1 Understanding Web Applications, Servlets, and JSPs
This chapter includes the following sections:
The Web Applications Container
A Web application contains an application's resources, such as servlets, JavaServer Pages (JSPs), JSP tag libraries, and any static resources such as HTML pages and image files. A Web application adds service-refs (Web services) and message-destination-refs (JMS destinations/queues) to an application. It can also define links to outside resources such as Enterprise JavaBeans (EJBs).
Web Applications and Java EE
The Java EE programming model employs metadata annotations which simplify the application development process by allowing a developer to specify within the Java class itself how the application component behaves in the container, requests for dependency injection, and so on. Annotations are an alternative to deployment descriptors that were required by older versions of enterprise applications (Java EE 1.4 and earlier).
With Java EE annotations, the standard application.xml
and web.xml
deployment descriptors are optional. The Java EE programming model uses the JDK annotations feature for Web containers, such as EJBs, servlets, Web applications, and JSPs. See WebLogic Annotation for Web Components and http://docs.oracle.com/javaee/7/api/
. For more information about Java EE 7 Web application technologies, see http://www.oracle.com/technetwork/java/javaee/tech/index.html
.
However, Web applications deployed on WebLogic Server can still use a standard Java EE deployment descriptor file and a WebLogic-specific deployment descriptor file to define their resources and operating attributes.
Web Application Development Key Points
JSPs and HTTP servlets can access all services and APIs available in WebLogic Server. These services include EJBs, database connections by way of Java Database Connectivity (JDBC), Java Messaging Service (JMS), XML, and more.
A Web archive (WAR file) contains the files that make up a Web application. A WAR file is deployed as a unit on one or more WebLogic Server instances. A WAR file deployed to WebLogic Server always includes the following files:
-
One servlet or JavaServer Page (JSP), along with any helper classes.
-
An optional
web.xml
deployment descriptor, which is a Java EE standard XML document that describes the contents of a WAR file. -
A
weblogic.xml
deployment descriptor, which is an XML document containing WebLogic Server-specific elements for Web applications. -
A WAR file can also include HTML or XML pages and supporting files such as image and multimedia files.
The WAR file can be deployed alone or packaged in an enterprise application archive (EAR file) with other application components. If deployed alone, the archive must end with a .war
extension. If deployed in an EAR file, the archive must end with an .ear
extension.
Oracle recommends that you package and deploy your standalone Web applications as part of an enterprise application. This is an Oracle best practice which allows for easier application migration, additions, and changes. Also, packaging your applications as part of an enterprise application allows you to take advantage of the split development directory structure, which provides a number of benefits over the traditional single directory structure.
Note:
If you are deploying a directory in exploded format (not archived), do not name the directory .ear
, .jar
, and so on. For more information on archived format, see Web Application Developer Tools.
Servlets
A servlet is a Java class that runs in a Java-enabled server. An HTTP servlet is a special type of servlet that handles an HTTP request and provides an HTTP response, usually in the form of an HTML page. The most common use of WebLogic HTTP servlets is to create interactive applications using standard Web browsers for the client-side presentation while WebLogic Server handles the business logic as a server-side process. WebLogic HTTP servlets can access databases, Enterprise JavaBeans, messaging APIs, HTTP sessions, and other facilities of WebLogic Server.
Servlets and Java EE
WebLogic Server fully supports HTTP servlets as defined in the Servlet 3.1 specification at http://jcp.org/en/jsr/detail?id=340
. HTTP servlets form an integral part of the Java EE standard.
With Java EE metadata annotations, the standard web.xml
deployment descriptor is optional. The servlet specification states annotations can be defined on certain Web components, such as servlets, filters, listeners, and tag handlers. The annotations are used to declare dependencies on external resources. The container will detect annotations on such components and inject necessary dependencies before the component's life cycle methods are invoked. See WebLogic Annotation for Web Components.
The servlet specification defines the implementation of the servlet API and the method by which servlets are deployed in enterprise applications. Deploying servlets on a Java EE-compliant server, such as WebLogic Server, is accomplished by packaging the servlets and other resources that make up an enterprise application into a single unit, the Web application. A Web application utilizes a specific directory structure to contain its resources and a deployment descriptor that defines how these resources interact and how the application is accessed by a client. See The Web Applications Container.
