很久以前的笔记了,翻出来整理下。
有用的资源
在Tomcat的webapps/examples/ 目录下有很多实用详细的jsp代码例子。
JSP的本质
首先,JSP本质上是一个Servlet,jsp编绎器会把jsp文件编绎成一个对应的java类,而这个java类是实际上是一个servlet,从继承层次就可以看出来。
比如home.jsp,在tomcat下会生成一个home_jsp的类:
class home_jsp extends org.apache.jasper.runtime.HttpJspBase
class HttpJspBase extends javax.servlet.http.HttpServlet
Tomcat7生成为jsp对应的java代码在work目录下。如果是在eclipse里跑的tomcat,那么在eclipse的workspace/.metadata/.plugins/org.eclipse.wst.server.core/tmp1/work/Catalina/ 目录下。
一些JSP指令实际生成的代码
jsp:include指令:
<jsp:include page="xxx.jsp">
<jsp:param name="age" value="20"/>
</jsp:include>
实际生成的Java代码:
org.apache.jasper.runtime.JspRuntimeLibrary.include(request, response, "xxx.jsp" + (("xxx.jsp").indexOf('?')>0? '&': '?') + org.apache.jasper.runtime.JspRuntimeLibrary.URLEncode("age", request.getCharacterEncoding())+ "=" + org.apache.jasper.runtime.JspRuntimeLibrary.URLEncode("20", request.getCharacterEncoding()), out, false);
可以看出jsp:include指令和include编译指令是完全不同的,jsp:include是每次都动态加载,而include编绎指令是把两个jsp文件合起来,编绎成一个servlet。
jsp:useBean,jsp:setProperty,jsp:getProperty 三个指令的本质:
<jsp:useBean id="s1" class="com.test.Student" scope="application"></jsp:useBean> <jsp:setProperty name="s1" property="name" value="hello"/>
实际生成的Java代码:
pageContext = _jspxFactory.getPageContext(this, request, response,
null, true, 8192, true);
application = pageContext.getServletContext();
synchronized (application) {
s1 = (com.test.Student) _jspx_page_context.getAttribute("s1", PageContext.APPLICATION_SCOPE);
if (s1 == null){
s1 = new com.test.Student();
_jspx_page_context.setAttribute("s1", s1, PageContext.APPLICATION_SCOPE);
}
}
org.apache.jasper.runtime.JspRuntimeLibrary.introspecthelper(_jspx_page_context.findAttribute("s1"), "name", "hello", null, null, false);
可见jsp:useBean实际上得到一个对象,并调用setAttribute函数设置为scope的一个属性。比如scope="application",则实际和下面的代码差不多:
com.test.Student s1 = application.getAttribute("s1");
synchronized (application) {
if(s1 == null){
s1 = new com.test.Student();
application.setAttribute("s1", s1);
}
}
值得注意的是PageContext,即application对象在setAttribute时,要加上sync同步,因为servlet不是线程安全的。但是实际上有很多人手写的代码都没有注意到这点。
Tomcat7中session的实现
Tomcat7中session是通过cookie来实现的。实际上只有当调用request.getSession()函数时,才会设置cookie来支持session。如:
HttpSession session = req.getSession();
resp.getWriter().println("session id:" + session.getId());
当设置浏览器禁止cookie时,可以发现每一次请求,打印的session id都是不一样的,即都会有一个新的cookie值。并且这时如果调用session.setAttribute函数设置一些属性,则会发现属性设置是无效的。
实际上通过查看Tomcat7的源代码可以发现,是用一个HashMap来保存session id和session的关系。如果请求中没有session id,则当调用getSession()函数时,会生成一个新的id和一个新的session。
Tomcat7源代码中相关部分如下:
//ManagerBase.java
protected Map<String, Session> sessions = new ConcurrentHashMap<String, Session>();
//Request.java
protected Session doGetSession(boolean create) {
// There cannot be a session if no context has been assigned yet
if (context == null) {
return (null);
}
// Return the current session if it exists and is valid
if ((session != null) && !session.isValid()) {
session = null;
}
if (session != null) {
return (session);
}
// Return the requested session if it exists and is valid
Manager manager = null;
if (context != null) {
manager = context.getManager();
}
if (manager == null)
{
return (null); // Sessions are not supported
}
if (requestedSessionId != null) {
try {
session = manager.findSession(requestedSessionId);
} catch (IOException e) {
session = null;
}
if ((session != null) && !session.isValid()) {
session = null;
}
if (session != null) {
session.access();
return (session);
}
}
// Create a new session if requested and the response is not committed
if (!create) {
return (null);
}
if ((context != null) && (response != null) &&
context.getServletContext().getEffectiveSessionTrackingModes().
contains(SessionTrackingMode.COOKIE) &&
response.getResponse().isCommitted()) {
throw new IllegalStateException
(sm.getString("coyoteRequest.sessionCreateCommitted"));
}
// Attempt to reuse session id if one was submitted in a cookie
// Do not reuse the session id if it is from a URL, to prevent possible
// phishing attacks
// Use the SSL session ID if one is present.
if (("/".equals(context.getSessionCookiePath())
&& isRequestedSessionIdFromCookie()) || requestedSessionSSL ) {
session = manager.createSession(getRequestedSessionId());
} else {
session = manager.createSession(null);
}
// Creating a new session cookie based on that session
if ((session != null) && (getContext() != null)
&& getContext().getServletContext().
getEffectiveSessionTrackingModes().contains(
SessionTrackingMode.COOKIE)) {
Cookie cookie =
ApplicationSessionCookieConfig.createSessionCookie(
context, session.getIdInternal(), isSecure());
response.addSessionCookieInternal(cookie);
}
if (session == null) {
return null;
}
session.access();
return session;
}
Tomcat7的生成session id的算法
另外,还有一点很有意思的地方,Tomcat7的生成session id的算法:
可以看到里面的随机数用了SecureRandom。这个很多人都没有注意到这个,实际上很多安全相关的随机数生成器应该用SecureRandom,如果用Random,有可能会遭到攻击。
private void getRandomBytes(byte bytes[]) {
SecureRandom random = randoms.poll();
if (random == null) {
random = createSecureRandom();
}
random.nextBytes(bytes);
randoms.add(random);
}
/**
* Generate and return a new session identifier.
*/
public String generateSessionId() {
byte random[] = new byte[16];
// Render the result as a String of hexadecimal digits
StringBuilder buffer = new StringBuilder();
int resultLenBytes = 0;
while (resultLenBytes < sessionIdLength) {
getRandomBytes(random);
for (int j = 0;
j < random.length && resultLenBytes < sessionIdLength;
j++) {
byte b1 = (byte) ((random[j] & 0xf0) >> 4);
byte b2 = (byte) (random[j] & 0x0f);
if (b1 < 10)
buffer.append((char) ('0' + b1));
else
buffer.append((char) ('A' + (b1 - 10)));
if (b2 < 10)
buffer.append((char) ('0' + b2));
else
buffer.append((char) ('A' + (b2 - 10)));
resultLenBytes++;
}
}
if (jvmRoute != null && jvmRoute.length() > 0) {
buffer.append('.').append(jvmRoute);
}
return buffer.toString();
}