Class WebUtils
Used by various framework classes.
- Author:
- Rod Johnson, Juergen Hoeller, Sebastien Deleuze, Sam Brannen
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
Prefix of the charset clause in a content type String: ";charset=".static final String
Default character encoding to use whenrequest.getCharacterEncoding
returnsnull
, according to the Servlet spec.static final String
Default web app root key: "webapp.root".static final String
Standard Servlet 2.3+ spec request attribute for error page exception.static final String
Standard Servlet 2.3+ spec request attribute for error page exception type.static final String
Standard Servlet 2.3+ spec request attribute for error page message.static final String
Standard Servlet 2.3+ spec request attribute for error page request URI.static final String
Standard Servlet 2.3+ spec request attribute for error page servlet name.static final String
Standard Servlet 2.3+ spec request attribute for error page status code.static final String
Standard Servlet 2.4+ spec request attribute for forward context path.static final String
Standard Servlet 2.4+ spec request attribute for forward path info.static final String
Standard Servlet 2.4+ spec request attribute for forward query string.static final String
Standard Servlet 2.4+ spec request attribute for forward request URI.static final String
Standard Servlet 2.4+ spec request attribute for forward servlet path.static final String
HTML escape parameter at the servlet context level (i.e.static final String
Standard Servlet 2.3+ spec request attribute for include context path.static final String
Standard Servlet 2.3+ spec request attribute for include path info.static final String
Standard Servlet 2.3+ spec request attribute for include query string.static final String
Standard Servlet 2.3+ spec request attribute for include request URI.static final String
Standard Servlet 2.3+ spec request attribute for include servlet path.static final String
Use of response encoding for HTML escaping parameter at the servlet context level (i.e.static final String
Key for the mutex session attribute.static final String[]
Name suffixes in case of image buttons.static final String
Standard Servlet spec context attribute that specifies a temporary directory for the current web application, of typejava.io.File
.static final String
Web app root key parameter at the servlet context level (i.e. -
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionstatic void
Clear the Servlet spec's error attributes asHttpServletRequest
attributes under the keys defined in the Servlet 2.3 specification:jakarta.servlet.error.status_code
,jakarta.servlet.error.exception_type
,jakarta.servlet.error.message
,jakarta.servlet.error.exception
,jakarta.servlet.error.request_uri
,jakarta.servlet.error.servlet_name
.static void
exposeErrorRequestAttributes
(HttpServletRequest request, Throwable ex, String servletName) Expose the Servlet spec's error attributes asHttpServletRequest
attributes under the keys defined in the Servlet 2.3 specification, for error pages that are rendered directly rather than through the Servlet container's error page resolution:jakarta.servlet.error.status_code
,jakarta.servlet.error.exception_type
,jakarta.servlet.error.message
,jakarta.servlet.error.exception
,jakarta.servlet.error.request_uri
,jakarta.servlet.error.servlet_name
.static String
findParameterValue
(ServletRequest request, String name) Obtain a named parameter from the given request parameters.static String
findParameterValue
(Map<String, ?> parameters, String name) Obtain a named parameter from the given request parameters.static Cookie
getCookie
(HttpServletRequest request, String name) Retrieve the first cookie with the given name.static Boolean
getDefaultHtmlEscape
(ServletContext servletContext) Return whether default HTML escaping is enabled for the web application, i.e.static <T> T
getNativeRequest
(ServletRequest request, Class<T> requiredType) Return an appropriate request object of the specified type, if available, unwrapping the given request as far as necessary.static <T> T
getNativeResponse
(ServletResponse response, Class<T> requiredType) Return an appropriate response object of the specified type, if available, unwrapping the given response as far as necessary.getParametersStartingWith
(ServletRequest request, String prefix) Return a map containing all parameters with the given prefix.static String
getRealPath
(ServletContext servletContext, String path) Return the real path of the given path within the web application, as provided by the servlet container.static Object
getRequiredSessionAttribute
(HttpServletRequest request, String name) Check the given request for a session attribute of the given name.static Boolean
getResponseEncodedHtmlEscape
(ServletContext servletContext) Return whether response encoding should be used when HTML escaping characters, thus only escaping XML markup significant characters with UTF-* encodings.static Object
getSessionAttribute
(HttpServletRequest request, String name) Check the given request for a session attribute of the given name.static String
getSessionId
(HttpServletRequest request) Determine the session id of the given request, if any.static Object
getSessionMutex