What You Can Do with Servlets
-
Create dynamic Web pages that use HTML forms to get end-user input and provide HTML pages that respond to that input. Examples of this utilization include online shopping carts, financial services, and personalized content.
-
Create collaborative systems such as online conferencing.
-
Have access to a variety of APIs and features by using servlets running in WebLogic Server. For example:
-
Session tracking—Allows a Web site to track a user's progress across multiple Web pages. This functionality supports Web sites such as e-commerce sites that use shopping carts. WebLogic Server supports session persistence to a database, providing failover between server down time and session sharing between clustered servers. For more information see Session Tracking from a Servlet.
-
JDBC drivers—JDBC drivers provide basic database access. With WebLogic Server's multi-tier JDBC implementations, you can take advantage of connection pools, server-side data caching, and transactions. For more information see Accessing Databases.
-
Enterprise JavaBeans—Servlets can use Enterprise JavaBeans (EJB) to encapsulate sessions, data from databases, and other functionality. See Referencing External EJBs, More about the ejb-ref* Elements, and Referencing Application-Scoped EJBs.
-
Java Messaging Service (JMS)—JMS allows your servlets to exchange messages with other servlets and Java programs. See Developing JMS Applications for Oracle WebLogic Server.
-
Java JDK APIs—Servlets can use the standard Java JDK APIs.
-
Forwarding requests—Servlets can forward a request to another servlet or other resource. Forwarding a Request.
-
-
Easily deploy servlets written for any Java EE-compliant servlet engine to WebLogic Server.
Servlet Development Key Points
The following are a few key points relating to servlet development:
-
Programmers of HTTP servlets utilize a standard Java API,
javax.servlet.http
, to create interactive applications. -
HTTP servlets can read HTTP headers and write HTML coding to deliver a response to a browser client.
-
Servlets are deployed to WebLogic Server as part of a Web application. A Web application is a grouping of application components such as servlet classes, JavaServer Pages (JSPs), static HTML pages, images, and security.
JavaServer Pages
JavaServer Pages (JSPs) are defined by a specification for combining Java with HTML to provide dynamic content for Web pages. When you create dynamic content, JSPs are more convenient to write than HTTP servlets because they allow you to embed Java code directly into your HTML pages, in contrast with HTTP servlets, in which you embed HTML inside Java code.
JSPs are Web pages coded with an extended HTML that makes it possible to embed Java code in a Web page. JSPs can call custom Java classes, called taglibs
, using HTML-like tags. The WebLogic appc
compiler weblogic.appc
generates JSPs and validates descriptors. You can also precompile JSPs into the WEB-INF/classes/
directory or as a JAR file under WEB-INF/lib/
and package the servlet class in the Web archive to avoid compiling in the server. Servlets and JSPs may require additional helper classes to be deployed with the Web application.
JSPs enable you to separate the dynamic content of a Web page from its presentation. It caters to two different types of developers: HTML developers, who are responsible for the graphical design of the page, and Java developers, who handle the development of software to create the dynamic content.
JSPs and Java EE
WebLogic JSP supports the JSP 2.3 specification at http://jcp.org/en/jsr/detail?id=245
. The main theme for Java EE is ease of development. The platform's Web tier contributes significantly to ease of development in two ways. First, the platform now includes the JavaServer Pages Standard Tag Library (JSTL) and JavaServer Faces technology. Second, all the Web-tier technologies offer a set of features that make development of Web applications on Java EE much easier, such as:
-
An expression language (EL) syntax that allows deferred evaluation of expressions, enables using expressions to both get and set data and to invoke methods, and facilitates customizing the resolution of a variable or property referenced by an expression.
-
Support for resource injection through annotations to simplify configuring access to resources and environment data.
-
Complete alignment of JavaServer Faces technology tags and JavaServer Pages (JSP) software code.
Because JSPs are part of the Java EE standard, you can deploy JSPs on a variety of platforms, including WebLogic Server. In addition, third-party vendors and application developers can provide JavaBean components and define custom JSP tags that can be referenced from a JSP page to provide dynamic content.
