Using Action inheritance to enhance Struts applications

Previously, the web application I work with had all Action classes inherit from the Struts Action class.  We noticed that on each request, every action had to perform user authentication, catch errors, and create EJB session facades.  Many newly created actions neglected proper checking.  We decided to create our own abstract base action classes for our action classes to inherit from.  The abstract base classes inherit from the Struts Action class and implement the 'execute' method.  Within the execute method we put the authentication checking code and set variables to hold the request, response, and frequently used session facades.  The base class also declares an abstract method, called either getJSON or getMapping, which execute calls to perform the action; it returns either the forwarding location of the view/JSP or a JSON object to be returned to an AJAX call.

We implemented the new abstract base classes and changed all our action classes to inherit from them.  Not only did we enhance the security and consistency of the system, but we reduced the code base by hundreds of lines of code.

Note: Struts creates only one instance of each Action class, so you cannot use member variables in these classes.  All variables that are set up need to be local and passed to the getJSON and getMapping methods via parameters.
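
A sketch of such a base class for the getMapping case, added here as an illustration and not the application's actual code. The session attribute "authenticatedUser" and the forward names "login" and "error" are assumptions, and the session facade setup is left out.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Base class for page actions: every request is authenticated here before
 * the subclass runs. Assumed names (not from the original application):
 * session attribute "authenticatedUser", forwards "login" and "error".
 */
public abstract class BaseMappingAction extends Action {

    // No instance fields: Struts shares one instance of each Action across
    // all request threads, so per-request state must stay in local variables.

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) {
        // Do not create a session just to find out that nobody is logged in.
        HttpSession session = request.getSession(false);
        Object user = (session == null) ? null : session.getAttribute("authenticatedUser");
        if (user == null) {
            return mapping.findForward("login"); // fail closed: no user, no action
        }
        try {
            return getMapping(mapping, form, request, response, user);
        } catch (Exception e) {
            // Central error handling: log on the server, show a generic page.
            servlet.log("Action failed: " + getClass().getName(), e);
            return mapping.findForward("error");
        }
    }

    /** Subclasses implement only the business logic; all state arrives as parameters. */
    protected abstract ActionForward getMapping(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response, Object user)
            throws Exception;
}
```

Declaring execute as final means a new action cannot override it and skip the authentication check.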

Generate HTML elements with Java

I was looking for an ASP.NET equivalent in Java for generating HTML elements.  I found a nice Apache package to do this.  It is called the Element Construction Set.  http://jakarta.apache.org/ecs/index.html

Javadocs for the package can be found here: http://www.docjar.org/docs/api/org/apache/ecs/html/

This will greatly simplify generating HTML, particularly in a Struts tag library or anywhere outside a JSP.

Example usage from http://jakarta.apache.org/ecs/index.html:

Document doc = (Document) new Document()
              .appendTitle("Demo")
              .appendBody(new H1("Demo Header"))
              .appendBody(new H3("Sub Header:"))
              .appendBody(new Font().setSize("+1")
                         .setColor(HtmlColor.WHITE)
                         .setFace("Times")
                         .addElement("The big dog & the little cat chased each other."));
out.println(doc.toString());
// or write to the output stream directly
doc.output(out);

Generates the equivalent to:

out.println("<HTML>");
out.println("<HEAD><TITLE>Demo</TITLE></HEAD>");
out.println("<BODY>");
out.println("<H1>Demo Header</H1>");
out.println("<H3>Sub Header:</H3>");
out.println("<FONT SIZE=\"+1\" FACE=\"Times\" COLOR=\"#FFFFFF\">");
out.println("The big dog &amp; the little cat chased each other.");
out.println("</FONT>");
out.println("</BODY>");
out.println("</HTML>");

How to escape Java HTML strings

Injection attacks are one of the easiest attacks that can be performed on a website.  Escaping input before printing it to an HTML page is important to avoid this.

StringEscapeUtils is a utility class available from the Apache commons packages.

How to use it in a JSP:

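<%@ page import="org.apache.commons.lang.StringEscapeUtils" %>

<%
// Untrusted value taken straight from the request
String unsafeString = request.getParameter("userInput");
// HTML-escape it before writing it into the page
out.println(StringEscapeUtils.escapeHtml(unsafeString));
%>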