in eclipse IDE how can i access a java class from .jsp
exactly like accessing a servlet from a jsp file ?
in other word, what should i replace with question marks "????????"
<form name="myForm" action="???????????????" method="post">
</form>
when i run engine.java file from "mypackage" package tomcat application servers shows this address in the address bar.
http://localhost:8080/rouyesh/servlet/mypackage.engine
anybody can help please?
You'll need to use whatever the path relative to your current URL is, or the absolute path, just as you would with files. It might be prudent at this point to investigate a web framework, however, before you destroy your product with insanity :P.
If you just need to call the class from your JSP page, then just do it.
If you need to expose your class through an URL, the standard way to do so, is to enter through a servlet (exposed in the usual way) and call the class inside the servlet.
Your particular framework may provide such functionality out of the box. Read the documentation carefully.
Related
I am working on some security alerts on one of our servers whereby a 'file download' JSP file is able to let a user download contents of WEB-INF for the web application (Which is located in the root folder of the site). It is a very crudely simple file, written in 2007, that uses java.io.FileInputStream on unsanitised input to return a file to the user.
The alert actually claimed that this was a directory traversal problem, which it is in one way as the following URI would download the web.xml for the user:
http://domain.com/filedownload.jsp?filename=../../WEB-INF/web.xml&filepath=some/directory/
Now obviously the 'directory traversal' part should be corrected by doing user input sanitising (Which this script does not yet do). However, the following URI also delivers the web.xml to the user, but input sanitisation for directory traversal would not help here, unless the sanitisation checks for 'WEB-INF' and other 'illegal' directories...
http://domain.com/filedownload.jsp?filename=web.xml&filepath=WEB-INF/
Is there a standardised way to prevent this in common servlet containers or does this need to be entirely managed by the developer of the code? I noticed that the Java 'normalize()' function would not strip out this directory from the user input.
I tried searching for an answer for this, but all I could find was information about preventing the 'serving' of WEB-INF directly, but nothing about preventing it from being accessed from a JSP file itself.
Thanks,
Tom...
You say the JSP page is using java.io.FileInputStream to read the file. That is a standard Java class that is not aware of the fact that it is running inside a servlet container.
So java.io.FileInputStream will be able to access any file that can be accessed by the user process the servlet container (JVM) is running under. There's nothing you could configure in the servlet container to prevent that.
You might like to make sure that files in other areas of the filesystem completely unrelated to the servlet container can't be accessed, e.g. like "/etc/passwd".
Assuming you're running on Linux, what does this URL do:
http://domain.com/filedownload.jsp?filename=passwd&filepath=/etc/
If it does return the file, you've got a bigger problem! Perhaps the security software (not sure what you're using?) that created the alerts will prevent download. If not, operating system file permissions can help, as long as the web server isn't running under root or other privileged account, but that's a short-term emergency fix only.
So no, there there no standardised way to prevent this in common servlet containers, and yes, it does need to be entirely managed by the developer of the code.
When using java.io.FileInputStream, it's the responsibility of the writer / maintainer of the JSP page to ensure that only valid paths are accessed.
All I'm trying to do is make calls to my Java code from my .jsp pages. I have written some .jsp pages for a webapp, but as the project grows I want to start putting some of the code into .java classes or servlets.
Why doesn't Eclipse "see" everything in my /src or /lib /web or /WebContent or /WebContent/src or /WebContent/WEB-INF/lib or /Webcontent/WEB-INF/src as usable? After all, it "sees my sql jdbc .jar files and I can use them as soon as they are in /WebContent/WEB-INF/src (and not any other folder). But I wrote classes which are in packages, my code isnt in .jar file form, so eclipse is not picking up on them.
You need to have the Java EE version of Eclipse installed, and create a Java Web Application, which will allow you to set up a web.xml.
Eclipse JEE which I have installed to set up web projects is:
http://eclipse.org/downloads/packages/eclipse-ide-java-ee-developers/keplerr
Your web.xml will definte your web servlets, which can be JSP's or Java classes that extend a servlet implementation.
This has less to do with your IDE (eclipse) than it does with Java Web Applications.
You should read this documentation for starters from Oracle about web apps, and go from there on setting up an IDE:
http://docs.oracle.com/javaee/1.4/tutorial/doc/WebApp.html
Edit based on user feedback
Import should be to class level:
<%# page import="fully.qualified.SomeClass" %>
Then from your JSP code:
<%
SomeClass someClass = new SomeClass();
someClass.helloWorld();
%>
Edit 2 based on feedback
Try this link to do using page include: http://www.coderanch.com/t/286168/JSP/java/Calling-Java-classes-JSP-page
Alternative Approach
Add a new class to your web.xml, where you want to send your request/form data to. So your JSP would be 1 servlet, your other java class would be your other servlet.
On your JSP, create a form that has an action of your new "TestProgram" servlet
This answer to this question has nothing to do with my setup or import statements. The correct answer is that eclipse doesn't make it clear what code it "sees" (or that its compiling) when it runs the project. On my JSP page, it showed it as recognizing the call to my java code. However, when I ran the page, it was still compiling the older version of my java code, that didn't have my latest changes. I've found the best way to guarantee that the newest version of my referenced java code is compiled when I run my .jsp program (that calls the java) is to go to "Project->Build All" then go to "Servers", right click "Publish". If Publish isnt an option, and it thinks its already synchronized, then you may have to change the .jsp page, save it, then "Publish" will become active again.