(HttpSession session) Return the best available mutex for the given session: that is, an object to synchronize on for the given session.static File
getTempDir
(ServletContext servletContext) Return the temporary directory for the current web application, as provided by the servlet container.static boolean
hasSubmitParameter
(ServletRequest request, String name) Check if a specific input type="submit" parameter was sent in the request, either via a button (directly with name) or via an image (name + ".x" or name + ".y").static boolean
isIncludeRequest
(ServletRequest request) Determine whether the given request is an include request, that is, not a top-level HTTP request coming in from the outside.static boolean
isSameOrigin
(HttpRequest request) Check if the request is a same-origin one, based onOrigin
,Host
,Forwarded
,X-Forwarded-Proto
,X-Forwarded-Host
andX-Forwarded-Port
headers.static boolean
isValidOrigin
(HttpRequest request, Collection<String> allowedOrigins) Check the given request origin against a list of allowed origins.static MultiValueMap<String,
String> parseMatrixVariables
(String matrixVariables) Parse the given string with matrix variables.static void
removeWebAppRootSystemProperty
(ServletContext servletContext) Remove the system property that points to the web app root directory.static void
setSessionAttribute
(HttpServletRequest request, String name, Object value) Set the session attribute with the given name to the given value.static void
setWebAppRootSystemProperty
(ServletContext servletContext) Set a system property to the web application root directory.
-
Field Details
-
INCLUDE_REQUEST_URI_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for include request URI.If included via a
RequestDispatcher
, the current resource will see the originating request. Its own request URI is exposed as a request attribute.- See Also:
-
INCLUDE_CONTEXT_PATH_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for include context path.If included via a
RequestDispatcher
, the current resource will see the originating context path. Its own context path is exposed as a request attribute.- See Also:
-
INCLUDE_SERVLET_PATH_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for include servlet path.If included via a
RequestDispatcher
, the current resource will see the originating servlet path. Its own servlet path is exposed as a request attribute.- See Also:
-
INCLUDE_PATH_INFO_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for include path info.If included via a
RequestDispatcher
, the current resource will see the originating path info. Its own path info is exposed as a request attribute.- See Also:
-
INCLUDE_QUERY_STRING_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for include query string.If included via a
RequestDispatcher
, the current resource will see the originating query string. Its own query string is exposed as a request attribute.- See Also:
-
FORWARD_REQUEST_URI_ATTRIBUTE
Standard Servlet 2.4+ spec request attribute for forward request URI.If forwarded to via a RequestDispatcher, the current resource will see its own request URI. The originating request URI is exposed as a request attribute.
- See Also:
-
FORWARD_CONTEXT_PATH_ATTRIBUTE
Standard Servlet 2.4+ spec request attribute for forward context path.If forwarded to via a RequestDispatcher, the current resource will see its own context path. The originating context path is exposed as a request attribute.
- See Also:
-
FORWARD_SERVLET_PATH_ATTRIBUTE
Standard Servlet 2.4+ spec request attribute for forward servlet path.If forwarded to via a RequestDispatcher, the current resource will see its own servlet path. The originating servlet path is exposed as a request attribute.
- See Also:
-
FORWARD_PATH_INFO_ATTRIBUTE
Standard Servlet 2.4+ spec request attribute for forward path info.If forwarded to via a RequestDispatcher, the current resource will see its own path ingo. The originating path info is exposed as a request attribute.
- See Also:
-
FORWARD_QUERY_STRING_ATTRIBUTE
Standard Servlet 2.4+ spec request attribute for forward query string.If forwarded to via a RequestDispatcher, the current resource will see its own query string. The originating query string is exposed as a request attribute.
- See Also:
-
ERROR_STATUS_CODE_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page status code.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
ERROR_EXCEPTION_TYPE_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page exception type.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
ERROR_MESSAGE_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page message.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
ERROR_EXCEPTION_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page exception.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
ERROR_REQUEST_URI_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page request URI.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
ERROR_SERVLET_NAME_ATTRIBUTE
Standard Servlet 2.3+ spec request attribute for error page servlet name.To be exposed to JSPs that are marked as error pages, when forwarding to them directly rather than through the servlet container's error page resolution mechanism.
