If I let anyone modify a freemarker viewpage, can I somehow make it hack free?
I know I read somewhere that I can make disable scriplets, but that was for .jsp pages so not sure if it will work with freemarker.
I basically want a way where I can set the attributes that will be available on the page, and let web designers go into the page and edit it all they want (all the while making it secure).
i.e. I don't want people to be able to access any of objects in the request pipeline, or output my connection string to the page etc.
Request and other objects are exposed to the FreeMarker template by Spring's FreeMarkerView, when FreeMarker is used as a Spring MVC view technology.
To have a full control over the data being exposed to the templates, you can use FreeMarker directly, as described in the FreeMarker docs. However, you can still use Spring's support for FreeMarker configuration (FreeMarkerConfigurationFactoryBean).
Related
I'm learning Spring MVC and want to create a site. The main problem is a template system. Should I use JSP / JSF / Apache FreeMarker / Thymeleaf or something else?
I saw a lot of discussion on this subject, but they are all outdated. So, I'm curious, what is fine now?
The best practices for server-side rendering have shifted towards using a template engine. These get the responsibility to merge the data with the template into the actual output.
Current preferences appear to be:
Thymeleaf
FreeMarker
JSP's and JSF are entirely different things and have become out of fashion.
The big plus for using an actual template engine is that you are forced to separate the concerns of gathering the data to present and rendering it; this separation allows you to (unit) test the templates.
Note, however, that the industry is shifting once more towards client-side rendering, where the server just returns the data as JSON-objects and the web application uses some framework like Angular, React, jQuery or Ember to build the pages.
Note on the edit: Originally the list included Velocity, but that is no longer supported by Spring.
You can use any of them as they are supported. JSP, FreeMaker and Thymeleaf are similar by idea: you create a template to be rendered. JSP and FreeMaker lacks some features that are available in Thymeleaf.
I like Thymeleaf's idea where you can load your template to the browser and see how the page is going to be rendered (real). Thymeleaf template is fully featured HTML page. That's not possible in JSP where you have JSP tags and FreeMaker where you have placeholders.
JSF is component based so that's a different approach.
If I have to choose I would use Thymeleaf.
There are many template engines available out there. But Spring Boot officially supports Thymeleaf, FreeMarker, Mustache and Groovy Templates. My preference is Thymeleaf because of its extendability.
There is a detailed comparison on various aspects of template engines explained in the below post.
https://springhow.com/spring-boot-template-engines-comparison/
I'm really new to JSP and Servlets and all that jazz, and I'm confused about how to approach it.
Right now my main confusion is as follows:
It seems there are two ways to get a web page to display on the screen in a Java EE/JSP project:
Create an HTML page with the extension .jsp and in the web.xml file, map it to a url pattern (let's assume just /)
Create a Java class that extends Servlet, override the doGET() method to return a string of HTML code and map to this Java class in the web.xml.
My JSP project requires a decent amount of Java code to perform logic and login/logout operations. I've read that it's bad practice to inlcude Java code inside JSP pages as it becomes impossible to reuse, hard to keep track of, messy etc. I want to include much of code in Java, which will feel much more natural for me.
How should I build my project (assuming it's a simple beginner project in which I want to employ the best practices for organization, testing etc in preparation for building a larger project)? How can cleanly deploy web pages from inside Java classes, rather than having many JSP pages containing bits of Java code?
The pattern I've used in the past is to:
1) Write the servlet to perform whatever logic is necessary and to construct a reasonable number of serializable java objects to hold all of the data you want to be rendered via HTML.
2) The servlet stores those objects into the HTTP request and forwards the request and response objects to a JSP:
request.getRequestDispatcher("/some.jsp").forward(request, response);
3) The JSP can access the java objects in the request and merge the data with the static HTML to complete the request.
This is exactly the problem MVC pattern solves.
You do all your complex logic in the Controller (simple Java class, or a Servlet), then pass the data to View (JSP, Velocity, Freemarker, anything that can process the data and make a HTML).
There are several implementations of MVC for Java most popular being Spring MVC and Struts. Alternatively, you can just use your servlet for all your logic and then manually forward the request to a JSP for processing:
request.getRequestDispatcher("/index.jsp").forward(request,response);
If your are looking for best practices in clean separation of java code from the presentation, you might as well use a MVC Framework (Spring MVC or Struts are well know examples) that will help you to cleanly separate :
view layer (JSP)
controller layer
service layer
domain objects
persistence layer
It may be hard to begin with, but you will find nice tutorials through official sites and google.
If you want to only use servlets and JSP, the common rule is to have all logic and Java code in servlets, and that those servlets simply forward to JSP pages that will do the view part. The communication between then is done with request attributes (and of course, session and application context attributes.
Good luck ...
To manage bit of java code, you can use Scriptlet.
