This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
The following is a question from Enthuware Mock Exam:
The correct answer is "It will print Hello and will set the count attribute in the session."
I answered: "It will throw a NullPointerException at request time."
The explanation the tool gives for the correct answer is:
Had this code been in a regular servlet like this:
It would have thrown an NullPointerException as request.getSession(false) would have returned null (since this is a first ever request to the servlet container.)
However, in case of JSP pages, the session is automatically created by default. I.e. <%@ page session="true" %>
I wasn't convinced with the explanation and hence I tried creating a JSP and it worked as per the given comments. I also observed the servlet code resulting from translating the JSP (which said HttpSession session = pageCotext.getSession()). For the session attribute of page directive, the spec says:
If true then the implicit script language variable named session of type javax.servlet.http.HttpSession references the current/new session for the page.
But I fail to understand why a JSP is given a session object when it has not been explicitly "requested" by a developer; and what does it mean to have a new session just for the page? And given that, does a request to any JSP automatically associate a session with the client, even when there is no need to have a notion of "state"?
This is given in the spec itself, I think you missed it
JSP Spec wrote:page directive session attribute If true then the implicit script language variable named session of type javax.servlet.http.HttpSession references the current/new session for the page.
If false then the page does not participate in a session; the session implicit variable is unavailable, and any reference to it within the body of the JSP page is illegal and shall result in a fatal translation error.
Default is true.
So if you don't specify the session attribute in a JSP page, it will automatically create a session object. To stop the JSP from doing so, you'll have to explicitly set the session attribute of the page directive to false...
I did go through the spec, and I am convinced why that answer is what it is, but I don't see, from a design viewpoint, why a "new" session object is automatically available to all JSP pages with no existing session AND default value of "true" for the session attribute in the page directive.
Does it mean the JSP page which encounters this kind of code for the first time from a new user is the initiator of a new session for the user? or rather put another way - Is this session available to other resources for further requests from the same user?
If not, what use is a new session meant just for a JSP page, if its really not involved in any state maintenance and which ultimately is going to get destroyed at the end of _jspService method?
but I don't see, from a design viewpoint, why a "new" session object is automatically available to all JSP pages with no existing session AND default value of "true" for the session attribute in the page directive.
You should look at it as a convenience to the developer. The JSP (view) is normally where you show the results of the request being made. Often you want to show values of attributes which are stored in the Session object so you would have repeating code in the JSPs to get hold of the Session object.