Verifying User Input Using JSP Tag Libraries

Thursday Dec 11th 2003 by Vlad Kofman

Should you go with server-side verification or client-side verification? Both have their advantages and disadvantages. Discover a unique way of using a Java JSP tab library for server-side verification. This may be your answer.

In any Web-based application where program logic requires information submitted by the user to be validated, the creators of the application can check data in two ways. The first method is to do validation on the client side, even before anything is submitted to the server. Usually, this is done using JavaScript running in the client's Internet browser. While the form is being submitted, the script will check all required fields and pop up error messages in case of any discrepancies. The second way is to do validation on the server side, before performing any operation with the data, using the technology that the application server supports.

Server-side verification puts more strain on the server, but gives programmer more control, and guarantees that data will be checked. Client-side verification can easily be circumvented by the user (by disabling JavaScript), therefore allowing unchecked information to be submitted, but could be faster, because users don't have to post and get pages from the server.

Currently, more and more online applications rely on server-side validation, mainly because it guarantees checking and improves application security, but also because server hardware and software performance have significantly improved in recent years, and because it allows for greater flexibility of the program and sometimes is easier to implement.

In this article, I will describe a unique way of using a Java JSP tab library for server-side verification, and briefly describe the creation of JSP tags. The examples will build upon a Web application from my previous article "Applying MVC to web-based applications with JSP views"—a simple project that displays weather information after users submit a ZIP code or city name. The application followed Model-View-Controller (MVC) architecture and used the Tomcat application server.

Validation Process

In an enterprise-level application, data validation is a required part of the security process. Not only do applications have to catch empty or partial fields, but also have to guard against erroneous entries. If data is submitted into a RDBMS store or any other persistent storage and is used in SQL statements, users can accidentally (or purposely) submit bad data that can result in invalid SQL statements. A malicious user can even post escape strings or put specific data in the submit form to perform an operation not originally designed by the Web application developer. For example, they can delete a row or table from the database or get any information they want.

The JSP pages where I've implemented validation are "Views" in the MVC design, part of the online weather program. Each JSP view either submits or displays data. When form with a ZIP code or city name is submitted, information is posted to the server, where a Controller Servlet object performs an action based on a specific action key parameter from the JSP, and redirects to the next View. But, more detail on this later; let's look at the workings of JSP tags.

JSP Tags

You can think of the JSP tag as a custom action that is performed by Java code running on the server. In the JSP, a tag looks like a standard HTML tag except its logic is not executed on the client side, but on the server side as part of the Servlet into which a JSP is converted. Each tag is encapsulated in a separate class and its name and parameter attributes are indicated in a special deployment descriptor file with a tld extension. This file should be placed under the web-app directory WEB-INF in your application server, and indicated for use in JSP with a <%@taglib ... %> directive and in a web.xml file. When a JSP engine encounters a custom tag, it checks to see whether it knows where that the tag class is, and if it does, it executes the corresponding code. The tag classes are usually put into a jar file and placed under the lib directory under WEB-INF.

Ex. ..\WEB-INF\mytags.tld - deployment descriptor file

Ex. ..\WEB-INF\lib\mytags.jar tag library (or a full directory structure)

To show how to use tags for validation, I've created a custom JSP tag to validate the ZIP code field, named notValidZip. Tags, however, can perform any action, such as HTML formatting, field manipulation, or even database queries. For other checks, I use a tag library from Coldbeans Software (, which is free for non-commercial use, and has extremely practical tags for the validation of HTML form fields. If you need to use tags on a commercial site, you can always write your own or purchase them.

Here is a part of the deployment descriptor file validtag.tld that deals with my notValidZip tag: