I have an Spring-mvc application and in each controller I add a form to SessionAttributes to preserve properties when save, delete or do another get request. Main problem becomes when I try to open some link in another browser tab and try to submit the first one. I tried this solution but when I do a redirect (in controller I only have 1 return for view and the other methods do a redirect) it creates a new conversation and can't find previous one.
I have another question about this triying to use spring-session, question It's here but I don't know if this will work too.
Did you look into Spring's RedirectAttributes? I haven't used it myself but it sounds like it should do what you would like. RedirectAttributes is typically used for GET/redirect/POST patterns and at least one user seems to think passing session attributes this way is bad practice, however they go on to mention there doesn't seem to be a better solution. Anyway, the example shown in the documentation:
#RequestMapping(value = "/accounts", method = RequestMethod.POST)
public String handle(Account account, BindingResult result, RedirectAttributes redirectAttrs) {
if (result.hasErrors()) {
return "accounts/new";
}
// Save account ...
redirectAttrs.addAttribute("id", account.getId()).addFlashAttribute("message", "Account created!");
return "redirect:/accounts/{id}";
}
would add the "message" attribute to a RedirectModel, and if your controller redirects, then whatever method handles the redirect can access that data like so:
#RequestMapping(value = "/accounts", method = RequestMethod.POST)
public String handleRedirect(Model model) {
String message = (String) model.asMap().get("message");
return new ModelAndView();
}
So adding session attributes should be possible in the same way. Another reference here.
EDIT
I was looking through the Spring documentation and they also mention this annotation #SessionAttributes. From the documentation:
The type-level #SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session or some conversational storage, serving as form-backing beans between subsequent requests.
Could this be what you need?
And also a link to documentation on flash attributes.
This is the solution we have come up with, nothing to do with Spring:
On each html form of your application you will have to include a hidden field. Let's name this field CSRF_TOKEN. This field should have a randomly generated value. This value is placed both in the session and the hidden field. The name of the session attribute is SESSION_CSRF_TOKEN
When the form is submitted to the server, you check whether the value in the session (SESSION_CSRF_TOKEN) equals the value sent in the HTTP request parameter CSRF_TOKEN. If not, you show some kind of error message and you stop processing. If they are equal, proceed.
If the user opens a new tab or duplicates a tab, the server will re-render the page and a new CSRF_TOKEN will be generated. So the user will only be able to submit the form from the newly opened tab , and not from the original.
This solution offers an additional bonus: It protects from CSRF attacks.
Related
I use Spring 4.1.1. And I must make service of user session. What's the best way of storing session related data of a user? I read so many way's , but I don't understand which way is proper?
it's example that I need
#Controller
#SessionAttributes("user")
public class PagesController {
#RequestMapping(value="/sign_in", method = RequestMethod.POST)
public String getSignIn(#RequestParam(value="user")String user ,
#RequestParam(value="pass")String password,
Model model) {
UserDAO dao = new UserDao();
if(dao.isUserValid(user,password) && !model.containsAttribute("user")){
User user = new User();
model.addAttribute("user",user);
return USER_PAGE;
}
return LOGIN_PAGE;
}
}
First of all, Session Attribute is not a good option to store your user object. It is spring who decides when to clear a session attribute data. As per spring documentation, spring removes a session attribute when it understands that a 'conversation' is completed. You only use session attribute when you are in a controller scope and the data is temporarily needed to be stored in the session.
As far as user login object goes, the thing you need to do is to use http sesison. When you login/sign in to your application you actually post the login credential to your controller. Once validated, you put the user object (with your necessary info-as less as possible- in to an object and store in to your session). This object will remain as long as it doesn't expire or you clear it when the user trigger logout.
Moreover if you still want to use SessionAttribute to store your user Object. Then there can be further problem when you deploy your application to a clustered environment. Your session will have to be copied to each instance of your server unless you implement sticky session. Copying httpsession is the simplest of task whereas copying the same instance of a sessionAttribute is not.
#RequestMapping(value = "login.html", method = RequestMethod.POST)
public ModelAndView post(#ModelAttribute("login") LoginEntity login, HttpServletRequest req) {
... process the data ...
if passed put it into session:
HttpSession session = req.getSession(true);
UserObject userObject=new UserObject();
userObject.setName(login.getUserName());
...
session.setAttribute("user",userObject);
It is OK that you put your user object in session, and then use it in your project everywhere. However, if you get a lot of users, that means you have many user object in the memory of your server. The memory might run out.
