriter();
    PrintWriter pw = new PrintWriter(sw);
    exception.printStackTrace(pw);
    out.print(sw);
    sw.close();
    pw.close();
    out.println("-->");
%>
</body>
</html>

Page 17: Ok, Good, Better!

• This works well but we can do better!
• Currently, the error message that is displayed is a standard Java message.
• These can be difficult to understand, and they can also say too much: the message of a NumberFormatException quotes the rejected input verbatim, and the error page above writes it into the HTML without escaping it, so whatever the user typed into the age box is reflected straight back into the page.
• So instead we'll pass our own message to our error page for it to display…

Page 18: Combined Version

<%
    int age;
    try {
        age = Integer.parseInt(request.getParameter("age"));
    } catch (NumberFormatException e) {
        // Replace the raw Java message (which repeats the bad input) with our own fixed text
        throw new JspException("Please enter a valid integer value!");
    }
%>

Page 19: Combined Version

• This time we catch the NumberFormatException locally and throw a new JspException with our own exception message.
• JspException is a JSP special exception class (javax.servlet.jsp.JspException) which extends java.lang.Exception. JSP pages import javax.servlet.jsp.* automatically, so no import directive is needed.
• The page still needs the errorPage="ExceptionHandler.jsp" directive from the previous version; the JspException we throw is what sends the request there.
• We need to change the error page code to this (getMessage() returns null for an exception created without a message, so guard against that if other exceptions can reach the page):

<p style="color: red;"><%= exception.getMessage() %></p>
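The whole flow from the last few slides (errorPage directive in the handler, a JspException carrying our own message, an error page that displays it) with the error page tightened up, as an added example ExceptionHandler.jsp; this is not the version in the week 6 zip or the author's code, and the wording of the messages is an assumption. It keeps the stack trace on the server, in the container log via application.log(), instead of in an HTML comment that anyone can read with "view source"; it shows only messages we wrote ourselves (those carried by a JspException) and a generic text for anything else; and it HTML-escapes whatever it prints, since the message of a raw NumberFormatException repeats the user's input.

```jsp
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" %>
<%!
    // Minimal HTML escaping for text placed between tags. Needed because some
    // exception messages (NumberFormatException's, for one) quote the input verbatim.
    private static String escape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<%
    // 'exception' is the implicit Throwable available because isErrorPage="true".
    // It is null if someone requests this page directly rather than via an error.
    // Full detail (class, message, stack trace) goes to the container log only.
    application.log("Unhandled exception in a JSP page", exception);

    // Only a JspException carries text we wrote ourselves (see the Combined Version);
    // any other exception gets a generic message so that Java internals stay hidden.
    String userMessage;
    if (exception instanceof JspException && exception.getMessage() != null) {
        userMessage = exception.getMessage();
    } else {
        userMessage = "Sorry, your request could not be processed. Please try again.";
    }
    // Say explicitly that this is a failure, even though the body is a friendly page.
    response.setStatus(500);
%>
<html>
<head><title>Error</title></head>
<body>
<p style="color: red;"><%= escape(userMessage) %></p>
<p><a href="Form.htm">Back</a>.</p>
</body>
</html>
```

With this error page in place, the handler from the Combined Version still throws JspException("Please enter a valid integer value!") and the user sees exactly that text; a database or file exception that reaches the same page is logged in full on the server but produces only the generic sentence in the browser.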

Page 20: Summary

• JSP errors show up when the page is requested (a page is translated and compiled on first use, so even an unbalanced <% or } only appears then) and can come from a combination of problems in the page and in the input it receives
  – Handling these gracefully improves the web application
• Validation, to catch errors from say user input, can be improved by the use of exception-handling JSPs
  – Validation can also include checking input against what is expected before it is used
• All the exception examples are in a zip file on the week 6 part of the Java WWW schedule