
Intermediate JSP

In this LDS Java Stack training we will build on the Introduction to JSP training, and discuss some more advanced concepts and best practices. Some of the main topics will include the Expression Language (EL), Taglibs, and templating. This is going to be a party you will not want to miss!

Prerequisites

  • Basic knowledge of Java language.
  • Basic knowledge of XML syntax and structure.
  • Must have previously completed the Introduction to JSP training.
  • A workstation running Windows, Linux, or Mac OS.

Slide Deck

Media:IntermediateJSP.pptx

Outline

Review

Expression Language (EL)

  • Value and method expressions
  • Operators
  • ...

Taglibs

  • Goals
  • Usage
  • Common taglibs (core, spring, ...)

Custom Taglibs

  • Creation
  • Functions
  • Taglets (tag files)
  • Templating


Expression Language (EL) Presentation


Lab 1 Expression Language (EL)

Demonstrate use of implicit objects, arithmetic operators, and ternary conditional

  • Download and install the following application: Media:jsp-labs.zip
    • Unzip the file into your workspace
    • In the LDSTech IDE go to File -> Import... -> Maven (expand) -> Existing Maven Projects -> Next
    • Browse to the unzipped project and press Finish
    • Test that the application runs
      • Right click on project and select Run As -> Run on server
      • Select or manually define a new Tomcat 6.0 Server (not an LDSTech server)
        • This will be found in Apache (expand) Tomcat v6.0 Server
  • Now, for the lab, when you access the application append an age request parameter on the url
    • Such as http://localhost:8080/jsp-labs/?age=20
  • Then in the index.jsp page
    • Use EL and param implicit object to get the age parameter
    • Using a ternary operator, check if it is less than 40 (i.e. non-protected class :)
    • If so, print out that they were not supposed to enter their age in dog years, otherwise print some sort of welcome
  • This will look something like the following:
     ${param['age'] < 40 ? "Don't enter your age in dog years." : "Welcome youngster"}
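
As an added example (not part of the original lab files), a complete index.jsp that uses the param implicit object, the ternary operator and an arithmetic operator, and also guards the case the single expression above does not: when no age parameter is sent, EL coerces the missing value to 0, so `param['age'] < 40` is true and the "dog years" message is shown for an empty request. The page directive and the extra "in ten years" line are assumptions for illustration.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<!DOCTYPE html>
<html>
<body>
  <%-- param is the EL implicit object for request parameters;
       param.age and param['age'] are equivalent. The outer ternary
       uses the 'empty' operator so a missing parameter is not coerced to 0. --%>
  <p>${empty param.age ? 'Add ?age=NN to the URL.' : (param.age < 40 ? "Don't enter your age in dog years." : 'Welcome youngster')}</p>

  <%-- Arithmetic operator: EL coerces the string "20" to a number before adding. --%>
  <p>In ten years you will be ${empty param.age ? '?' : param.age + 10}.</p>
</body>
</html>
```

Note that EL only coerces values that parse as numbers; a request such as ?age=abc makes `param.age < 40` throw an ELException, which Tomcat reports as a 500 error, so a production page would validate the parameter in a controller rather than in EL.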

Lab 1 Solution


Taglibs Presentation


Lab 2 Taglibs

For the lab, use the encoding functions in the Stack to fix the vulnerability

  • Currently there is a Cross-site scripting vulnerability in encoding.jsp
  • NOTE: Some of these will not work in Google Chrome, so use Firefox or IE
  • Open encoding.jsp and look at the code, then attempt to exploit the XSS vulnerabilities with something like the following:
    • Exploit the XSS vulnerability in the JavaScript with something like -

http://localhost:8080/jsp-labs/encoding.jsp?js='billy';})();(function(){alert('I own you!')

      • Note this ends the current JavaScript function and begins a new one that can do anything the original page author could do
    • Exploit the XSS vulnerability in the Html with something like -

http://localhost:8080/jsp-labs/encoding.jsp?html=<script>alert('You are lucky I am nice.');</script>

    • Try to exploit the XSS vulnerability in the attribute -

http://localhost:8080/jsp-labs/encoding.jsp?attribute=500" width="500" onmouseover="alert(document.cookie);" src="http://lds.org/bc/content/shared/content/english/images/logo/logo_white.png

  • Modify the page to negate this vulnerability
    • Define this repository:
        <repositories>
            <repository>
                <id>lds-main</id>
                <name>Main Approved LDS Repo</name>
                <url>http://code.lds.org/nexus/content/groups/main-repo</url>
                <snapshots>
                    <enabled>true</enabled>
                </snapshots>
                <releases>
                    <enabled>true</enabled>
                </releases>
            </repository>
        </repositories>
    • Add the security web dependency to pom.xml
        <dependency>
            <artifactId>stack-security-web</artifactId>
            <groupId>org.lds.stack.security.web</groupId>
            <version>1.0.3</version>
        </dependency>
    • Add the appropriate namespace
    • Utilize the proper encoding function for the given usage with something like the following:
        <%@taglib prefix="ssw" uri="http://code.lds.org/security/web" %>

        <%-- use the encoder that matches the output context --%>
        ${ssw:encodeHtml(param.html)}
        ${ssw:encodeJS(param.js)}
        ${ssw:encodeAttribute(param.attribute)}
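
Below is an added example of what the hardened encoding.jsp could look like; it is not the lab's original file and the page layout (the greeting paragraph, the img element and its src="logo.png") is assumed. The point it demonstrates is that each of the three injection points in the lab sits in a different output context, so each needs the encoder for that context: encodeJS inside a JavaScript string literal, encodeHtml in element content, and encodeAttribute inside a quoted attribute value. Using the wrong one (for example encodeHtml inside the script) leaves the page exploitable.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="ssw" uri="http://code.lds.org/security/web" %>
<!DOCTYPE html>
<html>
<head>
  <title>Encoding lab (hardened)</title>
</head>
<body>
  <%-- HTML body context: encodeHtml renders the ?html= value as literal
       text, so a <script> tag in the parameter is displayed, not executed. --%>
  <p>${ssw:encodeHtml(param.html)}</p>

  <%-- Quoted attribute context: encodeAttribute keeps the ?attribute= value
       inside the quotes, so 500" onmouseover="... cannot add a new attribute. --%>
  <img width="${ssw:encodeAttribute(param.attribute)}" src="logo.png" alt="logo" />

  <p id="greeting"></p>
  <script type="text/javascript">
    (function () {
      // JavaScript string context: encodeJS escapes the ?js= value so the
      // quote in 'billy';})();... cannot terminate the literal and start new code.
      var name = '${ssw:encodeJS(param.js)}';
      // Assign with textContent rather than innerHTML: once the browser has
      // decoded the JS escapes the value is plain data again and must not be
      // re-interpreted as markup.
      document.getElementById('greeting').textContent = 'Hello, ' + name;
    })();
  </script>
</body>
</html>
```

With the three encoders in place the exploit URLs earlier in this lab render their payloads as visible text instead of running them, which is the check to repeat after the change.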


Lab 2 Solution


Custom Taglibs Presentation


Lab 3 Custom Taglibs

Utilize taglet templating

  • Create a tag file in WEB-INF/tags named template.tag
    • Add the following content to the tag
        <!DOCTYPE html>
        <%@tag description="Base Template Tag" pageEncoding="UTF-8"%>
        <%@attribute name="title" required="false" rtexprvalue="true"%>
        <%@attribute name="header" required="false" fragment="true"%>
        <%@attribute name="footer" required="false" fragment="true"%>

        <html xmlns="http://www.w3.org/1999/xhtml">
            <head>
                <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                <title>${title}</title>
            </head>
            <body>
                Pre header:
                <jsp:invoke fragment="header" />
                <div class="ixf-panels">
                    Pre body:
                    <jsp:doBody />
                </div>
                Pre footer:
                <jsp:invoke fragment="footer" />
            </body>
        </html>
  • Create a jsp file that utilizes the template tag with something like the following:
        <%@taglib prefix="tags" tagdir="/WEB-INF/tags" %>
        <tags:template>
            <jsp:body>
            </jsp:body>
        </tags:template>
    • Override everything possible from the template
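
As an added example of the last step (not the lab's solution file), a page that overrides every customisation point template.tag exposes: the title is a plain attribute with rtexprvalue="true", so it can be passed inline, while header and footer are declared fragment="true" and can only be supplied through jsp:attribute, which in turn requires the page body to be wrapped in jsp:body. The headings and text inside the fragments are assumed for illustration.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ taglib prefix="tags" tagdir="/WEB-INF/tags" %>
<tags:template title="Lab 3 - templating">
    <%-- Fills the 'header' fragment; rendered where the tag calls
         <jsp:invoke fragment="header" /> --%>
    <jsp:attribute name="header">
        <h1>Custom header</h1>
    </jsp:attribute>

    <%-- Fills the 'footer' fragment; rendered by <jsp:invoke fragment="footer" /> --%>
    <jsp:attribute name="footer">
        <p>Custom footer</p>
    </jsp:attribute>

    <%-- Rendered where the tag calls <jsp:doBody /> --%>
    <jsp:body>
        <p>Page body inside the ixf-panels div.</p>
    </jsp:body>
</tags:template>
```

Fragments that are omitted simply render nothing, because both are declared required="false"; the "Pre header:" and "Pre footer:" text comes from the tag file itself and is not overridable from the page.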


Lab 3 Solution


Credits

This page was last modified on 11 August 2011, at 08:36.

Note: Content found in this wiki may not always reflect official Church information. See Terms of Use.