How to avoid Java Code in JSP-Files

The use of scriptlets (those <% %> things) is indeed highly discouraged since the birth of taglibs (like JSTL) and EL (Expression Language, those ${} things) over a decade ago. The major disadvantages of scriptlets are:

  1.     Reusability: you can’t reuse scriptlets.
  2.     Replaceability: you can’t make scriptlets abstract.
  3.     OO-ability: you can’t make use of inheritance/composition.
  4.     Debuggability: if scriptlet throws an exception halfway, all you get is a blank page.
  5.     Testability: scriptlets are not unit-testable.
  6.     Maintainability: per saldo more time is needed to maintain mingled/cluttered/duplicated code logic.

Oracle itself also recommends in the JSP coding conventions to avoid use of scriptlets whenever the same functionality is possible by (tag) classes. Here are several cites of relevance:

In the spirit of adopting the model-view-controller (MVC) design pattern to reduce coupling between the presentation tier from the business logic, JSP scriptlets should not be used for writing business logic. Rather, JSP scriptlets are used if necessary to transform data (also called “value objects”) returned from processing the client’s requests into a proper client-ready format. Even then, this would be better done with a front controller servlet or a custom tag.
How to replace scriptlets entirely depends on the sole purpose of the code/logic. More than often this code is to be placed in a fullworthy Java class.

#If you want to invoke the same Java code on every request, less-or-more regardless of the requested page, e.g. checking if an user is logged in, then implement a Filter and write code accordingly in doFilter() method. E.g.:
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws ServletException, IOException {
if (((HttpServletRequest) request).getSession().getAttribute(“user”) == null) {
((HttpServletResponse) response).sendRedirect(“login”); // Not logged in, redirect to login page.
} else {
chain.doFilter(request, response); // Logged in, just continue request.
When mapped on an appropriate url-pattern covering the JSP pages of interest, then you don’t need to copypaste the same piece of code over all JSP pages.

#If you want to invoke some Java code to preprocess a request, e.g. preloading some list from a database to display in some table, if necessary based on some query parameters, then implement HttpServlet and write code accordingly in doGet() method. E.g.:
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
try {
List<Product> products = productDAO.list(); // Obtain all products.
request.setAttribute(“products”, products); // Store products in request scope.
request.getRequestDispatcher(“/WEB-INF/products.jsp”).forward(request, response); // Forward to JSP page to display them in a HTML table.
} catch (SQLException e) {
throw new ServletException(“Retrieving products failed!”, e);
This way dealing with exceptions is easier. The DB is not accessed in the midst of JSP rendering, but far before the JSP is been displayed. You still have the possibility to change the response whenever the DB access throws an exception. In the above example, the default error 500 page will be displayed which you can anyway customize by an <error-page> in web.xml.

#If you want to invoke some Java code to postprocess a request, e.g. processing a form submit, then implement HttpServlet and write code accordingly in doPost() method. E.g.:
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
String username = request.getParameter(“username”);
String password = request.getParameter(“password”);
User user = userDAO.find(username, password);
if (user != null) {
request.getSession().setAttribute(“user”, user); // Login user.
response.sendRedirect(“home”); // Redirect to home page.
} else {
request.setAttribute(“message”, “Unknown username/password. Please retry.”); // Store error message in request scope.
request.getRequestDispatcher(“/WEB-INF/login.jsp”).forward(request, response); // Forward to JSP page to redisplay login form with error.
This way dealing with different result page destinations is easier: redisplaying the form with validation errors in case of an error (in this particular example you can redisplay it using ${message} in EL), or just taking to the desired target page in case of success.

#If you want to invoke some Java code to control the execution plan and/or the destination of the request and the response, then implement HttpServlet according the MVC’s Front Controller Pattern. E.g.:
protected void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
View view = new View(request, response);
Action action = ActionFactory.getAction(request);
Or just adopt a MVC framework like JSF so that you end up with just a JSP/Facelets page and a Javabean class without the need for a HttpServlet.

If you want to invoke some Java code to control the flow inside a JSP page, then you need to grab an (existing) flow control taglib like JSTL core. E.g. displaying List<Product> in a table:

<%@ taglib uri=”; prefix=”c” %>

<c:forEach items=”${products}” var=”product”>

# If you want to invoke some utility Java code directly in the JSP page (typically public static methods), then you need to define them as EL functions. There’s a standard functions taglib in JSTL, but you can also easily create functions yourself. Here’s an example how JSTL fn:escapeXml is useful to prevent XSS attacks.
<%@ taglib uri=”; prefix=”fn” %>

<input type=”text” name=”foo” value=”${fn:escapeXml(}” />


One thought on “How to avoid Java Code in JSP-Files

  1. Hi,
    yes this technique is very effective. At least as long you want the java programmers keep their hands off templates, which in deed makes sense sometimes, or if you want make java programmers less productive. However, in the hand of a junior and up java developer will always be more efficient with scriptless and a little bit discipline. But if you want really lean and maintainable templates try passive templates. A good ressource is Snippetory or, a little bit more diverse my about page
    Have fun (as I erad you like to have this;-),
    Sir RotN


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s