this one has been bugging me for a few days
what i would like to do is on one of my views i would like to get a list of Locations (Entity) and submit the selected location to a session variable so i can show relative data according to the location
i'm unsure how to go about setting this up
any response would be appreciated
Since you tagged this with Spring, you can get direct access to the HttpSession object and just shove the data right in there. Your controller method signature would look something like this in Spring 3.0:
public ModelAndView someMeaningfulName(#ModelAttribute Location location, HttpSession httpSession) {
httpSession.setAttribute("location", location);
// Other method code
}
You you have access to the HttpServletRequest object, you can also gain access to the HttpSession from that object as well (request.getSession()). Just be aware, that the HttpSession object may not be thread safe and that the scope of this object is now tied to the User's session.
Related
I use Spring 4.1.1. And I must make service of user session. What's the best way of storing session related data of a user? I read so many way's , but I don't understand which way is proper?
it's example that I need
#Controller
#SessionAttributes("user")
public class PagesController {
#RequestMapping(value="/sign_in", method = RequestMethod.POST)
public String getSignIn(#RequestParam(value="user")String user ,
#RequestParam(value="pass")String password,
Model model) {
UserDAO dao = new UserDao();
if(dao.isUserValid(user,password) && !model.containsAttribute("user")){
User user = new User();
model.addAttribute("user",user);
return USER_PAGE;
}
return LOGIN_PAGE;
}
}
First of all, Session Attribute is not a good option to store your user object. It is spring who decides when to clear a session attribute data. As per spring documentation, spring removes a session attribute when it understands that a 'conversation' is completed. You only use session attribute when you are in a controller scope and the data is temporarily needed to be stored in the session.
As far as user login object goes, the thing you need to do is to use http sesison. When you login/sign in to your application you actually post the login credential to your controller. Once validated, you put the user object (with your necessary info-as less as possible- in to an object and store in to your session). This object will remain as long as it doesn't expire or you clear it when the user trigger logout.
Moreover if you still want to use SessionAttribute to store your user Object. Then there can be further problem when you deploy your application to a clustered environment. Your session will have to be copied to each instance of your server unless you implement sticky session. Copying httpsession is the simplest of task whereas copying the same instance of a sessionAttribute is not.
#RequestMapping(value = "login.html", method = RequestMethod.POST)
public ModelAndView post(#ModelAttribute("login") LoginEntity login, HttpServletRequest req) {
... process the data ...
if passed put it into session:
HttpSession session = req.getSession(true);
UserObject userObject=new UserObject();
userObject.setName(login.getUserName());
...
session.setAttribute("user",userObject);
It is OK that you put your user object in session, and then use it in your project everywhere. However, if you get a lot of users, that means you have many user object in the memory of your server. The memory might run out.
Another way to do it is to put some user information in cookies with some encryption and validation, but just remember not to put too much info in cookies because cookies will be sent every time a request or a response is made. If there to much information to send, it will slow the response time.
And just a reminder, you should call status.setComplete() to clean the attributes inside a session when they are not needed.
Does SessionStatus object.setComplete() clears all the session attributes or just work for the controller in which it is used?
and if you don't know how to use it, you can see the article below
http://vard-lokkur.blogspot.tw/2011/01/spring-mvc-session-attributes-handling.html
I have an Spring-mvc application and in each controller I add a form to SessionAttributes to preserve properties when save, delete or do another get request. Main problem becomes when I try to open some link in another browser tab and try to submit the first one. I tried this solution but when I do a redirect (in controller I only have 1 return for view and the other methods do a redirect) it creates a new conversation and can't find previous one.
I have another question about this triying to use spring-session, question It's here but I don't know if this will work too.
Did you look into Spring's RedirectAttributes? I haven't used it myself but it sounds like it should do what you would like. RedirectAttributes is typically used for GET/redirect/POST patterns and at least one user seems to think passing session attributes this way is bad practice, however they go on to mention there doesn't seem to be a better solution. Anyway, the example shown in the documentation:
#RequestMapping(value = "/accounts", method = RequestMethod.POST)
public String handle(Account account, BindingResult result, RedirectAttributes redirectAttrs) {
if (result.hasErrors()) {
return "accounts/new";
}
// Save account ...
redirectAttrs.addAttribute("id", account.getId()).addFlashAttribute("message", "Account created!");
return "redirect:/accounts/{id}";
}
would add the "message" attribute to a RedirectModel, and if your controller redirects, then whatever method handles the redirect can access that data like so:
#RequestMapping(value = "/accounts", method = RequestMethod.POST)
public String handleRedirect(Model model) {
String message = (String) model.asMap().get("message");
return new ModelAndView();
}
So adding session attributes should be possible in the same way. Another reference here.
EDIT
I was looking through the Spring documentation and they also mention this annotation #SessionAttributes. From the documentation:
The type-level #SessionAttributes annotation declares session attributes used by a specific handler. This will typically list the names of model attributes or types of model attributes which should be transparently stored in the session or some conversational storage, serving as form-backing beans between subsequent requests.
Could this be what you need?
And also a link to documentation on flash attributes.
This is the solution we have come up with, nothing to do with Spring:
On each html form of your application you will have to include a hidden field. Let's name this field CSRF_TOKEN. This field should have a randomly generated value. This value is placed both in the session and the hidden field. The name of the session attribute is SESSION_CSRF_TOKEN
When the form is submitted to the server, you check whether the value in the session (SESSION_CSRF_TOKEN) equals the value sent in the HTTP request parameter CSRF_TOKEN. If not, you show some kind of error message and you stop processing. If they are equal, proceed.
