Recipe 11.7 Using URL Rewriting in a JSP

Problem

You want to make sure that URL rewriting is used in a JSP, in case any users disable cookies in their browsers.

Solution

Use the url custom action in the JSTL to create URLs that automatically include the session ID as a parameter.

Discussion

It is possible that some users of a web application will configure their browsers to disable cookies. Since cookies are the default basis for session tracking with JSPs, how will disabling cookies affect these users' experience with the web application? I recommend designing all session-tracking JSPs to accommodate URL rewriting, so that the cookie-averse users do not crash and burn in your web application.

One solution to this problem is to use the url custom action that is part of the JSTL.

The url element automatically inserts the session ID as a parameter with URLs that will be used in href, form, and frameset tags, for instance. This allows the pages that these links point to, such as servlets or JSPs, to track sessions without using cookies.

One of the nice things about using the url element like this is that it adds the session ID as a parameter to the URL when necessary, without the JSP author's intervention. Example 11-11 shows how to use url.

Example 11-11. Using the url core tag to rewrite URLs

<%@page contentType="text/html"%>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>

<html>
  <head><title>URL Rewriter</title></head>
  <body>
    <h1>This page will use URL rewriting if necessary</h2>

    <c:url value="/default.jsp" var="goToDefault" escapeXml="false"/>

    Go to the default.jsp page <a href="<c:out value="${goToDefault}"/>">here</a>.

  </body>
</html>

This example uses a taglib directive to make the JSTL's core tag library available. This directive looks like this:

<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>

The url element of this tag library creates a URL representing the web component default.jsp located on the top level of the web application. The URL is stored in a goToDefault variable using the url element's var attribute. The escapeXml attribute is set to false (it is true by default) to prevent characters such as ampersands and angle brackets from being converted to their character entity codes in the URL. The url element looks like this:

<c:url value="/default.jsp" var="goToDefault" escapeXml="false"/>

The URL created by the custom action is then used as the value for an href attribute in the following manner:

<a href="<c:out value="${goToDefault}"/>">here</a>

This code uses the out custom action and an EL expression (${goToDefault}) to create the hyperlink. After the page is requested, the returned HTML looks like this if cookies are disabled in the browser:

<a href="/home/default.jsp;jsessionid=3CAF7CD0A0BFF5076B390CCD24FD8F0D">here</a>

You may notice two differences between the URL that was created here:

<c:url value="/default.jsp" var="goToDefault" escapeXml="false"/>

and the URL that was generated from the out custom action:

/home/default.jsp;jsessionid=3CAF7CD0A0BFF5076B390CCD24FD8F0D

First, the url custom action has automatically added the context path (/home in the example) as a prefix to /default.jsp. Second, the session ID was added to the URL as a path parameter named jsessionid, so that the link destination can access the session ID associated with this user and undertake session tracking.

A path parameter begins with a semicolon and a name/value pair, as in ;jsessionid=3CAF7CD0A0B.

The URL that the JSP creates by using the out element may also have additional parameters. Example 11-12 is the same as the first recipe example, except that parameters have been added to the URL inside the url custom action.

Example 11-12. Adding parameters using the url custom action

<%@page contentType="text/html"%>
<%@ taglib uri="http://java.sun.com/jstl/core" prefix="c" %>

<html>
  <head><title>JSP Page</title></head>
  <body>
    <h1>This page will use URL rewriting if necessary</h2>

    <c:url value="/default.jsp?n=${param.first}&l=${param.last}" 
           var="goToDefault" />

     Go to the default.jsp page <a href="<c:out value="${goToDefault}" 
           escapeXml="false" />">here</a>.

  </body>
</html>

The URL now looks like this:

/default.jsp?n=${param.first}&l=${param.last}

This URL uses embedded EL syntax to access two request parameters, called first and last. If code uses the EL to access a parameter named first, for instance, then it uses the param EL implicit object, followed by the dot operator, and the name of the parameter, as in ${param.first}. Suppose the example JSP is requested in the following manner:

http://localhost:8080/home/url_rewrite.jsp?first=Bruce&last=Perry

The url element's value attribute resolves to this code:

<c:url value="/default.jsp?n=Bruce&l=Perry" var="goToDefault" />

The out custom action further along in the example JSP has its escapeXml attribute set to false. If escapeXml is left with its default value (true) and the ampersand character (&) is replaced with its character entity code (&), the query string in the URL looks like this when the JSP is executed:

<a href="/home/default.jsp;jsessionid=D37AF592DACABD?n=Bruce&amp;l=Perry">
here</a>

To prevent this outcome when generating linked URLs with the out element, make sure to set out's escapeXml attribute to false.

Table 11-1. Special characters and entity codes

Character	Entity code
<	&lt;
>	&gt;
&	&amp;
'	&#039;
"	&#034;

Make sure to use relative URLs of the form /default.jsp when using URL rewriting with the url element. URL rewriting will not take place if an absolute URL is used in url's value attribute, as in http://www.mysite.com/home/default.jsp.

See Also

Recipe 11.6 on tracking session activity in JSPs; Recipe 11.8 on using URL rewriting in a servlet; the JSP Configuration section of the JSP v2.0 specification; Chapter 23 on the JSTL; the session-tracking sections of JavaServer Pages by Hans Bergsten (O'Reilly).