Also mentioned in other answers, you can use jsp:forward or response.sendRedirect
to call web pages.
Also see What is the difference between jsp:forward and response.sendRedirect
I'm not sure where you heard that its bad practice to include Java code in the HTML(JSP) files but in order to have a dynamically data driven website, Java is what you would use in the HTML(JSP). Keep in mind, all of your front end design will be in the HTML using JSP, and all of the your logic for handling requests and redirectors and passing data will be managed in the servlets using Java.
Your servlets can pass data, whether it be from a database or other data source, to the front end and your JSP will just help in displaying that data. It's called JSP for a reason. You can write Java in it.
The best approach for designing websites in Java is to use the MVC pattern that way it helps seperate all of the core functions of the site and can easily be scaled and managed.
Do you have any code that you have to show what you have done so far?
Are there any sample / tutorial on Spring MVC with JSP without using Tag Libraries. Pure JSP.
I am not conversant with Tag Libraries and I am good with JSP. So I would like to see if there are any examples and tutorials using pure JSP without ANY tag libraries.
I don't mean to say this in a degrading manner, but if you are good with JSP, you should be able to pick up the Spring MVC tags easily. JSP, custom tags and ELs go hand-in-hand. They are created for a reason: to make your life simpler. A quick example, if you use Spring MVC's form tag, Spring MVC will automatically prefill the form fields for you based on the data you have in the model. Think about how tedious your code will be to prefill the checkboxes/radiobuttons or preselect the drop down lists.
If you are also Spring Security, the provided custom tags allow you to easily control what data to be displayed based on the user roles.
Writing all of that using pure JSP don't even make sense to me... not to mention the amount of time wasted writing less than perfect home grown solutions.
I would like to provide users to write plugins to my application, the initial design and implementaion involve a Velocity (VTL) template engine to allow
Secure: uesrs can't call internall Java code (without hacking using reflection)
Simple: Limited and confined API, I can write my own domain specific language
Portable: I can store VTL templates in a JAR, in the database or anywhere I like
Decoupled: template context and logic / controller is not coupled to the web / HTML
Then with the limitations of VTL (no tag library support as first) we looked at Freemarker
It has all the advantages, but I wonder if this is as good as it gets
The other alternatives are eclipse JET, and I don't know of anything else at the moment
I would like a solution that can have Java content assist (like JSP) but that can be saved in the database
Is there something like this out there? (Besides JET, and JBoss's Freemarker buggy plugin)
Check out Thymeleaf.
I haven't used it.. YET!
It appears the developer designed it to address the shortcomings of Velocity and FreeMaker.
I have successfully used FreeMarker on several projects.
To address your concerns:
Processing a template - even one written by a user - is secure if you don't expose any unsafe method in your model. In general, the model should only contain immutable objects (e.g. Strings, numbers) and collections of those (e.g. List, Map), and not be related in any way to the control layer of your MVC application.
FreeMarker is simple enough for programmers, but not necessarily for web designers or editors.
FreeMarker templates can be stored anywhere you like, since the template loader can be anything you can imagine. Have a look at the API documentation.
FreeMarker templates are confined to the view layer of your MVC application, as long as you don't publish any sensible method in your model (see first point). Unlike JSP, they are completely unaware of the Servlet API.
As for content assist, most major IDE's (IntelliJ, Eclipse, probably NetBeans) have support for the FreeMarker syntax and should provide auto-completion for the keywords. If you want a JavaScript-based editor for FreeMarker, I'm not as affirmative since I know of none.
Good luck!
This is a design question and good practice question. How do you structure your Java web development such that a lot of logic is not in the JSP file. Should you use any of the JSP tags for if structures or loops. I see a lot of code where the logic is hard to follow because of poorly designed JSP files. And then when you want to output to a different format like a PDF or XML document, you can't do it because all the logic is in the JSP file.
Are there any tips or practices that you follow for Java Web development.
I am currently using a combination of Spring, Hibernate, Struts...and work with some Servlet code.
There are good practices associated with Java development. Many of us that have worked a while know them. What are some good practices for JSP development.
The easiest way to avoid placing logic in JSPs is simply to perform all that logic before forwarding a request to a JSP. The only logic you should need to do in a JSP is some basic looping (e.g. for creating HTML table rows), evaluating conditional statements, and data formatting.
All of this can be done without using scriptlet code (Java code) in the JSPs by using JSP tag libraries and EL. The most important tag library is JSTL. The JSTL tag library provides most of the logic you should ever need to perform in a view, though you may occasionally also use niche 3rd party tag libraries like displaytag which can reduce the amount of JSP code you need to write for specific tasks.
Since you're already using Spring you may want to check out Spring Webflow. I assume you're using Spring form tags, but if not, you should check those out as well. With this combination there should be very little need [if any] to use JSP tags in your view logic.