If the user opens a new tab or duplicates a tab, the server will re-render the page and a new CSRF_TOKEN will be generated. So the user will only be able to submit the form from the newly opened tab , and not from the original.
This solution offers an additional bonus: It protects from CSRF attacks.
I came across a code where the session object is obtained in two different ways (or rather wrote in two different ways).
using HttpServletRequest
someMethod(HttpServletRequest request){
HttpSession session = request.getSession();
//getAttribute from session
}
And using HttpSession
anotherMethod(HttpSession session){
//getAttribute from session
}
I went through this article and a question on SO. But i am still have some doubts.
Can someone help me understand what is the difference between these?
UPDATE
Both of these are methods in a spring controller and these are mapped to different ajax calls. I understand that there is a session associated with every request object but when you pass an HttpSession object where does it find the current session object(load all the attributes) or how is it obtained? When I call the method from javascript, I don't pass anything at all.
someMethod(HttpServletRequest request)
In this you are passing the current request object, from which you can obtain your current session and then you can get attributes from it.. You can get the current session object from your request object by using : -
request.getSession(false)
*NOTE: - We pass false as a parameter to getSession(false) to get any existing session.. If no session exist it will return null..
whereas, request.getSession() will always create a new session, so you won't get any prevoius attribute store in other session..
anotherMethod(HttpSession session)
Here you are passing the session object itself from somewhere.. Might be because, your session object contains many attributes, and you don't want to many parameters in the method..
But you should do all this session related task in your Servlet and pass the attribute to the methods of other class..
There is no huge difference between these two, the second method may be used if called multiple times to eliminate one extra method call request.getSession() by keeping session as somewhat like a local cache (with ignorable performance improvement unless called 100s of times).
eg,.
HttpSession session=request.getSession();
getFirstAttr(session);
getSecondAttr(session);
....
getHundredthAttr(session);
If you use the first method, then all the times that method is called one extra request.getSession() is called.
You don't need to float session objects if you have single attribute. Just simply access it using session object.
HttpSession session = request.getSession(true);
session.getAttribute(name);
Now only sensible case where you can float session objects is you have large number of attributes and you want each method to access its own set of attributes. In any case the method depends on session passed to it so it should not care how it was obtained.
Hey guys i'm working on admin module for my project. When a person logs-in, a request is sent to login servlet. When it further ask for some other report by clicking other options a request for the report is sent to other servlet which gives the result on the page which is shown at the time of user which is of normal type. The session is lost between two servlets.
I am trying to navigate the generated report on some other page but for that i need to know user type in second servlet. This can be done by fetching value of user_type from login module bean class.
How to handle this situation? thanks
My login servlet is :
LoginService user = new LoginService();
user.setUserName(request.getParameter("username"));
user.setPassword(request.getParameter("password"));
user = UserDAO.login(user);
if (user.isValid())
{
HttpSession session = request.getSession(true);
session.setAttribute("currentSessionUser",user);
if(user.getUser_type().equalsIgnoreCase("admin")){
response.sendRedirect("administrator/homepage.jsp");
}else{
response.sendRedirect("homepage.jsp"); //logged-in page
}
}
else
response.sendRedirect("invalidlogin.jsp"); //error page
}
i tried using this in second servlet:-
LoginService session = (LoginService)request.getAttribute("currentSessionUser");
String drake = session.getUser_type();
System.out.println("usertype = " +drake);
Here LoginService is the bean class of login module. i'm get a nullpointer exception here.
I think you're trying to do stuff that your web container should handle for you... A session should automatically be maintained over the course of multiple servlet calls from the same client session. Methods from HttpServlet are given a HttpServletRequest. You can obtain the corresponding HttpSession using one of the getSession methods of that class.
You can bind stuff to the HttpSession using setAttribute and getAttribute.
EDIT: I'm taking this from the Servlet spec 2.5:
A servlet can bind an object attribute into an HttpSession implementation by name.
Any object bound into a session is available to any other servlet that belongs to the
same ServletContext and handles a request identified as being a part of the same
session.
I think you're better off getting the HttpSession object from the HttpServletRequest (at least assuming it's a HttpServlet) and setting/getting attributes through that. If you choose a proper name (it follows the same convention as Java package naming) for your attribute, you can be sure the returned object, as long as it's not null, can be cast to whatever type you put in there. Setting and getting attributes on the request itself isn't gonna help, I don't think stuff will get carried over from one servlet call to the next unless you call one servlet from the other with a RequestDispatcher, but that's not what you're after here.
So in your second code sample, do (LoginService)request.getSession().getAttribute("currentSessionUser");, that ought to work. Make sure to check for nulls and maybe choose an attribute name that uses your project's package name convention (like com.mycompany...).
I wouldn't mind a second opinion here since I'm not much of an EE/web developer.
I plan to create a Handler interceptor that will fire before the controller gets called (or I'll do this pre-action firing).
I will then check the user's cookie, and load the user object based on the sessionid in the cookie.
I will then add the user object to the request attributes.
Now if I want to retrieve the user object in my controllers action, do I cast it to (User) ?
I believe in my freemarker template I can just do ${user.name} correct? or is it user.getUsername ?
First, you'd better place the user in the session, so that the cookie > user conversion does not happen on each request.
Second, you can just get it from there (session/request) by calling
User user = (User) session.getAttribute(USER_KEY); // this is s String constant
Alternatively, you can make a class UserHolder, where you pass an HttpSession and it gives you the user, thus sparing the casts in your controller cote.
The same approach can be used with HttpServletRequest.