- See Also:
-
CONTENT_TYPE_CHARSET_PREFIX
Prefix of the charset clause in a content type String: ";charset=".- See Also:
-
DEFAULT_CHARACTER_ENCODING
Default character encoding to use whenrequest.getCharacterEncoding
returnsnull
, according to the Servlet spec. -
TEMP_DIR_CONTEXT_ATTRIBUTE
Standard Servlet spec context attribute that specifies a temporary directory for the current web application, of typejava.io.File
.- See Also:
-
HTML_ESCAPE_CONTEXT_PARAM
HTML escape parameter at the servlet context level (i.e. a context-param inweb.xml
): "defaultHtmlEscape".- See Also:
-
RESPONSE_ENCODED_HTML_ESCAPE_CONTEXT_PARAM
Use of response encoding for HTML escaping parameter at the servlet context level (i.e. a context-param inweb.xml
): "responseEncodedHtmlEscape".- Since:
- 4.1.2
- See Also:
-
WEB_APP_ROOT_KEY_PARAM
Web app root key parameter at the servlet context level (i.e. a context-param inweb.xml
): "webAppRootKey".- See Also:
-
DEFAULT_WEB_APP_ROOT_KEY
Default web app root key: "webapp.root".- See Also:
-
SUBMIT_IMAGE_SUFFIXES
Name suffixes in case of image buttons. -
SESSION_MUTEX_ATTRIBUTE
Key for the mutex session attribute.
-
-
Constructor Details
-
WebUtils
public WebUtils()
-
-
Method Details
-
setWebAppRootSystemProperty
public static void setWebAppRootSystemProperty(ServletContext servletContext) throws IllegalStateException Set a system property to the web application root directory. The key of the system property can be defined with the "webAppRootKey" context-param inweb.xml
. Default is "webapp.root".Can be used for tools that support substitution with
System.getProperty
values, like log4j's "${key}" syntax within log file locations.- Parameters:
servletContext
- the servlet context of the web application- Throws:
IllegalStateException
- if the system property is already set, or if the WAR file is not expanded- See Also:
-
removeWebAppRootSystemProperty
Remove the system property that points to the web app root directory. To be called on shutdown of the web application.- Parameters:
servletContext
- the servlet context of the web application- See Also:
-
getDefaultHtmlEscape
Return whether default HTML escaping is enabled for the web application, i.e. the value of the "defaultHtmlEscape" context-param inweb.xml
(if any).This method differentiates between no param specified at all and an actual boolean value specified, allowing to have a context-specific default in case of no setting at the global level.
- Parameters:
servletContext
- the servlet context of the web application- Returns:
- whether default HTML escaping is enabled for the given application
(
null
= no explicit default)
-
getResponseEncodedHtmlEscape
@Nullable public static Boolean getResponseEncodedHtmlEscape(@Nullable ServletContext servletContext) Return whether response encoding should be used when HTML escaping characters, thus only escaping XML markup significant characters with UTF-* encodings. This option is enabled for the web application with a ServletContext param, i.e. the value of the "responseEncodedHtmlEscape" context-param inweb.xml
(if any).This method differentiates between no param specified at all and an actual boolean value specified, allowing to have a context-specific default in case of no setting at the global level.
