115

I have always wondered why so many Java developers use ".do" as the extension for their web controller (MVC) resources. Example: http://example.com/register.do

It doesn't even seem to be framework specific as I have seen it in Spring MVC and Struts projects. Where did this ".do" extension practice come from? Why was this done instead of no extension? I feel like I missed the Java world memo on this.

Personally I prefer no extension.

L0j1k
Adam Gent
  • 5
    Friendly note for people that want to migrate from ".do" and have friendly URLs. Use the servlet path instead of the extension, i.e. /do/login, and then use Tuckey Filter URL rewriting to make /do/login ==> /login. – Adam Gent Aug 30 '10 at 03:21
  • True, URL rewriting (be it through mod_rewrite or Tuckey's filter) would do the trick. – Pascal Thivent Aug 30 '10 at 03:28
  • 1
    it's pretty idiotic, and there is no excuse for that. – irreputable Aug 30 '10 at 05:49

3 Answers

76

To my knowledge, this convention has been spread by Struts1. The user guide puts it like this:

5.4.2 Configure the ActionServlet Mapping

Note: The material in this section is not specific to Struts. The configuration of servlet mappings is defined in the Java Servlet Specification. This section describes the most common means of configuring an application.

There are two common approaches to defining the URLs that will be processed by the controller servlet -- prefix matching and extension matching. An appropriate mapping entry for each approach will be described below.

Prefix matching means that you want all URLs that start (after the context path part) with a particular value to be passed to this servlet. Such an entry might look like this:

<servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>/do/*</url-pattern>
</servlet-mapping>

which means that a request URI to match the /logon path described earlier might look like this:

http://www.mycompany.com/myapplication/do/logon

where /myapplication is the context path under which your application is deployed.

Extension mapping, on the other hand, matches request URIs to the action servlet based on the fact that the URI ends with a period followed by a defined set of characters. For example, the JSP processing servlet is mapped to the *.jsp pattern so that it is called to process every JSP page that is requested. To use the *.do extension (which implies "do something"), the mapping entry would look like this:

<servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
</servlet-mapping>

and a request URI to match the /logon path described earlier might look like this:

http://www.mycompany.com/myapplication/logon.do

WARNING - The framework will not operate correctly if you define more than one <servlet-mapping> element for the controller servlet.

WARNING - If you are using the new module support since version 1.1, you should be aware that only extension mapping is supported.

And I think this convention has been kept (sometimes to not change URLs even after replacing Struts1, sometimes just because people were happy with it).

Philip Rego
Pascal Thivent
9

It was common practice to map your struts servlet to *.do in web.xml to pass URLs to the struts servlet. For example:

<!-- Standard Action Servlet Mapping -->
<servlet-mapping>
    <servlet-name>action</servlet-name>
    <url-pattern>*.do</url-pattern>
</servlet-mapping>

There is really no reason except convention for this. If you use no extension you need to do some magic to handle images and other static content in a way that doesn't send them to your servlet. Often this gets done at a load balancer of a fronting web server.

silverjam
leonm
  • 2
    I don't know about it being magic. All it is having a master dispatching servlet and maybe doing some URL rewriting to avoid having the /myservlet/ prefix. See Tuckey URL rewriting. – Adam Gent Aug 30 '10 at 03:14
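
The prefix and extension mappings quoted in the first answer, and the static-content concern in the second, both follow from the order in which a servlet container tries `<url-pattern>` entries. The Java below is an added illustration, not code from Struts, the Servlet API or any poster here; `resolve`, the servlet labels and the sample paths are constructed, and it models the Servlet specification's four rules (exact, longest path prefix, extension, default).

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Model of the Servlet-spec mapping order; hypothetical helper, not container code. */
public class ServletMappingDemo {
    /** Resolves a request path (context path already removed) to a servlet label. */
    static String resolve(Map<String, String> mappings, String path) {
        // Rule 1: an exact pattern wins.
        String exact = mappings.get(path);
        if (exact != null) return exact;

        // Rule 2: longest path prefix; "/do/*" matches "/do" and "/do/anything".
        String best = null;
        int bestLen = -1;
        for (Map.Entry<String, String> e : mappings.entrySet()) {
            String p = e.getKey();
            if (!p.endsWith("/*")) continue;
            String prefix = p.substring(0, p.length() - 2);
            boolean hit = path.equals(prefix) || path.startsWith(prefix + "/");
            if (hit && prefix.length() > bestLen) {
                best = e.getValue();
                bestLen = prefix.length();
            }
        }
        if (best != null) return best;

        // Rule 3: extension of the last path segment, e.g. "*.do".
        int dot = path.lastIndexOf('.');
        if (dot > path.lastIndexOf('/')) {
            String byExt = mappings.get("*" + path.substring(dot));
            if (byExt != null) return byExt;
        }
        // Rule 4: the default servlet ("/"), which normally serves static files.
        return mappings.getOrDefault("/", "(no match: 404)");
    }

    public static void main(String[] args) {
        // Both styles sit in one table only for comparison; Struts 1 expects one.
        Map<String, String> m = new LinkedHashMap<>();
        m.put("*.do", "action via *.do");
        m.put("/do/*", "action via /do/*");
        m.put("*.jsp", "jsp");
        m.put("/", "default");  // assumed name for the container's static-file servlet
        for (String p : new String[] {"/logon.do", "/do/logon", "/index.jsp",
                                      "/images/logo.png", "/do/report.jsp", "/logon"}) {
            System.out.println(p + " -> " + resolve(m, p));
        }
        // Extension-free URLs need the controller on "/", which also captures static files.
        m.put("/", "action via /");
        System.out.println("/images/logo.png -> " + resolve(m, "/images/logo.png"));
    }
}
```

The last line of output is the case the second answer describes: once the controller takes over the default mapping, requests for images reach it too, so static content has to be routed elsewhere, and any filter or access rule keyed to `*.do` no longer lines up with the URLs the controller actually serves.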
-2

Just a security tip!

It is good practice to use some unusual extension for your controller; in this way the intruders will need to spend more time to find some info about the site.

So if you change the default extension, plus some few statics in your framework which may reveal your hand, your MVC framework can be completely unknown.

Even changing the extension to php or aspx could be a good idea.

Well indeed this is security by obfuscation, but this isn't the opposite of good security. Layering security by obscurity on top of an already secure system might help. There are interesting pros and cons of security by obfuscation and when they can be both used in the internet.

Alireza Fattahi
  • 5
    That's security by obscurity. – TGO May 21 '16 at 15:46
  • Really this is obfuscation – Brandon G Jan 26 '17 at 22:36
  • 4
    Obscurity isn't the opposite of good security. Refusing to divulge information that clients have zero need-to-know is a good practice. At my company we scrubbed all webserver and app server headers out and replaced it with a made-up string. The amount of vulnerability scans even obscure sites get is nuts, anything you can do to make yourself less of a target is a positive. – XP84 Mar 03 '17 at 19:52
  • By default, the response headers would be enough to figure out the things. – Kannan Ramamoorthy Jun 17 '17 at 14:44