7.3 URL Rewriting

Java Servlet Programming, 2nd Edition > 7. Session Tracking > 7.3 URL Rewriting

7.3 URL Rewriting

URL rewriting is another way to support anonymous session tracking. With URL rewriting, every local URL the user might click on is dynamically modified, or rewritten, to include extra information. The extra information can be in the form of extra path information, added parameters, or some custom, server-specific URL change. Due to the limited space available in rewriting a URL, the extra information is usually limited to a unique session ID. For example, the following URLs have been rewritten to pass the session ID 123:^[2]

^[2] Remember, session ID values should be difficult to guess or forge. 123 does not qualify as a good session ID, except in a simple book example.

http://server:port/servlet/Rewritten                 original http://server:port/servlet/Rewritten/123             extra path information http://server:port/servlet/Rewritten?sessionid=123   added parameter http://server:port/servlet/Rewritten;jsessionid=123  custom change

Each rewriting technique has its advantages and disadvantages. Using extra path information works on all servers, but it doesn't work well if a servlet has to use the extra path information as true path information. Using an added parameter works on all servers too, but it can cause parameter naming collisions. Using a custom, server-specific change works under all conditions for servers that support the change. Unfortunately, it doesn't work at all for servers that don't support the change.

Example 7-2 shows a revised version of our shopping cart viewer that uses URL rewriting in the form of extra path information to anonymously track a shopping cart.

Example 7-2. Session Tracking Using URL Rewriting

import java.io.*; import javax.servlet.*; import javax.servlet.http.*; public class ShoppingCartViewerRewrite extends HttpServlet {   public void doGet(HttpServletRequest req, HttpServletResponse res)                                throws ServletException, IOException {     res.setContentType("text/html");     PrintWriter out = res.getWriter();     out.println("<HEAD><TITLE>Current Shopping Cart Items</TITLE></HEAD>");     out.println("<BODY>");     // Get the current session ID, or generate one if necessary     String sessionid = req.getPathInfo();     if (sessionid == null) {       sessionid = generateSessionId();     }     // Cart items are associated with the session ID     String[] items = getItemsFromCart(sessionid);     // Print the current cart items.     out.println("You currently have the following items in your cart:<BR>");     if (items == null) {       out.println("<B>None</B>");     }     else {       out.println("<UL>");       for (int i = 0; i < items.length; i++) {         out.println("<LI>" + items[i]);       }       out.println("</UL>");     }     // Ask if the user wants to add more items or check out.     // Include the session ID in the action URL.     out.println("<FORM ACTION=\"/servlet/ShoppingCart/" + sessionid +                 "\" METHOD=POST>");     out.println("Would you like to<BR>");     out.println("<INPUT TYPE=SUBMIT VALUE=\" Add More Items \">");     out.println("<INPUT TYPE=SUBMIT VALUE=\" Check Out \">");     out.println("</FORM>");     // Offer a help page. Include the session ID in the URL.     out.println("For help, click <A HREF=\"/servlet/Help/" + sessionid +                 "?topic=ShoppingCartViewerRewrite\">here</A>");     out.println("</BODY></HTML>");   }   private static String generateSessionId() {     String uid = new java.rmi.server.UID().toString();  // guaranteed unique     return java.net.URLEncoder.encode(uid);  // encode any special chars   }   private static String[] getItemsFromCart(String sessionid) {     // Not implemented   } }

This servlet first tries to retrieve the current session ID using getPathInfo( ). If a session ID is not specified, it calls generateSessionId( ) to generate a new unique session ID using an RMI class designed specifically for this. The session ID is used to fetch and display the current items in the cart. The ID is then added to the form's ACTION attribute, so it can be retrieved by the ShoppingCart servlet. The session ID is also added to a new help URL that invokes the Help servlet. This wasn't possible with hidden form fields because the Help servlet isn't the target of a form submission.

The advantages and disadvantages of URL rewriting closely match those of hidden form fields. Both work with all browsers, allow anonymous access, and can be used to implement authentication with logout. The major difference is that URL rewriting works for all dynamically created documents, such as the Help servlet, not just forms. Plus, with the right server support, custom URL rewriting can even work for static documents. Unfortunately, actually performing the URL rewriting can be tedious.