
Why Scope(page,Session,request,application) are used in jsp?

 
Kishor Joshi
Ranch Hand
Posts: 674
Hi there

I know how to set different scopes of a variable using <c:set /> and how to use them using EL. My question is: in which scenario do I need to consider defining the scope of a variable?

And what are the security risks if I have not defined the scope of some variable?


Thanks
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
  • Likes 2
Page scope, when you want to limit the scope of the variable to the current JSP page.

Request scope, when you want to share the variable with all resources used to process a request (servlet and JSP).

Session scope, when you want to retain values across requests for a single user and browser.

Application scope, when you want all resources in the application to be able to access the variable for the lifetime of the web app.

There are no security implications -- scope is all about what the variable is shared with and how long it lives.
 
Dave Tolls
Ranch Hand
Posts: 2835
  • Likes 1
Also, I would double check any <c:set/> calls that set variables for anything other than page scope.
It's not really a JSP's responsibility to be setting stuff in higher scopes.

There may be exceptions (can't think of any yet, but that's no guarantee of anything), but it's probably a sign of your JSP doing more than simply organising stuff to display.
 
Kishor Joshi
Ranch Hand
Posts: 674
@Bear

What are real-life web application scenarios where this scope concept is considered?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
  • Likes 2
Every single web app I've ever written.

Examples:

The loop counters and meta data for <c:for> loops are kept in page scope.

Data being passed from a controller to its JSP is carried in request scope.

User-specific information, authorization and permissions are kept in session.

Application-wide settings are placed in application scope so all resources have access.

 
Kishor Joshi
Ranch Hand
Posts: 674
@Bear

Thanks
 
Rob Wehrstein
Ranch Hand
Posts: 40
I haven't set the scope of a variable in JSP, but I have run across potential security issues in working with web apps. There is always the possibility that a web application could have some sort of vulnerability in it.

Using the wrong scope can allow variables to be set in an unintended manner. It could give a user the capability to bypass conditions, such as form errors, that were intended to produce an error message. Using the wrong scope could give a user the capability to gain access to another user's private information. It could cause a user's private information to persist after a user has logged out of a web service. The next person using the same computer might be able to log into the same web service using a different username/password, and be able to access the previous user's private information.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
Rob Wehrstein wrote:
Using the wrong scope can allow variables to be set in an unintended manner.

How?

It could give a user the capability to bypass conditions, such as form errors, that were intended to produce an error message.

How?

Using the wrong scope could give a user the capability to gain access to another user's private information.

How?

It could cause a user's private information to persist after a user has logged out of a web service.

How?

The next person using the same computer might be able to log into the same web service using a different username/password, and be able to access the previous user's private information.

How?

Without citations, your post is not very helpful.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 66144
One way: putting information in application scope makes it available to all resources in the web app. So data intended to be used for a particular logged-in user, for example, should never be placed there.

This, of course, in no way means not to use application scope; just be sure to use it for information that needs to be shared across the application.
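
Added example, not part of the thread or any poster's code: a plain-Java model of the point in the post above, showing what another user sees when per-user data is stored in application scope instead of session scope, and what survives a logout. The `ScopeLeakDemo` class, its maps and the session ids are hypothetical stand-ins for the servlet container; the lookup order follows how EL resolves `${name}` (page, request, session, application), with page scope left out for brevity.

```java
import java.util.*;

// Simplified model of JSP scopes (assumption: stands in for the servlet container;
// every name here is hypothetical). One application map is shared by all users,
// each session id gets its own map.
public class ScopeLeakDemo {
    static final Map<String, Object> application = new HashMap<>();
    static final Map<String, Map<String, Object>> sessions = new HashMap<>();

    static Map<String, Object> session(String id) {
        return sessions.computeIfAbsent(id, k -> new HashMap<>());
    }

    // Mirrors an unqualified EL lookup: request first, then session, then application.
    static Object resolve(String name, Map<String, Object> request, String sessionId) {
        if (request.containsKey(name)) return request.get(name);
        Map<String, Object> s = session(sessionId);
        if (s.containsKey(name)) return s.get(name);
        return application.get(name);
    }

    // Logout modeled as session invalidation: it drops session attributes only.
    static void logout(String sessionId) {
        sessions.remove(sessionId);
    }

    public static void main(String[] args) {
        Map<String, Object> emptyRequest = new HashMap<>();
        String profile = "alice's saved address (constructed sample)";

        // Wrong scope: alice's data is stored application-wide.
        application.put("profile", profile);
        System.out.println("app scope, bob sees:       " + resolve("profile", emptyRequest, "bob-session"));
        logout("alice-session");
        System.out.println("app scope, after logout:   " + resolve("profile", emptyRequest, "bob-session"));

        // Right scope: the same data lives in alice's session only.
        application.remove("profile");
        session("alice-session").put("profile", profile);
        System.out.println("session scope, bob sees:   " + resolve("profile", emptyRequest, "bob-session"));
        System.out.println("session scope, alice sees: " + resolve("profile", emptyRequest, "alice-session"));
        logout("alice-session");
        System.out.println("session scope, after logout: " + resolve("profile", emptyRequest, "alice-session"));
    }
}
```

In the application-scope half, the value is visible from bob's session and is still there after alice logs out; in the session-scope half, bob gets `null` and the value disappears when alice's session is invalidated.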
 