Matt Raible is a writer with a passion for software. Connect with him on LinkedIn.


Proposed Tomcat Enhancement: Add flag to escape JSP's EL by default

I posted the following to the Tomcat Developers mailing list. Unfortunately, it didn't get any responses, which means (to me) that no one cares about this feature. I guess the good thing is they didn't veto it.

Hello all,

I'm working for a client that's using a proprietary Servlet/JSP-based framework that runs on Tomcat. They have their own custom JSP compiler and they're looking to move to a standard JSP compiler. One of the things their compiler supports is automatic escaping of XML in expressions. For example, ${foo} would be escaped so <body> -> &lt;body&gt;. JSP EL does not do this. It *doesn't* escape by default and instead requires you to wrap your expressions with <c:out/> if you want escaping.

I'd like to ask what developers think about adding a flag (similar to trimSpaces in conf/web.xml) that allows users to change the escaping behavior from false to true?

I think this is a good option to have as it allows security-conscious organizations to be paranoid and escape all content by default.

Thanks,

Matt

Related: http://raibledesigns.com/rd/entry/java_web_frameworks_and_xss

What do you think? Is there anything wrong with adding this (optional) feature to Tomcat? Enhancing security is a good thing - right?

Update: I've entered an enhancement request for this feature and attached a patch.
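
The behavior the mailing-list post describes, as an added example (not code from the original post or from Tomcat): one JSP that prints the same value with plain EL, with `<c:out/>` and with `fn:escapeXml`. The file name `escape-demo.jsp` and the `foo` request parameter are assumptions, and the JSTL core and functions taglibs must be available to the webapp.

```jsp
<%-- escape-demo.jsp: added example, not from the original post.
     Request it as escape-demo.jsp?foo=%3Cbody%3E so that foo is "<body>",
     the value used in the post. --%>
<%@ page contentType="text/html; charset=UTF-8" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
<c:set var="foo" value="${param.foo}" />
<html>
<body>
  <%-- 1. Plain EL: the value is written to the response unchanged,
          so "<body>" reaches the browser as markup. --%>
  <p>Plain EL: ${foo}</p>

  <%-- 2. c:out escapes XML by default (escapeXml="true"),
          so the response contains &lt;body&gt;. --%>
  <p>c:out: <c:out value="${foo}" /></p>

  <%-- 3. fn:escapeXml applies the same escaping inside an EL expression,
          which is the form to use inside an attribute value. --%>
  <input type="text" name="foo" value="${fn:escapeXml(foo)}" />

  <%-- 4. escapeXml="false" makes c:out behave like form 1;
          search for it, and for bare ${...} in template text, during review. --%>
  <p>Opt-out: <c:out value="${foo}" escapeXml="false" /></p>
</body>
</html>
```

Forms 2 and 3 are what a default-escape flag would make unnecessary; until such a flag exists, every expression that prints request or database data needs one of them.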

Posted in Java at Sep 19 2007, 04:29:11 PM MDT 12 Comments

Does Struts 2 suck?

As far as I can tell, Struts 2 sucks. To be fair, so does Stripes. Why? Because there's no developer feedback for invalid properties or OGNL Expressions. What does this mean? It means if you fat-finger a property name, nothing happens. The OGNL exception is swallowed and you never know you did anything wrong. Furthermore, no one seems to care. The XWork folks will help you build, but not solve the problem. This seems like a major deal-breaker to me. However, I also believe it can be fixed - so maybe there's hope.

To demonstrate the problem, I did an experiment. I used the "user details" page in AppFuse Light to fat-finger a property name for the following frameworks: Struts 1, WebWork, Struts 2, JSF, Spring MVC, Stripes, Tapestry and Wicket. First, I tried changing the "lastName" property to "LastName" to see if the framework's property evaluation was case-sensitive. I found that with WebWork/Struts 2, Stripes and Tapestry, the property is not case-sensitive. I prefer case-sensitivity, but maybe that's because I prefer Unix over Windows.

The 2nd thing I tried was changing "lastName" to "pastName" to see if I'd get an error. An error occurred for all the frameworks mentioned, except for WebWork/Struts 2 and Stripes. This makes me believe these frameworks suck. They both use OGNL, so they could blame it on that, but Tapestry uses OGNL and it presents an error message. After this small experiment, my conclusion is the following frameworks have the best developer feedback:

  • Struts 1
  • JSF
  • Spring MVC
  • Tapestry
  • Wicket*

* Wicket seems like it needs some work as all it presents is "Internal Error" and makes you dig through your log files to find the problem.

Without good developer feedback, how can you have good productivity?

Dear Struts 2 and Stripes Developers,

What do you think about improving your error messages for invalid properties and expressions? Is this a feature you think you could add? We'd love it if you did.

Sincerely,

Your Users


Update: Stripes doesn't suck and Wicket has excellent error reporting. See my comment below for more details.

Update 2: I've created a patch to (hopefully) solve this issue in XWork. If you have any feedback on ways to improve this patch, I'd love to hear about it.

Posted in Java at Sep 05 2007, 11:21:57 AM MDT 39 Comments

Jetty 6.x versus Tomcat 6.x

An AppFuse user asks:

Has anyone done any performance benchmarking between Jetty 6.x and Tomcat 6.x to see which one is better for production use in terms of scalability, performance and ease-of-use? I'm gearing towards Jetty 6.1 but want to hear other's opinions first.

I admit, I completely changed the wording in this quote to make it more readable.

Most of the companies I've worked with in recent years have been using Tomcat (very successfully) in production. However, I also know the Contegix and JavaLobby guys continue to swear by Resin for the most part. What's your opinion?

IMHO, I don't think it really matters - they're all good enough for production use.

Posted in Java at Aug 15 2007, 09:50:17 AM MDT 7 Comments

Trim Spaces in your JSP's HTML Redux

Since my last post on trimming whitespace in JSPs seems to be a popular topic, I figured it appropriate to note that JSP 2.1 supports a new trimDirectiveWhitespaces page directive attribute.

    <%@ page trimDirectiveWhitespaces="true" %>

If you're using a Servlet 2.5 XSD, you can also do this in your web.xml:

    <jsp-config>
      <jsp-property-group>
        <url-pattern>*.jsp</url-pattern>
        <trim-directive-whitespaces>true</trim-directive-whitespaces>
      </jsp-property-group>
    </jsp-config>

A Servlet 2.5 XSD seems to be the following:

    <web-app
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
        metadata-complete="false"
        version="2.5">

To learn more about this feature, view Summary of New Features in JSP 2.1 Technology and search for "TrimWhiteSpace". It'd be nice if there were anchors in this article for a direct link, but I couldn't find any.

Now I just wish JSP's EL had an xmlEscape="true" flag to escape XML in printed variables. Freemarker supports this.

Hat tip to Kerem and Krishna's Unified Expression Language for JSP and JSF article.

Posted in Java at Aug 01 2007, 05:01:25 PM MDT 10 Comments

Thoughts on MyFaces 1.2 vs. JSF RI

Yesterday, MyFaces 1.2 was released. I took the opportunity to upgrade AppFuse Light and found it surprisingly easy to do so. The only issue I ran into is my testing logic no longer works. I haven't had a chance to dive deeper into trying to fix the problem, but I did check the code in.

Since I'm using Facelets with MyFaces, I figured it should be possible to run my app on Tomcat 5.x. No dice. I tried replacing MyFaces with Sun's RI (version 1.2_04) and voila! - it works.

From what I learned yesterday, it appears that MyFaces 1.2 will only run on a container that supports JSP 2.1. Sun's RI, on the other hand, will run on a Servlet 2.4/JSP 2.0 container. I don't know if Sun's RI is doing things properly, but it doesn't seem like Servlet 2.5 is required (which is kinda nice IMO).

You might ask why I care about JSP 2.0 vs. JSP 2.1? In reality, I don't. However, if I were to mix and match Struts 2 and JSF in the same application (using the Struts 2 JSF Plugin), I'd like to do it on a JSP 2.0 container. Why? Because OGNL (the EL in Struts 2) uses the pound sign (#) for expressions and JSP 2.1 hijacked that. Until the Struts team fixes that, I'm stuck on JSP 2.0. The workaround (disabling EL for all JSPs) doesn't seem like a good option to me.

Posted in Java at Jul 19 2007, 11:32:18 AM MDT 7 Comments

Configuring Tomcat for Production

From The Atlassian Developer Blog:

You appear to be running Tomcat in development mode. (http://tomcat.apache.org/tomcat-5.5-doc/jasper-howto.html)

This means that source of every JSP is held in memory to provide detailed messages in the event of an error. If you have large JSPs this will hurt. It looks like this accounts for 50MB+

From Tomcat's Production Configuration documentation:

The main JSP optimization which can be done is precompilation of JSPs. However, this might not be possible (for example, when using the jsp-property-group feature) or practical, in which case the configuration of the Jasper servlet becomes critical.

When using Jasper 2 in a production Tomcat server you should consider making the following changes from the default configuration.

  • development - To disable on access checks for JSP pages compilation set this to false.
  • genStringAsCharArray - To generate slightly more efficient char arrays, set this to true.
  • modificationTestInterval - If development has to be set to true for any reason (such as dynamic generation of JSPs), setting this to a high value will improve performance a lot.
  • trimSpaces - To remove useless bytes from the response, set this to true.

Seems like good information to know.

Posted in Java at Apr 16 2007, 04:05:03 PM MDT 1 Comment

JSF still sucks?

Granted, this post about how painful JSF is is almost 6 months old, but I think it's still mostly true.

Want to compare times? More than three man-weeks have been spent fixing silly JSF navigation problems. A full CRUD AJAX interface with Spring MVC and prototype in the same project took four days, and there was no previous experience with Spring MVC.

If you're going to use JSF, I highly recommend Facelets or Shale/Seam. However, those are mentioned as well:

The default view technology is JSP, even when no one in the real world would recommend it; instead, use Facelets, or Clay, or some other non-standard framework. Not trying to be sarcastic here, since Facelets is pretty good, but this complicates the hiring and education of the team and in fact invalidates the selling point of Faces 'being a standard'.

IMO, Facelets is very easy to learn. If you know how to program JSPs with JSF, you should be able to use Facelets in under an hour. When we converted AppFuse's JSF flavor from JSP to Facelets, rarely did the body have to change - we just had to change from taglibs to XML namespaces.

When you are not working with persistent data (if you are living in a cave or developing wizard interfaces) there are two scopes to store model state: the session context, which raises concurrency issues and is not recommended by the Faces community, and the conversation/process/whatever context, which is not standard and imply installing shale or seam to put even more lipstick on the pig.

There's two problems with Shale and Facelets - the activity on these projects is very low. Shale still has its creators around, so even while it's seldom used, you can probably still get your questions answered. However, Facelets seems to be suffering from "developer abandonment".

Conclusion: don't use JSF simply because it's a "standard". Use other frameworks that are more actively developed and designed for the web. For component-based frameworks, the most popular are Tapestry and Wicket. Less popular ones are RIFE and Click.

If you still want to use JSF, you should probably use Seam, but don't simply use JSF because it's a standard. If it was a de-facto standard, that'd be another story.

Of course, you could also help improve JSF 2.0. But that's not scheduled for release until late 2008. I'm sure 2 or 3 commenters will claim we'll all be using Rails or Grails by then. ;-)

Posted in Java at Apr 16 2007, 12:40:45 PM MDT 14 Comments

Zero Configuration in Struts 2

Struts 2 has a nifty zero configuration feature. However, it's only useful for registering actions, not for automatically registering results. In other words, you still have to use an @Result annotation to tell your action what page to dispatch to. To use default view names instead of requiring @Result, you can use the Codebehind Plugin. Also, did you know Struts 2 will autowire your Spring dependencies? It's pretty slick.

What does this all mean? It means you can write your Struts 2 application without writing any XML. Of course, you can still use XML to tweak behavior, but with these plugins enabled, you won't have to.

IMO, these plugins should be combined into a single zero configuration feature.

Here's how you can enable Struts 2's Zero Configuration feature in AppFuse 2.0:

  1. Add an actionPackages parameter to the "struts" filter in your web.xml:
    <filter>
        <filter-name>struts</filter-name>
        <filter-class>org.apache.struts2.dispatcher.FilterDispatcher</filter-class>
        <init-param>
            <param-name>actionPackages</param-name>
            <param-value>com.company.newapp.webapp.action</param-value>
        </init-param>
    </filter>
    
  2. Add the Codebehind Plugin as a dependency in your pom.xml:
    <dependency>
        <groupId>org.apache.struts</groupId>
        <artifactId>struts2-codebehind-plugin</artifactId>
        <version>2.0.6</version>
    </dependency>
    
  3. Add a struts.codebehind.pathPrefix constant in struts.xml for your default pages directory:
    <constant name="struts.codebehind.pathPrefix" value="/WEB-INF/pages/"/>
    

That's it - now you can code away without configuring anything!

How does this compare to other web frameworks in AppFuse? Tapestry has a similar feature, but Spring MVC and JSF don't. Spring MVC still requires you create a bean definition for Controllers and JSF requires you write a chunk of XML for each managed bean. Of course, if you know how to do something similar with Spring MVC or JSF, please let me know.

Posted in Java at Mar 07 2007, 05:19:18 PM MST 9 Comments

AppFuse 2.0 M3 Released

The AppFuse team is pleased to announce the release of AppFuse 2.0 M3! This release marks a milestone in our documentation efforts. We've completed all of the web framework tutorials and ensured that all the archetypes work properly. Turkish language support was added and native2ascii was integrated so all i18n bundles should work properly.

The major things missing from this release are code generation (AppGen) and web services (XFire) support. We hope to add both of these before the final release.

AppFuse 2.0 is available as a Maven archetype. For information on creating a new project using this release, please see the QuickStart Guide.

The 2.0 series of AppFuse has a minimum requirement of the following specification versions:

  • Java Servlet 2.4 and JavaServer Pages (JSP) 2.0
  • Java 2 Standard Platform Edition (J2SE) 5.0

For more information, please see the 2.0 M3 Release Notes.

We appreciate the time and effort everyone has put toward contributing code and documentation, posting to the mailing lists, and logging issues. We also greatly appreciate the help from our sponsors, particularly Atlassian, Cenqua, Contegix, JetBrains, Java.net and KGBInternet. Without them, working on this project wouldn't be nearly as much fun. ;-)

Posted in Java at Feb 06 2007, 02:16:45 PM MST 16 Comments

AppFuse 2.0 Status

We're working hard on AppFuse 2.0. The good news is things are coming along really nicely. There's quite a few developers working on the project now and they've been a tremendous help. If I knew the move to Maven 2 would've inspired so much help, I would've done it a long time ago! We've got most of the archetypes created and we just need to work on documentation for the 2.0 M1 release. As far as the roadmap is concerned, we've finished most of the code for an M2 release, but we still need to do documentation. I'm hoping to release 2.0 M1 on Thursday of next week.

If you want to try it, you can check out the Hello World with AppFuse 2.0 video. After that, feel free to take it for a test drive using the QuickStart Guide.

New features in AppFuse 2.0:

  • Maven 2 Integration
  • Upgraded WebWork to Struts 2
  • JDK 5, Annotations, JSP 2.0, Servlet 2.4
  • JPA Support
  • Generic CRUD backend
  • Full Eclipse, IDEA and NetBeans support
  • Fast startup and no deploy with Maven Jetty Plugin
  • Testable on multiple appservers with Cargo and profiles

Speaking of goodies, I uploaded a bunch of AppFuse desktop backgrounds to Flickr. Thanks to Max Hays of Timberline Group for creating these.

Only 26 days left until the AppFuse 2.0 Release Party! Location TBD. :-D

Posted in Java at Jan 06 2007, 01:18:38 AM MST 3 Comments