- Parameters:
servletContext
- the servlet context of the web application- Returns:
- whether response encoding is to be used for HTML escaping
(
null
= no explicit default) - Since:
- 4.1.2
-
getTempDir
Return the temporary directory for the current web application, as provided by the servlet container.- Parameters:
servletContext
- the servlet context of the web application- Returns:
- the File representing the temporary directory
-
getRealPath
public static String getRealPath(ServletContext servletContext, String path) throws FileNotFoundException Return the real path of the given path within the web application, as provided by the servlet container.Prepends a slash if the path does not already start with a slash, and throws a FileNotFoundException if the path cannot be resolved to a resource (in contrast to ServletContext's
getRealPath
, which returns null).- Parameters:
servletContext
- the servlet context of the web applicationpath
- the path within the web application- Returns:
- the corresponding real path
- Throws:
FileNotFoundException
- if the path cannot be resolved to a resource- See Also:
-
getSessionId
Determine the session id of the given request, if any.- Parameters:
request
- current HTTP request- Returns:
- the session id, or
null
if none
-
getSessionAttribute
Check the given request for a session attribute of the given name. Returns null if there is no session or if the session has no such attribute. Does not create a new session if none has existed before!- Parameters:
request
- current HTTP requestname
- the name of the session attribute- Returns:
- the value of the session attribute, or
null
if not found
-
getRequiredSessionAttribute
public static Object getRequiredSessionAttribute(HttpServletRequest request, String name) throws IllegalStateException Check the given request for a session attribute of the given name. Throws an exception if there is no session or if the session has no such attribute. Does not create a new session if none has existed before!- Parameters:
request
- current HTTP requestname
- the name of the session attribute- Returns:
- the value of the session attribute, or
null
if not found - Throws:
IllegalStateException
- if the session attribute could not be found
-
setSessionAttribute
public static void setSessionAttribute(HttpServletRequest request, String name, @Nullable Object value) Set the session attribute with the given name to the given value. Removes the session attribute if value is null, if a session existed at all. Does not create a new session if not necessary!- Parameters:
request
- current HTTP requestname
- the name of the session attributevalue
- the value of the session attribute
-
getSessionMutex
Return the best available mutex for the given session: that is, an object to synchronize on for the given session.Returns the session mutex attribute if available; usually, this means that the HttpSessionMutexListener needs to be defined in
web.xml
. Falls back to the HttpSession itself if no mutex attribute found.The session mutex is guaranteed to be the same object during the entire lifetime of the session, available under the key defined by the
SESSION_MUTEX_ATTRIBUTE
constant. It serves as a safe reference to synchronize on for locking on the current session.In many cases, the HttpSession reference itself is a safe mutex as well, since it will always be the same object reference for the same active logical session. However, this is not guaranteed across different servlet containers; the only 100% safe way is a session mutex.
- Parameters:
session
- the HttpSession to find a mutex for- Returns:
- the mutex object (never
null
) - See Also:
-
getNativeRequest
@Nullable public static <T> T getNativeRequest(ServletRequest request, @Nullable Class<T> requiredType) Return an appropriate request object of the specified type, if available, unwrapping the given request as far as necessary.- Parameters:
request
- the servlet request to introspectrequiredType
- the desired type of request object- Returns:
- the matching request object, or
null
if none of that type is available
-
getNativeResponse
@Nullable public static <T> T getNativeResponse(ServletResponse response, @Nullable Class<T> requiredType) Return an appropriate response object of the specified type, if available, unwrapping the given response as far as necessary.- Parameters:
response
- the servlet response to introspectrequiredType
- the desired type of response object- Returns:
- the matching response object, or
null
if none of that type is available
-
isIncludeRequest
Determine whether the given request is an include request, that is, not a top-level HTTP request coming in from the outside.Checks the presence of the "jakarta.servlet.include.request_uri" request attribute. Could check any request attribute that is only present in an include request.
- Parameters:
request
- current servlet request- Returns:
- whether the given request is an include request
-
exposeErrorRequestAttributes
public static void exposeErrorRequestAttributes(HttpServletRequest request, Throwable ex, @Nullable String servletName) Expose the Servlet spec's error attributes asHttpServletRequest
attributes under the keys defined in the Servlet 2.3 specification, for error pages that are rendered directly rather than through the Servlet container's error page resolution:jakarta.servlet.error.status_code
,jakarta.servlet.error.exception_type
,jakarta.servlet.error.message
,jakarta.servlet.error.exception
,jakarta.servlet.error.request_uri
,jakarta.servlet.error.servlet_name
.Does not override values if already present, to respect attribute values that have been exposed explicitly before.
Exposes status code 200 by default. Set the "jakarta.servlet.error.status_code" attribute explicitly (before or after) in order to expose a different status code.
