Why are scopes (page, session, request, application) used in JSP?

 
Ranch Hand
Hi there

I know how to set the different scopes of a variable using <c:set /> and how to use them with EL. My question is: in which scenarios do I need to consider defining the scope of a variable?

And what are the security risks if I have not defined the scope of some variable?


Thanks
 
Sheriff
Page scope, when you want to limit the scope of the variable to the current JSP page.

Request scope, when you want to share the variable with all resources used to process a request (servlet and JSP).

Session scope, when you want to retain values across requests for a single user and browser.

Application scope, when you want all resources in the application to be able to access the variable for the lifetime of the web app.

There are no security implications -- scope is all about what the variable is shared with and how long it lives.
 
Rancher
Also, I would double check any <c:set/> calls that set variables for anything other than page scope.
It's not really a JSP's responsibility to be setting stuff in higher scopes.

There may be exceptions (can't think of any yet, but that's no guarantee of anything), but it's probably a sign of your JSP doing more than simply organising stuff to display.
 
Kishor Joshi
Ranch Hand
@Bear

What are real-life web application scenarios where these scope concepts are considered?
 
Bear Bibeault
Sheriff
Every single web app I've ever written.

Examples:

The loop counters and meta data for <c:for> loops are kept in page scope.

Data being passed from a controller to its JSP is carried in request scope.

User-specific information, authorization and permissions are kept in session.

Application-wide settings are placed in application scope so all resources have access.

 
Kishor Joshi
Ranch Hand
@Bear

Thanks
 
Ranch Hand
I haven't set the scope of a variable in JSP, but I have run across potential security issues in working with web apps. There is always the possibility that a web application could have some sort of vulnerability in it.

Using the wrong scope can allow variables to be set in an unintended manner. It could give a user the capability to bypass conditions, such as form errors, that were intended to produce an error message. Using the wrong scope could give a user the capability to gain access to another user's private information. It could cause a user's private information to persist after a user has logged out of a web service. The next person using the same computer might be able to log into the same web service using a different username/password, and be able to access the previous user's private information.
 
Bear Bibeault
Sheriff

Rob Wehrstein wrote:
"Using the wrong scope can allow variables to be set in an unintended manner."

How?

"It could give a user the capability to bypass conditions, such as form errors, that were intended to produce an error message."

How?

"Using the wrong scope could give a user the capability to gain access to another user's private information."

How?

"It could cause a user's private information to persist after a user has logged out of a web service."

How?

"The next person using the same computer might be able to log into the same web service using a different username/password, and be able to access the previous user's private information."

How?

Without citations, your post is not very helpful.
 
Bear Bibeault
Sheriff
One way: putting information in application scope makes it available to all resources in the web app. So data intended to be used for a particular logged-in user, for example, should never be placed there.

This, of course, in no way means not to use application scope; just be sure to use it for information that needs to be shared across the application.
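
The scoping rule from the last post, as an added example that is not part of the thread: a servlet that keeps the logged-in user in session scope, a form error in request scope and an app-wide setting in application scope. The class name, attribute names and paths are hypothetical, and it assumes a Servlet 3.0+ container with container-managed login (`javax.servlet`; `jakarta.servlet` on newer containers).

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example: class, attribute names and paths are hypothetical.
// Assumes this servlet is mapped to /login and /logout.
public class AccountServlet extends HttpServlet {

    @Override
    public void init() {
        // Application scope: one value shared by every user and resource.
        getServletContext().setAttribute("supportEmail", "support@example.invalid");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            req.logout();
            HttpSession old = req.getSession(false);
            if (old != null) {
                old.invalidate(); // drops every session-scoped attribute
            }
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        try {
            // Container-managed check of the submitted credentials.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException e) {
            // Request scope: visible to the JSP we forward to, gone afterwards.
            req.setAttribute("loginError", "Invalid user name or password");
            req.getRequestDispatcher("/WEB-INF/login.jsp").forward(req, resp);
            return;
        }
        // Session scope: per user and browser, so user data belongs here.
        req.getSession(true).setAttribute("currentUser", req.getRemoteUser());
        // Not this: the ServletContext is shared, so each login would overwrite
        // the value that every other user's pages read.
        // getServletContext().setAttribute("currentUser", req.getRemoteUser());
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}
```

In the JSP, reading the value as `${sessionScope.currentUser}` rather than `${currentUser}` pins the lookup to the session, since an unqualified EL name is searched through page, request, session and application scope in that order.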
 