Cheat Sheet

The human mind is an iterative processor. It never does anything precisely right the first time. What it does consummately well is to make a slight improvement to a flawed product.
- Tom DeMarco
Quick answers to common questions.

Which IDE should I use?
What database can I use with WEB4J?
Is Tomcat adequate for production?
How do I restart my application?
What books can you recommend for newbies?
What coding conventions do you recommend?
Where are the log files?
What log level should I use?
Should I be using Cascading Style Sheets?
How do I ensure a page can be printed nicely?
What font should my web pages use?
How do I ensure weird characters are displayed correctly?
What should I know about security?
How can I protect myself against Cross-Site Scripting attacks?
Should I use GET or POST?
Should I use Expression Language Or <c:out>?
How should my app emit links?
Should I use properties files for translations?
Should I bother validating my HTML and CSS?
Can I use JavaBeans?
Should my classes be public or package-private?
Should my classes be final?
My DAO is really small. Can I refactor its methods into the Action?
If I ever need to port to a new database, how can I minimize my pain?
Why aren't my SQL statements being precompiled at startup?
Should the getSignificantFields() method include the primary key?
What are these @sql and @view tags I see in the example code?
I like the WEB4J data layer. Can I use it in a GUI application?
How do I allow POSTing without requiring user login?

Which IDE should I use?
The modern Java IDEs are all good tools: IntelliJ, Eclipse, NetBeans, JBuilder, and so on. They have many advantages over typical text editors. Those starting out will likely use Eclipse or NetBeans, which are free.

What database can I use with WEB4J?
WEB4J works with any relational database having a JDBC driver.

Is Tomcat adequate for production?
Yes. Many organizations use Tomcat in production.

How do I restart my application?
When developing, it's helpful to minimize the time it takes to restart your application. (The Fish & Chips Club example app typically starts in about 1 second.) It's always best to restart the application instead of the server, if possible, since restarting the server will always take longer.

The Tomcat server can be configured to automatically restart your app when it detects changes. See the Getting Started Guide for an example. With such configuration, Tomcat will automatically detect when your application has changed, and restart the app.

In addition, Tomcat provides the Manager application, which can reload your application upon request.

What books can you recommend for newbies?
Some excellent texts:

In addition, javapractices.com has a lot of useful information.

What coding conventions do you recommend?
Here are some coding conventions you can start with:

For examples of such coding conventions in use, see the Fish & Chips Club javadoc. Note that each class name links to the underlying source code. For example, this page links to this source code, by clicking on the class name and method names.

Where are the log files?
The Tomcat log files are located in [TOMCAT_HOME]\logs\. Tomcat emits several log files, not just one, to this directory. Usually the one named 'localhostXXX' contains the most useful information.

For your WEB4J application, its logging directory is defined by the LoggingDirectory setting in web.xml.

What log level should I use?
When developing, log level should usually be FINE. For production, you should likely change this to a less verbose level, such as INFO.

This is controlled by the LoggingLevels setting in web.xml.

Should I be using Cascading Style Sheets?
Yes. CSS is an excellent tool, and should be used throughout your application, to eliminate repetition of formatting decisions.

See Also - Use Cascading Style Sheets

How do I ensure a page can be printed nicely?
The format of a printed page is controlled using Cascading Style Sheets. There shouldn't be any need to create a page just for printing.

By default, the styles you define in a style sheet will apply to all media. To define styles which apply only to printing, use @media print. Here is an example, which suppresses the printing of some sections of the web page (a common requirement):

@media print {
 * {
  color: black !important;
  background: white !important;
 }
 .menu-bar {
  display: none;
 }
 .title-bar {
  display: none;
 }
 div.sidebar {
  display: none;
 }
 .legalese {
  display: none;
 }
 body {
  font-family: "Times New Roman", serif;
  font-size: 12pt;
 }
 a {
  text-decoration: none;
 }
 table.report {
  page-break-before: always;
 }
}
Note the font is specified. Printing usually looks best with a serif font, while web pages usually look best with a sans-serif font.

What font should my web pages use?
Verdana and Arial are good choices; Verdana in particular was designed for on-screen reading. For screen use, you should avoid serif fonts, such as Times New Roman.

How do I ensure weird characters are displayed correctly?
By using the proper encoding in all places. "Weird characters" are usually just non-ASCII characters (accented letters, currency symbols, non-Latin scripts) passing through a layer that uses a different encoding. The best default is UTF-8. You will need to ensure that UTF-8 is used by the database and its JDBC connection (see your database documentation), for the pages you serve, and when request parameters are read. For WEB4J apps, the encoding is set in web.xml with the CharacterEncoding setting.

See Also - Prefer UTF-8 in all layers.

What should I know about security?
You should be familiar with the Open Web Application Security Project (OWASP) and its recommendations. Its Top Ten list of web application security risks is particularly important.

Security is critical on the web. If you don't pay attention to security issues, then it's very likely that your web app is insecure, and open to attack.

How can I protect myself against Cross-Site Scripting attacks?
By modeling free-form text with SafeText instead of String. Free-form text is anything typed by an end user (names, comments, descriptions); SafeText ensures that such text is escaped when it is rendered in a page, rather than being interpreted by the browser as markup. Keep in mind that escaping is context-specific: text that ends up inside a script block, a URL, or a style declaration needs encoding appropriate to that context, not just HTML escaping.

See Also - User Guide

Should I use GET or POST?
If the operation changes something on the server, or has any other side effect, then use POST. Otherwise, use GET. The distinction matters for security as well as for HTTP semantics: a GET can be triggered by a plain link, an image tag, or a browser prefetch, is cached and bookmarked, and its parameters end up in server logs and in the Referer header sent to other sites. A state-changing GET is therefore an easy target for Cross-Site Request Forgery and for accidental replay.

Example of POST operations:

Example of GET operations, which don't change anything on the server:

See Also - W3C, Forward Versus Redirect

Should I use Expression Language Or <c:out>?
For rendering data in a JSP, you should likely use Expression Language as the default. Its syntax is more compact and legible than the older <c:out> style. Be aware of one difference that matters for security: <c:out> escapes markup characters by default (escapeXml='true'), while plain ${...} emits the value verbatim. Plain Expression Language is therefore only safe for values that cannot contain markup (numbers, dates, enumerations) or for text that is already escaped, which is exactly what modeling free-form text as SafeText is for.

Example comparing the two styles, both rendering the same value:

Number of galaxies: ${numGalaxies}
Number of galaxies: <c:out value='${numGalaxies}'/>
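The following JSP fragment is an added example, not code from the WEB4J documentation or the Fish & Chips Club app. It assumes a request attribute named comment that holds an untrusted String (a constructed sample containing a script tag) and shows what each rendering style sends to the browser:

```jsp
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%-- Assumed: the Action placed an attribute 'comment' holding the raw String
     <script>alert(1)</script>   (constructed sample, attacker-controlled) --%>

<%-- 1. Plain EL emits the value verbatim. With a raw String this is a
        reflected/stored XSS hole: the browser executes the script. --%>
<p>${comment}</p>

<%-- 2. c:out escapes by default (escapeXml="true"), so the browser receives
        &lt;script&gt;alert(1)&lt;/script&gt; and shows it as text. --%>
<p><c:out value="${comment}"/></p>

<%-- 3. Switching escaping off makes c:out behave like plain EL. Only do this
        for values that are already escaped or are trusted markup. --%>
<p><c:out value="${comment}" escapeXml="false"/></p>

<%-- 4. No escaping is needed when the value cannot carry markup, e.g. a number. --%>
<p>Number of galaxies: ${numGalaxies}</p>
```

Form 2 is the safe one whenever the attribute is a raw String. The reason the cheat sheet can still recommend plain Expression Language as the default is that WEB4J models free-form text as SafeText, whose rendered form is already escaped; if you ever bypass SafeText and put a raw String into a page, use <c:out> for it.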

How should my app emit links?
You should emit links using <c:url>, defined by JSTL. Avoid the temptation of emitting the link directly: a hand-written href hard-codes the context path, loses the session id when the browser has cookies disabled, and leaves parameter values unencoded.

With <c:url>, you receive:

Should I use properties files for translations?
No. You should use the database instead, to avoid a number of nuisances associated with properties files.

See Also - Try alternatives to ResourceBundle, Multilingual Apps

Should I bother validating my HTML and CSS?
Yes. You will almost always find some issues. Validation only takes a moment, and increases your confidence in the quality of your site.

Links:

Can I use JavaBeans?
Yes, but they are not recommended. Instead, you should likely design your Model Objects as immutable objects.

See Also - Avoid JavaBeans style of construction.

Should my classes be public or package-private?
Typically, the following will be needed:

Model Objects usually need to be public in order to be constructed by the framework (using reflection on public members), and rendered in JSPs.

Model Objects for search operations are a special case:

In addition, some DAOs occasionally need to be accessed from other packages. In that case, it is often possible to have some DAO methods public, and some package-private.

Should my classes be final?
Usually, yes. Making a class non-final requires extra, non-trivial effort, in order to get it right. For typical applications, the need for non-final classes should be relatively rare. Using final makes a class a bit safer and more conservative (especially for less experienced programmers).

One exception might be that you need to create a new template Action. In that case, you will need to use the Template Method design pattern, which uses a non-final Abstract Base Class.

My DAO is really small. Can I refactor its methods into the Action?
Yes. Each class should do a significant amount of work. If a DAO is small, moving its methods into the single Action that uses it is a good idea.

If I ever need to port to a new database, how can I minimize my pain?
You can minimize your pain by using standard SQL whenever possible, instead of items particular to a specific database. Here, use of an SQL validator is very helpful.

If you follow this guideline, most of the porting pain will be confined to CREATE TABLE statements.

Why aren't my SQL statements being precompiled at startup?
It's true that WEB4J tries to precompile SQL statements upon startup, in order to detect errors as quickly as possible. However, this is an attempt to precompile: the actual precompilation is only executed if it is supported by the database and its JDBC driver.

Should the getSignificantFields() method include the primary key?
Assuming that the primary key is an internal database identifier, and isn't used directly by end users as a business identifier, then the answer is 'probably not'.

The usual intent of using equals is to compare state, not identity. For a database record, however, the primary key seems to hold identity information, not state. (Some would consider this a weak argument. In the end, it likely doesn't matter much either way.)

What are these @sql and @view tags I see in the example code?
They are not annotations. They are taglets, used to extend the javadoc tool. They generate links in javadoc to the underlying .sql file and JSP file associated with a feature.

These taglets are available from the WEB4J Development Tools.

I like the WEB4J data layer. Can I use it in a GUI application?
Maybe. The Controller.init() method is called during unit testing and initializes WEB4J's data layer outside of the usual environment. It may be possible to use the same technique in a GUI application. (See the example app's TESTAll class.)

However, there seems to be a fundamental difference in how data is handled in a web app versus a desktop app. In a web app, data is more or less disconnected: data is fetched, placed in a Model Object, and presented to the user in markup. Usually, the Model Object exists only for the request, isn't long lived, and isn't directly manipulated.

In a desktop environment, however, it seems that the opposite is the case: the ResultSet is sometimes long-lived, updateable, and edited directly by the end user. So, according to how you need to edit data, you may or may not be able to use WEB4J's data layer in a desktop app.

How do I allow POSTing without requiring user login?
Allowing users to POST without logging in is a security risk: an anonymous form has no session to bind a CSRF token to, and anyone, including scripts, can submit it. It can be done if needed, but the exposure should be confined to as few URLs as possible.

If you need to allow POST operations without login, then you will run into issues with the CsrfFilter, which assumes a logged-in user is always present. As a workaround, change the filter mapping for CsrfFilter to match only a subset of your application's URLs. (Remember that a filter mapping can be by servlet name or by URL pattern.)

For example, you might split your application's URLs into two distinct areas, such as :

Then the CsrfFilter is mapped to /private/*, instead of to the entire application. In addition, any POSTed forms under /public/ will need some ad hoc mechanism to resist spamming and CSRF attacks (for example, asking the user to answer a question of some sort). Whatever mechanism you choose, check that every state-changing operation really lives under the filtered area: a POST handler left under /public/ receives no protection from the CsrfFilter at all.
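An added web.xml fragment illustrating this split (not the project's own configuration). The /public and /private layout, the role name, and the fully qualified class name of CsrfFilter are assumptions; copy the filter-class from the web.xml you already have:

```xml
<!-- Added example, not WEB4J's shipped web.xml. Class name and URL layout are assumed. -->
<filter>
  <filter-name>CsrfFilter</filter-name>
  <filter-class>hirondelle.web4j.security.CsrfFilter</filter-class>
</filter>

<!-- Before: the filter covered everything and broke anonymous POSTs.
<filter-mapping>
  <filter-name>CsrfFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
-->

<!-- After: apply the CsrfFilter only to the authenticated area. -->
<filter-mapping>
  <filter-name>CsrfFilter</filter-name>
  <url-pattern>/private/*</url-pattern>
</filter-mapping>

<!-- Keep the container's login requirement on exactly the same area, so the
     filter's assumption of a logged-in user holds wherever it runs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private area</web-resource-name>
    <url-pattern>/private/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>  <!-- assumed role name -->
  </auth-constraint>
</security-constraint>
```

The two url-pattern values should be identical: if the security constraint and the filter mapping drift apart, you end up with either authenticated pages that lack CSRF protection or anonymous pages on which the filter rejects every POST.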