- Parameters:
request
- current servlet requestex
- the exception encounteredservletName
- the name of the offending servlet
-
clearErrorRequestAttributes
Clear the Servlet spec's error attributes asHttpServletRequest
attributes under the keys defined in the Servlet 2.3 specification:jakarta.servlet.error.status_code
,jakarta.servlet.error.exception_type
,jakarta.servlet.error.message
,jakarta.servlet.error.exception
,jakarta.servlet.error.request_uri
,jakarta.servlet.error.servlet_name
.- Parameters:
request
- current servlet request
-
getCookie
Retrieve the first cookie with the given name. Note that multiple cookies can have the same name but different paths or domains.- Parameters:
request
- current servlet requestname
- cookie name- Returns:
- the first cookie with the given name, or
null
if none is found
-
hasSubmitParameter
Check if a specific input type="submit" parameter was sent in the request, either via a button (directly with name) or via an image (name + ".x" or name + ".y").- Parameters:
request
- current HTTP requestname
- the name of the parameter- Returns:
- if the parameter was sent
- See Also:
-
findParameterValue
Obtain a named parameter from the given request parameters.See
findParameterValue(java.util.Map, String)
for a description of the lookup algorithm.- Parameters:
request
- current HTTP requestname
- the logical name of the request parameter- Returns:
- the value of the parameter, or
null
if the parameter does not exist in given request
-
findParameterValue
Obtain a named parameter from the given request parameters.This method will try to obtain a parameter value using the following algorithm:
- Try to get the parameter value using just the given logical name.
This handles parameters of the form
logicalName = value
. For normal parameters, for example, submitted using a hidden HTML form field, this will return the requested value. - Try to obtain the parameter value from the parameter name, where the
parameter name in the request is of the form
logicalName_value = xyz
with "_" being the configured delimiter. This deals with parameter values submitted using an HTML form submit button. - If the value obtained in the previous step has a ".x" or ".y" suffix,
remove that. This handles cases where the value was submitted using an
HTML form image button. In this case the parameter in the request would
actually be of the form
logicalName_value.x = 123
.
- Parameters:
parameters
- the available parameter mapname
- the logical name of the request parameter- Returns:
- the value of the parameter, or
null
if the parameter does not exist in given request
- Try to get the parameter value using just the given logical name.
This handles parameters of the form
-
getParametersStartingWith
public static Map<String,Object> getParametersStartingWith(ServletRequest request, @Nullable String prefix) Return a map containing all parameters with the given prefix. Maps single values to String and multiple values to String array.For example, with a prefix of "spring_", "spring_param1" and "spring_param2" result in a Map with "param1" and "param2" as keys.
- Parameters:
request
- the HTTP request in which to look for parametersprefix
- the beginning of parameter names (if this is null or the empty string, all parameters will match)- Returns:
- map containing request parameters without the prefix, containing either a String or a String array as values
- See Also:
-
parseMatrixVariables
Parse the given string with matrix variables. An example string would look like this"q1=a;q1=b;q2=a,b,c"
. The resulting map would contain keys"q1"
and"q2"
with values["a","b"]
and["a","b","c"]
respectively.- Parameters:
matrixVariables
- the unparsed matrix variables string- Returns:
- a map with matrix variable names and values (never
null
) - Since:
- 3.2
-
isValidOrigin
Check the given request origin against a list of allowed origins. A list containing "*" means that all origins are allowed. An empty list means only same origin is allowed.Note: as of 5.1 this method ignores
"Forwarded"
and"X-Forwarded-*"
headers that specify the client-originated address. Consider using theForwardedHeaderFilter
to extract and use, or to discard such headers.- Returns:
true
if the request origin is valid,false
otherwise- Since:
- 4.1.5
- See Also:
-
isSameOrigin
Check if the request is a same-origin one, based onOrigin
,Host
,Forwarded
,X-Forwarded-Proto
,X-Forwarded-Host
andX-Forwarded-Port
headers.Note: as of 5.1 this method ignores
"Forwarded"
and"X-Forwarded-*"
headers that specify the client-originated address. Consider using theForwardedHeaderFilter
to extract and use, or to discard such headers.- Returns:
true
if the request is a same-origin one,false
in case of cross-origin request- Since:
- 4.2
-