What You Can Do with JSPs
-
Combine Java with HTML to provide dynamic content for Web pages.
-
Call custom Java classes, called
taglibs
, using HTML-like tags. -
Embed Java code directly into your HTML pages, in contrast with HTTP servlets, in which you embed HTML inside Java code.
-
Separate the dynamic content of a Web page from its presentation.
Overview of How JSP Requests Are Handled
WebLogic Server handles JSP requests in the following sequence:
-
A browser requests a page with a
.jsp
file extension from WebLogic Server. -
WebLogic Server reads the request.
-
Using the JSP compiler, WebLogic Server converts the JSP into a servlet class that implements the
javax.servlet.jsp.JspPage
interface. The JSP file is compiled only when the page is first requested, or when the JSP file has been updated and has a more recent timestamp. Otherwise, the previously compiled JSP servlet class is re-used, making subsequent responses much quicker. -
The generated
JspPage servlet
class is invoked to handle the browser request.
It is also possible to invoke the JSP compiler directly without making a request from a browser. For details, see Using the WebLogic JSP Compiler.
Because the JSP compiler creates a Java servlet as its first step, you can look at the Java files it produces, or even register the generated JspPage servlet
class as an HTTP servlet. See Servlets.
Web Application Developer Tools
Oracle provides several tools to help simplify the creating, testing, debugging, and deploying of servlets, JSP, JSF-based Web applications.
-
Oracle JDeveloper is an enterprise IDE providing a unified development experience for Oracle Fusion Middleware products.
-
Oracle Enterprise Pack for Eclipse is an Eclipse-based development environment with pre-packaged tooling for Web applications targeting the Oracle platform.
Both tools provide advanced code editor features, collaborative teamwork development, visual development and debugging, and streamlined deployment capabilities.
Other Tools
You can use the WebLogic Ant utilities to create skeleton deployment descriptors. These utilities are Java classes shipped with your WebLogic Server distribution. The Ant task looks at a directory containing a Web application and creates deployment descriptors based on the files it finds in the Web application. Because the Ant utility does not have information about all desired configurations and mappings for your Web application, the skeleton deployment descriptors the utility creates are incomplete. After the utility creates the skeleton deployment descriptors, you can use a text editor, an XML editor, or the WebLogic Server Administration Console to edit the deployment descriptors and complete the configuration of your Web application.
Web Application Security
You can secure a Web application by restricting access to certain URL patterns in the Web application or programmatically using security calls in your servlet code.
At run time, your user name and password are authenticated using the applicable security realm for the Web application. Authorization is verified according to the security constraints configured in web.xml
or the external policies that might have been created for the Web application using the WebLogic Server Administration Console.
At run time, the WebLogic Server active security realm applies the Web application security constraints to the specified Web application resources. Note that a security realm is shared across multiple virtual hosts.
For detailed instructions and an example on configuring security in Web applications, see Securing Resources Using Roles and Policies for Oracle WebLogic Server. For more information on WebLogic security, refer to Developing Applications with the WebLogic Security Service.
Developing Applications with the WebLogic Security Service also includes information on using the Java Authentication Service Provider Interface for Containers (JASPIC) specification (http://www.jcp.org/en/jsr/detail?id=196
) to implement authentication mechanisms.
Limiting the Number of Parameters in an HTTP Request
You can prevent overloading the WebLogic Server domain with excessive parameters in HTTP requests by setting the MaxRequestParameterCount
attribute on the WebServer
MBean. This attribute limits the number of parameters allowed in a request. The default value of MaxRequestParameterCount
is 10,000. If the number of parameters on an incoming HTTP request exceeds the maximum value set in the MaxRequestParameterCount
attribute, then the following error is logged:
<Error> <ServletContext> <BEA-000000> <Rejecting request since max request parameter limit exceeded 10000>
You can set this parameter either on the WebServer
MBean or on the VirtualHost
MBean. Use WLST online to set this attribute as shown in the following examples:
-
Using the
WebServer
MBeanconnect('<admin_user>','<admin_pwd>','<admin_url>') edit() startEdit() cd('Servers/<server_name>') cmo.getWebServer().setMaxRequestParameterCount(1000) save() activate() exit()
-
Using the
VirtualHost
MBeanconnect('<admin_user>','<admin_pwd>','<admin_url>') edit() startEdit() cd('VirtualHosts/<virtual_host>') cmo.setMaxRequestParameterCount(1000) save() activate() exit()
Note:
If you have set MaxRequestParameterCount
on the WebAppContainer
MBean, Oracle recommends setting the attribute on the WebServer
MBean instead.