Kind of hard to explain in one line but my problem is essentially like this:
I made a java applet that I want to run on a web page that I packaged into a .jar file. I'm able to get the applet working fine using the <applet> tag but the problem is, if the user views the page source, they will see:
<applet archive="directory/program.jar">
Assuming .jar files can be easily opened and all the class files decompiled, all the user would have to do is go to www.url.com/directory/program.jar to download my .jar and they would have all my source code :(
So I'm wondering if there is either a way to protect my code/jar from being decompiled (other than obfuscation) or to use some kind of server-side script to feed the contents of the .jar directly to the browser from a server-side location not publically visible.
Any help is appreciated.
This is fundamentally impossible.
Java applets run the client.
Anything that runs on the client can be disassembled and modified by a sufficiently advanced user.
You should move your sensitive logic to the server and invoke it using HTTP requests ( and remember that the user can use Fiddler).
While you're at it, you should probably replace your applet with HTML and Javascript.
Other than obfuscation or encryption, no--one way or the other, the browser will have access to the jar.
You might be able to create an applet that loads more functionality at runtime.
There is no effective way to block access to the source code of any page; for the page to be readable by browsers and search engines, the source code has to be accessible, and therefore can be viewed and/or copied. That's just how the web works. HTML is sent as a text document and interpreted client-side.
Disabling the right-click is little more than an annoyance, and it works sporadically in alternative browsers. Even if you succeed, the View Source option in the menu is always present. The viewer could also use a download tool such as Wget, or even get the page from the Google cache without visiting your site at all.
Edit: Oops! I misunderstood your question. You should follow #SLaks advice and "move your sensitive logic to the server and invoke ot using HTTP requests ( and remember that the user can use Fiddler)."
While quantum mechanics do rule the universe, they have less of a grip on your code than you might suspect. You cannot both deploy code to the client browser and not deploy code to the client browser. You have the option of doing one or the other.
You can prevent direct browsing to your .jar file by locating it beneath the WEB-INF directory in your WAR file. This will also prevent <applet archive="directory/program.jar"> from working.
Once the jar is beneath the WEB-INF directory you will need something to feed the resource to the client browser; the Spring resources servlet is good for this (If you are using Java and Spring). I feel confident that other such tools exist. With the Sprint resours servlet, your would deploy your applet with something like this: <applet archive="resource/program.jar".
If you write your own resource distributor, you can add security to make it harder to get the jar file; perhaps add a header to your requests like IRGud: <user_id here> and fail any request that does not have that header (or acceptable contents in the header).
$(function() {
$("#ac1").autocomplete('getdata.jsp');
}
I'm calling that page in liferay6..
so, What sort of changes I will have to make in portlet.xml and another file ..
I'm getting this error....
http://localhost:8080/web/guest/getdata.jsp?q=abc 404 Not Found
(This error is coming in Firebug not in UI)
Thanks in Advance,
Mayur Patel
First of all, if you are using a portlet specific resource as the data, you should probably be using portlet:resourceURL or liferay-portlet:resourceURL instead of a static address to the file getdata.jsp. ResourceURLs create fully qualified URLs that target your own portlet. The resource served are supposed to be content fragments instead of full blown pages. That way they are especially suitable for AJAX-calls.
Where is the getdata.jsp file located? You could define the full path to the file i.e. /my-service/getdata.jsp instead of relying on the relative address that points to the /web/guest url-mapping. That way you can be sure that the file is found provided that you are not going to share the portlet with others that might not install the portlet the same way as you have done.
I have some embedded Java code in which I'm trying to load a properties file that is located in the same folder as the JSP file:
Properties titles = new Properties();
titles.load(new FileReader("titles.txt"));
The code above throws a FileNotFoundException.
How exactly does one refer to the 'current folder' in this situation?
Two things:
JSPs should not contain java code. use an mvc framework (spring mvc, stripes etc) as controller and use the JSP as view only. That makes life a lot easier
You are not supposed to access resource files through the file system in a web app, use classloader access as suggested by redlab. The problem is that a web app may or may not be unpacked on the file system, that's up to the servlet container
The main problem I see is that you can't make any valid assumptions as to what the path is, as you don't know where your compiled JSPs are
So: create a controller class, put the properties file in the same folder and load it from the controller class via getClass().getClassLoader().getResourceAsStream("titles.txt");
FileReader requires absolute path, or relative the where the java is run. But for web applications this is usually done via /etc/init.d/tomcat startup and you can't rely on what is the current dir.
You can obtain the absolute path of your application by calling servletContext.getRealPath("/relative/path/to/file.txt")
You can get the relative part of the URL by calling request.getRequestURL().
That said, you'd better use this code in a servlet, not a JSP - JSP is a view technology and logic should not be placed in it.
By using the classloader that loads your class you can get the file easily.
getClass().getClassLoader().getResourceAsStream("titles.txt");
However I don't know if it will work with JSP
You could also use ServletContext.getResourceAsStream(""), but then you have to give the full webcontent-relative path.