How to disable scripting elements in JSP pages?

With the introduction of Expression Language in JSP 2.0 it is recommended to use the EL instead of using a scripting elements / scriptlets. That means if we want to access a server-side objects it is recommended to use EL then to write some Java codes in the JSP pages.

For this purpose in JSP 2.0 we are given a feature to disable the scripting elements by defining a scripting-invalid element within the <jsp-property-group> in the deployment descriptor (web.xml) file.

Here is the JSP configuration that you need to add in the web.xml file:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
    <display-name>JSP Examples</display-name>

    <jsp-config>
        <jsp-property-group>
            <url-pattern>*.jsp</url-pattern>
            <scripting-invalid>true</scripting-invalid>
        </jsp-property-group>
    </jsp-config>
</web-app>

When you try to request a JSP page that have a scripting elements in, it will give you an error message like this:

HTTP Status 500 - /sessionWriteRead.jsp (line: 10, column: 2) Scripting elements ( <%!, <jsp:declaration, <%=, <jsp:expression, <%, <jsp:scriptlet ) are disallowed here.

How do I add comment in JSP pages?

In this example you’ll see how to add comments in JSP page / JSP scriptlets. To add comments we can use either the JSP comment style or HTML comment style. The different between this is that the HTML comment will be sent or included in the webpage while the JSP comment is not included in the webpage.

The JSP comment style start with the <%-- and end with the --%>. To create an HTML comment style we can use the <-- and closed by the -->. Beside this two comment styles you can still use the comment block that we use in our Java code in the JSP scriptlets.

<%@ page import="java.util.Date" %>
<%@ page import="java.text.SimpleDateFormat" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE hml>
<html>
<head>
    <title>Commenting JSP Page</title>
</head>
<body>

<%--The JSP snippet below is used to print the current date--%>
<%
    Date date = new Date();
    SimpleDateFormat formatter = new SimpleDateFormat("EEE, dd/MM/yyyy");

    out.println("Today is: " + formatter.format(date));
%>
</body>
</html>

What are the scripting elements in JSP page?

There are three types of scripting elements available when writing a JSP page. These scripting elements includes:

  • Scriptlets which is a block of Java code.
  • Expression that can be evaluated and the result is printed out.
  • Declarations can be used to declares variables or methods.

Scriptlets

A scriptlets is a block of Java code that begins with <% and closed by %>. We can have multiple block of scriptlets inside a JSP page. The following example show you how to write a scriptlets:

<%@ page import="java.text.DateFormat" %>
<%@ page import="java.text.SimpleDateFormat" %>
<%@ page import="java.util.Date" %>
<%@ page import="java.util.Calendar" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<html>
<head>
    <title>JSP - Scripting Scriptlets</title>
</head>
<body>
<%
    DateFormat formatter = new SimpleDateFormat("EEE, dd/MM/yyyy HH:mm:ss");
    out.print(formatter.format(new Date()));
%>
<br/>
<%
    Calendar calendar = Calendar.getInstance();
    out.print(formatter.format(calendar.getTime()));
%>
</body>
</html>

In the scriptlets above we can use the formatter object on the first scriplet to be used in the second scriptlet. Any objects or variables declared in the first scriptlet is available on the second scriptlet.

Expression

To create an expression in JSP we can use the <%= and closed by the %>. The expression in this kind of block will be evaluated and the value is printed out as the JSP page output. We can say that the expression block is a shortcut for the out.print() method in JSP page. You also notice that an expression doesn’t end with a semicolon.

Here is an example of expression in JSP page:

<%@ page import="java.util.Date" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<html>
<head>
    <title>JSP - Scripting Expressions</title>
</head>
<body>
Today is: <%= new Date() %><br/>
Session Id: <%= session.getId() %><br/>

<%--The above expression is equals with the following scriptlets--%>

Today is: <% out.print(new Date()); %><br/>
Session Id: <% out.print(session.getId()); %>
</body>
</html>

Declarations

The last scripting elements is this declarations. The declarations elements starts with a <%! and ends with %>. We can use this block to declare variables and methods that can be used in a JSP page. Let’s see an example below:

<%@ page import="java.util.Date" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<!DOCTYPE html>
<%!
    public int add(int number1, int number2) {
        return number1 + number2;
    }

    public Date getDate() {
        return new Date();
    }
%>
<html>
<head>
    <title>JSP Declarations</title>
</head>
<body>
Today is: <%= getDate() %><br/>
20 + 10 = <%= add(20, 10) %>
</body>
</html>

How do I delete a cookie in Servlet?

The Servlet API doesn’t provide a direct way to delete a cookie in a Servlet application. If you want to delete a cookie you have to create a cookie that have the same name with the cookie that you want to delete and set the value to an empty string. You also need to set the max age of the cookie to 0. And then add this cookie to the servlet’s response object.

Let’s see the code example below:

package org.kodejava.example.servlet;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet(name = "DeleteCookieServlet", urlPatterns = "/deleteCookie")
public class DeleteCookieServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        //
        // To delete a cookie, we need to create a cookie that have the same
        // name with the cookie that we want to delete. We also need to set
        // the max age of the cookie to 0 and then add it to the Servlet's
        // response method.
        //
        Cookie cookie = new Cookie("username", "");
        cookie.setMaxAge(0);
        response.addCookie(cookie);
    }
}

How do I obtain ServletContext of another application?

The ServletContext.getContext(String uripath) enable us to access servlet context of another web application deployed on the same application server. A configuration need to be added to enable this feature.

In the example below we will forward the request from the current application to the /otherapp/hello.jsp page. We place a string in the request object attribute of the current application and going to show it in the hello.jsp page.

package org.kodejava.example.servlet;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@WebServlet(urlPatterns = {"/context"})
public class GetAnotherContextServlet extends HttpServlet {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        //
        // Get ServletContext of another application on the same Servlet
        // container. This allow us to forward request to another application
        // on the same application server.
        //
        ServletContext ctx = request.getServletContext().getContext("/otherapp");

        //
        // Set a request attribute and forward to hello.jsp page on another 
        // context.
        //
        request.setAttribute("MESSAGE", "Hello There!");
        RequestDispatcher dispatcher = ctx.getRequestDispatcher("/hello.jsp");
        dispatcher.forward(request, response);
    }
}

To enable this feature in Tomcat we need to enable the crossContext attribute by setting the value to true, the default value is false. Update the server.xml file to add the following configuration.

...
<Context 
    path="/webapp" 
    debug="0" 
    reloadable="true" 
    crossContext="true"/>
...