Another way to do it is to put some user information in cookies with some encryption and validation, but just remember not to put too much info in cookies because cookies will be sent every time a request or a response is made. If there to much information to send, it will slow the response time.
And just a reminder, you should call status.setComplete() to clean the attributes inside a session when they are not needed.
Does SessionStatus object.setComplete() clears all the session attributes or just work for the controller in which it is used?
and if you don't know how to use it, you can see the article below
http://vard-lokkur.blogspot.tw/2011/01/spring-mvc-session-attributes-handling.html
I am looking for a way to do a redirect or forward from one Controller request mapping to another.
The situation is that I have a Controller that has three stages: User inputs data -> Preview page -> Submit. In the Preview request mapping I have the Model Attribute and its BindingResult. If I have errors in the binding, I want to push the user back to the New form using a redirect, but when I do that Spring re-evaluates the ModelAttribute, and thusly re-creates the BindingResult.
Some code:
#RequestMapping(value = "\new", method = RequestMethod.GET)
#ApplicationUserCreated
public String formNew(
#ModelAttribute("formBean") FormBean formBean,
BindingResult bindingResults,
Model uiModel) {
// Do some stuff
// Send the "new form" view
return "new.jsp";
}
#RequestMapping("/preview", method = RequestMethod.POST)
#ApplicationUserCreated
public String formPreview(
#ModelAttribute("formBean") FormBean formBean,
BindingResult bindingResults,
Model uiModel) {
// TODO: Validate the form
if(bindingResults.hasErrors()) {
// Redirect them back to the "New" form
return "redirect:" + "/new";
} else {
return "preview.jsp";
}
}
Please excuse any typos, as I had to try to simplify the code some. I tried removing the BindingResults from the formNew() method, but when Preview redirects to New, it still seems to overwrite the BindingResults. I also tried doing a "forward" instead, but same results.
I ended up just calling formNew() from formPreview() when I needed to send the user back to the new.jsp. I don't get the redirect, so the URL in the browser shows as "/preview", but at least it's working and I feel like I am not wasting time duplicating code.
You can store the BindingResult in Session or you can try to send that data with Spring Flash Attributes, if you have at least spring 3.1 .
** if ManagementMovesFormBean extends or implements you're FormBean, you should send that bean in flash attributes.
** by the way, to validate you're form, you should have added #Valid in front of #ModelAttribute(".....
Don't forget that a BindingResult is assign to a single class, in you're example you have 2 methods with different expected objects, so those two BindingObjects are different
I am not sure what the purpose of the preview page is but I would recommend performing validation on the same page and only when input is valid to proceed to preview using a redirect.
Hey guys i'm working on admin module for my project. When a person logs-in, a request is sent to login servlet. When it further ask for some other report by clicking other options a request for the report is sent to other servlet which gives the result on the page which is shown at the time of user which is of normal type. The session is lost between two servlets.
I am trying to navigate the generated report on some other page but for that i need to know user type in second servlet. This can be done by fetching value of user_type from login module bean class.
How to handle this situation? thanks
My login servlet is :
LoginService user = new LoginService();
user.setUserName(request.getParameter("username"));
user.setPassword(request.getParameter("password"));
user = UserDAO.login(user);
if (user.isValid())
{
HttpSession session = request.getSession(true);
session.setAttribute("currentSessionUser",user);
if(user.getUser_type().equalsIgnoreCase("admin")){
response.sendRedirect("administrator/homepage.jsp");
}else{
response.sendRedirect("homepage.jsp"); //logged-in page
}
}
else
response.sendRedirect("invalidlogin.jsp"); //error page
}
i tried using this in second servlet:-
LoginService session = (LoginService)request.getAttribute("currentSessionUser");
String drake = session.getUser_type();
System.out.println("usertype = " +drake);
Here LoginService is the bean class of login module. i'm get a nullpointer exception here.
I think you're trying to do stuff that your web container should handle for you... A session should automatically be maintained over the course of multiple servlet calls from the same client session. Methods from HttpServlet are given a HttpServletRequest. You can obtain the corresponding HttpSession using one of the getSession methods of that class.
You can bind stuff to the HttpSession using setAttribute and getAttribute.
EDIT: I'm taking this from the Servlet spec 2.5:
A servlet can bind an object attribute into an HttpSession implementation by name.
