Validation and Exception Handling techniques


Java for enterprise networks
JSP Validation and Exception handling
• Why validate?
• Client side validation
• Server side validation
• Why catch exceptions?
• Exception handling in JSP
• Examples
• Context for the assignment
• Summary
Version 2.3 Feb 2008
[email protected]
Input validation
• Why? Security!
  – We wish to stop users accessing the system who are not recognised
• Input validation needs to be “airtight”
  – Use of regular expressions (http://www.regexlib.com/)
  – DIY validation routines
  – Input validation libraries
• Assume all input is malicious
• Constrain the possible inputs, e.g. length
• If necessary tidy up the input, i.e. strip off unwanted characters
• Reject all input that does not meet your criteria
• Form validation - article (http://www.elated.com/articles/formvalidation-with-javascript/)
Input: When to do the validation?
• Two choices:
  – Client side (i.e. the browser)
    • Reduces the work on the server
    • However, can be disabled, avoided or interfered with
  – Server side
    • Has the advantage of being processed by the server before being sent on for further processing or storage, e.g. to a database
• If you give this some thought for web applications...
  – They are using the request/response model
  – Industry tends to use JavaScript on the client – universal* to all browsers
  – PHP, Ruby, JSP or VBScript etc. on the server side
  – Why use this model?
Client side validation
• Either use HTML (to restrict) or JavaScript (to actively check) input format
• See the example .zip file on the schedule for this week
• Read the readme file for instructions on how to use it
  – unzip to your C:\ drive on your home PC
Server side validation
• Example with user input for a password
• Code checks for length and format of password
• If appropriate, permits the user to continue; otherwise sends the user back to the entry form to try again
• http://fcet11:8080/nas1/examples/login.html
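The slides' four rules (assume all input is malicious, constrain it, tidy it, reject what fails) applied to the two inputs the course uses, the age field and the password: this is an added example written for this page, not the code from the course's example zip or login.html. The class name, the allowlist patterns, the 256-character raw-length cap and the upper age bound of 150 are all assumptions made for the example; the rejection messages are fixed strings so that nothing a user typed is ever echoed back to the browser.

```java
import java.util.regex.Pattern;

/** Added example (not from the slides): server-side validation of form input. */
public final class InputValidator {

    // Allowlist patterns are assumptions for this example, not the course's own rules.
    private static final Pattern AGE = Pattern.compile("^[0-9]{1,3}$");
    // Password: 8-64 printable ASCII characters, at least one letter and one digit.
    private static final Pattern PASSWORD =
        Pattern.compile("^(?=.*[A-Za-z])(?=.*[0-9])[\\x21-\\x7E]{8,64}$");

    // Constrain length before doing anything else with the raw value.
    private static final int MAX_RAW_LENGTH = 256;
    private static final int MAX_AGE = 150; // assumed upper bound

    /** Outcome of a check: either a cleaned value or a fixed message safe to show the user. */
    public static final class Result {
        public final boolean ok;
        public final String value;   // cleaned input when ok, otherwise null
        public final String message; // fixed text; never contains the raw input

        private Result(boolean ok, String value, String message) {
            this.ok = ok; this.value = value; this.message = message;
        }
        static Result accept(String value) { return new Result(true, value, "OK"); }
        static Result reject(String message) { return new Result(false, null, message); }
    }

    /** Age: constrain length, tidy (trim), then check against the allowlist and range. */
    public static Result validateAge(String raw) {
        if (raw == null || raw.length() > MAX_RAW_LENGTH) {
            return Result.reject("Age is missing or too long.");
        }
        String cleaned = raw.trim();
        if (!AGE.matcher(cleaned).matches()) {
            return Result.reject("Age must be a whole number of 1 to 3 digits.");
        }
        int age = Integer.parseInt(cleaned); // cannot throw: the pattern guarantees 1-3 digits
        if (age > MAX_AGE) {
            return Result.reject("Age is out of range.");
        }
        return Result.accept(cleaned);
    }

    /** Password: constrain length and check the allowlist; no tidying, spaces may be intentional. */
    public static Result validatePassword(String raw) {
        if (raw == null || raw.length() > MAX_RAW_LENGTH) {
            return Result.reject("Password is missing or too long.");
        }
        if (!PASSWORD.matcher(raw).matches()) {
            return Result.reject(
                "Password must be 8-64 printable characters with at least one letter and one digit.");
        }
        return Result.accept(raw);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: valid, tidyable, non-numeric, too long, negative, empty.
        for (String age : new String[] { "42", " 7 ", "forty", "12345", "-1", "" }) {
            Result r = validateAge(age);
            System.out.println("age " + (age == null ? "null" : "'" + age + "'")
                + " -> " + (r.ok ? "accept " + r.value : "reject: " + r.message));
        }
        for (String pw : new String[] { "correct9horse", "short1", "nodigitshere", "pass word1" }) {
            Result r = validatePassword(pw);
            System.out.println("password -> " + (r.ok ? "accept" : "reject: " + r.message));
        }
    }
}
```

In a JSP this would be called from the scriptlet that handles the POST, and the page would redirect back to the entry form with `r.message` when `r.ok` is false, which is exactly the "send the user back to try again" behaviour the slide describes. Note that "pass word1" is rejected because the space falls outside the printable allowlist, so whether spaces are permitted is a policy decision to make explicitly rather than by accident.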
Exceptions
• Exceptions are by definition exceptional events that
occur during program execution
• Typical exceptional events (errors) are:
  – Database server is down
  – File is locked by another user
  – Mathematical errors (division by zero etc.)
  – No more memory available
  – Device or service not responding (e.g. DoS attack)
  – Alas, there are many others...
Exception Handling
• Unfortunately, it is not usually possible to know in
advance that an exception is about to occur
• How do we tell our program what to do in case an
exception does happen?
• Fortunately for object oriented coders, this problem
has a generic solution
• Since JSP is based on Java we can use this solution
in our web applications
Try…Catch
• In Java (and JSP) we can use a try…catch block
around any piece of code that may cause an
exception. [Same idea used in VB.net, PHP and others]
<%
try
{
    // Code which can throw an exception
}
catch(Exception e)
{
    // Exception handler code here
}
%>
Exceptions
• For very practical reasons, Java enforces the use of
try…catch blocks around any piece of code that can
cause an exception to be thrown.
• By ‘thrown’, it is meant that the exception has
occurred. (Used in vernacular English too - “toys
thrown out of pram”, “throw a tantrum”)
• When an exception is thrown, one of several things
can happen depending on what you want your web
application to do at that point.
Exception Handling
• Do nothing… let your program fall over and read the
error message that Java produces on the server
– Not nice, as you may have experienced!
• You could handle the exception locally (i.e. in your
code at the point where the exception occurred)
within your catch block.
• Or, you could redirect the user to an error page and
do something there
– Nicer in finished websites, simplifies handler
• Examples follow
Form.htm
<html>
<head></head>
<body>
<form action="FormHandler.jsp" method="post">
Enter your age ( in years ) : <input type="text" name="age" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
FormHandler.jsp
<html>
<head></head>
<body>
<%
int age;
age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<p><a href="Form.htm">Back</a>.</p>
</body>
</html>
But...
• This code works fine until a user enters something
other than an integer via the form.
Simple Fix - Local Try…Catch
<%
int age;
try {
age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<%
}
catch(NumberFormatException e) {
%>
<p>You must enter a number!</p>
<%
}
%>
User-Defined Error Page
<%@ page errorPage="ExceptionHandler.jsp" %>
<html>
<head></head>
<body>
<%
int age;
age = Integer.parseInt(request.getParameter("age"));
%>
<p>Your age is : <%= age %> years.</p>
<p><a href="Form.htm">Back</a>.</p>
</body>
</html>
User-Defined Error Page
<%@ page isErrorPage="true" import="java.io.*" %>
<html><head></head>
<body>
<p style="color: red;"><%= exception.toString() %></p>
<%
out.println("<!--");
StringWriter sw = new StringWriter();
PrintWriter pw = new PrintWriter(sw);
exception.printStackTrace(pw);
out.print(sw);
sw.close();
pw.close();
out.println("-->");
%>
</body>
</html>
Ok, Good, Better!
• This works well but we can do better!
• Currently, the error message that is displayed is a
standard Java message.
• These can be difficult to understand so instead we’ll
pass our own message to our error page for it to
display…
Combined Version
<%
int age;
try
{
age = Integer.parseInt(request.getParameter("age"));
}
catch (NumberFormatException e)
{
throw new JspException("Please enter a valid integer value!");
}
%>
Combined Version
• This time we catch the NumberFormatException
locally and throw a new JspException with our own
exception message.
• JspException is a JSP special exception class which
extends java.lang.Exception.
• We need to change the error page code to this:
<p style="color: red;">
<%= exception.getMessage() %>
</p>
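The combined version above, together with the user-defined error page shown earlier, written out as plain Java so the whole flow can be run and read in one place: this is an added example, not the course's JSP code. `UserFacingException` stands in for `JspException`, `parseAge` plays the part of the FormHandler.jsp scriptlet, and `renderErrorPage` plays the part of ExceptionHandler.jsp. Two points differ from the slide version by design: the stack trace is written to the server log rather than into an HTML comment, because anything inside `<!-- -->` is still delivered to every client and is readable with "view source", and the message is HTML-escaped before it is placed in the page, which matters the moment an exception message starts to include characters taken from user input. The class and method names, the logger and the sample inputs are all assumptions made for this example.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example (not the course's code): catch locally, rethrow with our own message,
 *  and let the error handler show the user only that message. */
public final class AgeFormFlow {

    private static final Logger LOG = Logger.getLogger(AgeFormFlow.class.getName());

    /** Stand-in for JspException: carries a message that is safe to show to users. */
    public static final class UserFacingException extends Exception {
        public UserFacingException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Equivalent of the FormHandler.jsp scriptlet in the "Combined Version". */
    public static int parseAge(String rawAge) throws UserFacingException {
        try {
            return Integer.parseInt(rawAge == null ? "" : rawAge.trim());
        } catch (NumberFormatException e) {
            // Fixed message: the raw input is never echoed back to the browser.
            throw new UserFacingException("Please enter a valid integer value!", e);
        }
    }

    /** Equivalent of ExceptionHandler.jsp: returns the HTML fragment the user should see. */
    public static String renderErrorPage(Exception exception) {
        // Full detail, including the wrapped NumberFormatException, goes to the server log only.
        StringWriter sw = new StringWriter();
        exception.printStackTrace(new PrintWriter(sw));
        LOG.log(Level.WARNING, "Form handler failed:\n{0}", sw);
        // Only getMessage() reaches the client, escaped so it cannot inject markup.
        return "<p style=\"color: red;\">" + escapeHtml(exception.getMessage()) + "</p>";
    }

    /** Minimal HTML escaping for text placed inside an element body. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '&':  b.append("&amp;");  break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    /** Simulates one request/response cycle for a submitted "age" parameter. */
    public static String handle(String rawAge) {
        try {
            int age = parseAge(rawAge);
            return "<p>Your age is : " + age + " years.</p>";
        } catch (UserFacingException e) {
            return renderErrorPage(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample submissions: valid, non-numeric, markup, missing parameter.
        for (String input : new String[] { "42", "forty two", "<script>", null }) {
            System.out.println(handle(input));
        }
    }
}
```

In the real JSP pair the `errorPage` directive and the `isErrorPage="true"` page's implicit `exception` object do the routing that `handle` does here; what carries over unchanged is the division of labour, a fixed user-facing message on the response and the diagnostic detail on the server.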
Summary
• JSP errors occur at run time and can be caused by something as small as a misplaced <% or }
  – Handling these gracefully improves the web application
• Validation to catch errors from, say, user input can be improved by the use of exception JSPs
  – Validation can also include checking input
• All the exception examples are in a zip file on the week 6 part of the Java WWW schedule