7.1 Overview of JSP scripting tags
JSP Specifications provides three types of elements which allow us to write complete java code in it to achieve dynamic behavior.
The three types of JSP scripting elements are
a) Declaration – refer section 7.2 for more details.
b) Scriplet- refer section 7.3 for more details.
c) Expression- refer section 7.4 for more details.
7.2 JSP Declarations
JSP Declarations are used to define or declare variables and methods. Any code written in declaration does not go inside auto generated _jspService() methods which means variables and methods declared in declaration will become instance variables.
7.2.1 Syntax
Syntax of declaration tag is <%! %> Note: Each line must be ended by semi colon (;)
7.2.2 Example
Let’s write an example jsp file which will define method and variable using declarations to see how these tags are used.
Declaration.jsp file defines
- a variable of type String which is initialized with some default value
- a method which takes two arguments and returns the sum
Declaration.jsp Code
<html> <head> <title> JSP using Declaration tag </title> </head> <body> <%! String description = "description variable is a instance variable." ; public int sum(int argument1, int argument2) { int result = argument1+ argument2; return result; } %> <!-- Call method --> <% out.println(description); out.println("<br/>"); int result = sum( 2, 3); out.println(result); %> </body> </html>
To see the result, access the Declaration.jsp using
http://localhost:8080/jsp-tutorial/Declaration.jsp
7.3 JPS Scriplet
JSP Scriplets are used to add any java code that gets executed at the time of service request. Any code written in scriplets goes inside auto generated _jspService() methods which means variables and methods declared in declaration will become local variables.
It’s a common mistake that developers tries to declare a method inside scriplets which is not allowed because all code written in scriplets goes inside _jspService() and in java we cannot have a method inside method.
In scriplets all implicit variables like request, response , out , application session etc are directly available for use.
7.3.1 Syntax
Syntax of declaration tag is <% %> ( there is no ! sign as compared to declaration)
Note: Each line must be ended by semi colon (;)
7.3.2 Example
Lets write an example (Scriplet.jsp) jsp file which will print the client details on screen using scriplet tag to see how these tags are used.
Scriplet.jsp Code
<html> <head> <title> JSP using Scriplet tag </title> </head> <body> <% String localName = request.getLocalName(); int port = request.getLocalPort(); String ipAddress = request.getLocalAddr(); out.println("Local Name ::" + localName); out.println("<br/>"); out.println("Port Number ::" + port); out.println("<br/>"); out.println("IP Address ::" + ipAddress); out.println("<br/>"); %> </body> </html>
To see the result, access the Scriplet.jsp using
http://localhost:8080/jsp-tutorial/Scriplet.jsp
7.4 JSP Expression
In JSP Expressions tag we can define a scripting expression which gets evaluated and result is sent to output stream. This tag is mainly used to display the value. Evaluated result of expression written in expression tag goes inside out.println () method inside auto generated _jspService().
In expression all implicit variables like request, response , out , application session etc are directly available for use.
7.4.1 Syntax
Syntax of declaration tag is <%= %>
Note: Expression inside tag must not be ended by semi colon (;)
7.4.2 Example
Lets write an example (Expression.jsp) jsp file which will print the client details on screen using expression tag to see how these tags are used.
<html> <head> <title> JSP using Expression tag </title> </head> <body> Local Name :: <%= request.getLocalName() %> <br/> Port :: <%= request.getLocalPort() %> <br/> IP Address :: <%= request.getLocalAddr() %> </body> </html>
To see the result, access the Expressions.jsp using
http://localhost:8080/jsp-tutorial/Expressions.jsp
7.5 Disable Scripting Tags
Extensive use of scripting elements is not recommended and use of expression language is encouraged. Expression Language is intended to replace the use of Java scriptlets in JSP pages.
JSP specification provides a way to disable the evaluation of scripting elements through configuration parameters in web.xml. This ensures that developers cannot use scriptlets in any case and instead use Expression language.
With this we can enforce the best practices more easily, We can disable the use of scripting tags using the web.xml deployment descriptor
- for a single page
- for a set of pages
- for the entire application.
To disable scripting element for a single page (say noScript.jsp) , we need to add below configuration in web.xml
<jsp-config> <jsp-property-group> <url-pattern>/noScriplet.jsp</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
Need to add the name of jsp in url- pattern tag
To disable scripting element for a group of pages (say all files with extension jsp ) , we need to add below configuration in web.xml. (Changes highlighted below )
<jsp-config> <jsp-property-group> <url-pattern>*.jsp</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
We can also configure to disable scriplet on a set of pages, for example all jsp inside test directory
<jsp-config> <jsp-property-group> <url-pattern>/test/*</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
Lets try these configurations in out jsp-tutorial application.
a) Add the below configuration to restrict scriplets only in Expression.jsp created earlier in section 7.4.2 and try to access Expressions.jsp
<jsp-config> <jsp-property-group> <url-pattern>/Expressions.jsp</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
On accessing http://localhost:8080/jsp-tutorial/Expressions.jsp
But we can see the results for Declaration.jsp because we just restricted Expressions.jsp
b) Now update the configuration added in #a with below and access Declaration.jsp using http://localhost:8080/jsp-tutorial/Declaration.jsp
<jsp-config> <jsp-property-group> <url-pattern>*.jsp</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
c) Now add a folder named “ jsp ” under WebContent directory and copy Expressions.jsp. You should be able to access it using
http://localhost:8080/jsp-tutorial/jsp/Expressions.jsp
Now to disable scriplet in all jsp files resides under jsp sub directory of WebContent directory , you need to add following configurations
<jsp-config> <jsp-property-group> <url-pattern>/jsp/*</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
d) We can also configure multiple <jsp-property-group> tags . For example we want to disable scriplets in all l jsp files resides under jsp sub directory of WebContent directory and Declaration.jsp . To do so we need to add following configurations
<jsp-config> <jsp-property-group> <url-pattern>/jsp/*</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> <jsp-property-group> <url-pattern>/Declaration.jsp</url-pattern> <scripting-invalid>true</scripting-invalid> </jsp-property-group> </jsp-config>
You will be able to access Expressions.jsp present directly under Web Content directory but not Declaration.jsp and any of jsp file under jsp sub directory.