Any object bound into a session is available to any other servlet that belongs to the
same ServletContext and handles a request identified as being a part of the same
session.
I think you're better off getting the HttpSession object from the HttpServletRequest (at least assuming it's a HttpServlet) and setting/getting attributes through that. If you choose a proper name (it follows the same convention as Java package naming) for your attribute, you can be sure the returned object, as long as it's not null, can be cast to whatever type you put in there. Setting and getting attributes on the request itself isn't gonna help, I don't think stuff will get carried over from one servlet call to the next unless you call one servlet from the other with a RequestDispatcher, but that's not what you're after here.
So in your second code sample, do (LoginService)request.getSession().getAttribute("currentSessionUser");, that ought to work. Make sure to check for nulls and maybe choose an attribute name that uses your project's package name convention (like com.mycompany...).
I wouldn't mind a second opinion here since I'm not much of an EE/web developer.
I have a Spring Annonted Controller that is used to capture the information from a form and get a list of search results from the database.
Here is the definition of the method
#RequestMapping(method = RequestMethod.POST, params = {SUBMIT_BTN })
public ModelAndView processForm(#ModelAttribute(COMMAND_NAME){
// 1. Load search results using search parameters from form (Contained in a collection of some sort)
// 2. Create the ModelAndView
// 3. Redirect with RequestView or redirect: to generate a GET.
}
I think I need to redirect with redirect: since i have a list of items in a collection store in the session. Cannot add that as a url request param.
Basically I'm trying to prevent problems whith the back button where it says that the page is expired. I want to implement the PRG pattern in strings.
I'm having a hard time wrapping my head around converting the POST into a GET. Can I just redirect or do I need two methods? Thanks for any help you can provide.
The standard pattern is to have a controller method to handle the GET,and which shows the form (or whatever) to the user, and one to handle the POST, which is the form submission. The POST method sends a redirect after it has finished processing the submission, which comes back in to the GET method.
#RequestMapping(value="/myapp", method=GET)
public String showForm(#ModelAttribute(COMMAND_NAME){
return "form.jsp";
}
#RequestMapping(value="/myapp", method=POST)
public String processForm(#ModelAttribute(COMMAND_NAME){
// do stuff to process for submission
return "redirect:/myapp";
}
Returning a view name with the "redirect:" prefix forces Spring to send an HTTP direct rather than an internal request forward.
This is the same pattern that Spring 2.0 implemented with SimpleFormController, but the new way is far more transparent.
I'm quite sure this has to be in the docs somewhere, but I've looked for days and haven't spotted it. I'm probably staring myself blind when it's right in front of me, so sorry for asking an abvious question, but....
#RequestMapping(method = RequestMethod.POST)
public ModelAndView post(#ModelAttribute("user") User user) {
ModelAndView mav = new ModelAndView(jsonView);
//....
return mav;
}
This is my POST function as part of my controller, and I'd like to try it out. So I fire up Poster, the Firefox REST tester that I use for trying out my functions, and fire a POST to http://localhost:8000/userController with parameters { firstname = "foo", lastname = "bar }. That gives me:
org.springframework.web.HttpSessionRequiredException: Session attribute 'user' required - not found in session
So I try with { user.firstname = "foo", user.lastname = "bar" }, same error. What parameters do I need to send in a POST or PUT request in order to use this mechanism that automatically maps my parameters to an object?
Cheers
Nik
That effect apparnetly occurs if you have #SessionAttributes annotation at your class. This causes Spring to expect the model attribute to be stored in the session from a prior GET web request, that put the object into the model.
This behaviour allows partial binding of request parameters to model objects. The workflow is as follows:
you receive a GET request to populate the model
Spring binds all model objects you configured either by name or type in #SessionAttributes to the session
you receive a POST request with updated data
Spring takes the objects from the session and binds the request data to them
Othwerise Spring would populate an empty new object which is mostly not the desired behaviour.
That annotation will search in the session an attribute named 'user', while the parameters you send in the POST are stored as parameters of the request:
//Get a session attribute:
request.getSession().getAttribute("user");
//Get a request parameter:
request.getParameter("firstname");
More here
No annotation should be necessary on the User method parameter, Spring will recognise it as a command object and bind to it without the annotation.
#ModelAttribute is slightly confusing, I find, its meaning seems to vary from situation to situation.