Avoiding Redirection Attacks
When a request on a Web application is redirected to another location, the Host header contained in the request is used by default in the Location header that is generated for the response. Because the Host header can be spoofed—that is, corrupted to contain a different host name and other parameters—this behavior can be exploited to launch a redirection attack on a third party.
To prevent the likelihood of this occurrence, set the FrontendHost
attribute on either the WebServerMBean or ClusterMBean to specify the host to which all redirected URLs are sent. The host specified in the FrontendHost
attribute will be used in the Location header of the response instead of the one contained in the original request.
See FrontendHost
in MBean Reference for Oracle WebLogic Server.
P3P Privacy Protocol
The Platform for Privacy Preferences (P3P) provides a way for Web sites to publish their privacy policies in a machine-readable syntax. The WebLogic Server Web application container can support P3P.
There are three ways to tell the browser about the location of the p3p.xml
file:
-
Place a policy reference file in the "well-known location" (at the location
/w3c/p3p.xml
on the site). -
Add an extra HTTP header to each response from the Web site giving the location of the policy reference file.
-
Place a link to the policy reference file in each HTML page on the site.
For more detailed information, see http://www.w3.org/TR/p3pdeployment#Locating_PRF
.
Displaying Special Characters on Linux Browsers
To display special characters on Linux browsers, set the JVM's file.encoding
system property to ISO8859_1
. For example, java -Dfile.encoding=ISO8859_1 weblogic.Server
.
For a complete listing, see http://docs.oracle.com/javase/8/docs/technotes/guides/intl/encoding.doc.html
.
Using HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that allows a web server to be configured so that web browsers, or other user agents, can access the server using only secure connections, such as HTTPS. Web servers declare this policy using the Strict-Transport-Security HTTP response header field.
The HSTS policy Strict-Transport-Security HTTP response header directs browsers to communicate with the web server only over secure transport such as TLS/SSL, for a specified expiration time. The HSTS policy may also specify whether the policy applies to subdomains of the host's domain name. When a browser receives and processes the HSTS header, it remembers the web server and automatically uses HTTPS for all future access to the server. Any attempts to access the web server using HTTP are automatically converted to HTTPS requests instead.
Note:
If an application uses a mix of both HTTP and HTTPS, or some resources in an application can only be accessed using HTTP, then the application will be broken after you enable HSTS on WebLogic Server. To ensure that your applications continue to work after enabling HSTS, ensure that all pages in the application can be accessed using HTTPS. If any pages are hard-coded to be accessible only using HTTP, then they should be updated to be accessible using HTTPS.WebLogic Server provides system properties to enable HSTS, and to customize the response header:
-
-Dweblogic.http.headers.enableHSTS={true|false}
- enables HSTS. The default isfalse
. -
-Dweblogic.http.headers.hsts.maxage=max-age-seconds
- sets the policy expiration time. The default is31536000
seconds (one year). -
-Dweblogic.http.headers.hsts.includesubdomains={true|false}
- specifies whether the HSTS policy applies to the subdomains of the host domain. The default istrue
. -
-Dweblogic.http.headers.hsts.preload={true|false}
- specifies whether the domain is requesting inclusion in the HSTS preload list maintained by Google. The default istrue
. All sites approved for inclusion are hardcoded into this list and can only be accessed using HTTPS in Chrome and other browsers.
For details about these system properties, see HTTP Strict Transport Security in Command Reference for Oracle WebLogic Server.
-
HTTP Strict Transport Security (HSTS) standard at
https://tools.ietf.org/html/rfc6797
-
Strict-Transport-Security on MDN Web Docs at
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security