I do not know how to use Session on Google app engine.
Please tell me.
Thanks.
Are you talking about request.getSession() in the Java Servlet API? You have to enable sessions before that will work. See this question for more info on using HttpSession. By the way, you should probably tag your questions with the App Engine variant you're using (java or python).
App Engine includes an implementation of sessions, using the servlet session interface. The implementation stores session data in the App Engine datastore for persistence, and also uses memcache for speed. As with most other servlet containers, the session attributes that are set with session.setAttribute() during the request are persisted at the end of the request.
This feature is off by default. To turn it on, add the following to appengine-web.xml:
<sessions-enabled>true</sessions-enabled>
Related
I am developing a web application with two major division, one is the Wicket side of the application and the Restlet side of the application which are quite decoupled. Although the code resides in the same project, I want to decouple it, so the Wicket part calls on the REST services exposed by the Restlet backend.
Now the issue is with the Session, in the Restlet part, there is a Shiro component which does the authentication et. al. when /login is accessed and the correct username & password pair is supplied.
The question is, what is the approach such that Wicket part of the app would know about the session user currently logged-in in the Restlet part with Shiro?
If your Restlet server part shares same web session provided by the container with your Wicket app, you can access it in Wicket with:
((HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest()).getSession()
Which gives you javax.servlet.http.HttpSession provided by Servlet api. Your Wicket's session which extends org.apache.wicket.protocol.http.WebSession is stored in this session under wicket:wicket.yourapp:session key along with other data set by you, or libraries you use outside Wicket.
I don't know Restlet and how you propagate session there, but I assume you will a need dependency to Servlets in your Restlet / Shiro part, which stores data in session.
Edit: Checking Shiros Session interface javadoc:
//A Session is intended to be managed by the business tier and accessible via other tiers without being tied to any given client technology. This is a great benefit to Java systems, since until now, the only viable session mechanisms were the javax.servlet.http.HttpSession or Stateful Session EJB's, which many times unnecessarily coupled applications to web or ejb technologies
Considering this the above proposal will not work, but it sounds you should be able to easily access Shiros Session object, if you add Shiro dependency to your Wicket part.
You create a new HttpServletRequest to your Restlet back-end, so it will create a session between your front-end and back-end and not use the current session between the users browser and the front-end.
Only way this will work if you try to perform session hijacking in your application to be able to get the user session in both components.
Federated Login on Google App Engine (both Java and Python) does not transition across application versions. CreateLoginURL ignores attributes such as openid.realm (which would allow me to set a wildcard on the domain). A version's sub-domain results in a different session than the main application (or a different version's session). Is this a flaw in Google's session tracking? Or is this a flaw in the Federated login? Or am I doing something wrong (or not doing something right)?
It sounds like I need to handle sessions and OpenID interactions myself to overcome this limitation, but I wanted to ping the Stackoverflow folks before I reinvented the wheel.
Examples in Python or Java are welcome.
Default GAE sessions are based on cookies (in GAE production its named ACSID or SACSID) which are NOT subdomain cookies.
About subdomain cookies: https://serverfault.com/questions/153409/can-subdomain-example-com-set-a-cookie-that-can-be-read-by-example-com
To make this work you should write your own custom session handler.
If want to store my web application session to different storage, because one every new request user might use different node, is it possible to override default container session storage?
You do not need to overrride anything. It should come with the server you are using. You need to look at "Session replication". In clustering environments, the app server can be configured to replicate session across nodes.
You will need to check documentation of the app server you are using to figure out how this can be enabled.
Please checkout the memcached-session-manager. It stores the session in external memcached server and works for both sticky-session and non-sticky-session(which is your case) scenario.
We need to enable java servlet sessions support for one Google App Engine project, but session will be used only in one servlet (small isolated part of application).
Would we get some increased latency impact (because of session memcache/datastore object) in other servlets although session object would not be used in any other servlets?
Is there a way to disable sessions support for some servlets ?
There is no way to enable sessions on a per servlet basis.
Also sessions consume a read from memcache and a write to datastore for every request. So this can get costly.
Additionally if your client does not handle cookies (usually devices via REST), then every request will create a new session entity in datastore. And this will grow indefinitely.
The solution is to roll your own sessions - create servlet filter that gets/sets cookies only for certain path/servlet.
Building a JSF application with Spring on Tomcat. The target is a web farm, and the client has requested that we design our application so that it can be load balanced without relying on "sticky sessions" in the LB.
In .NET, you can configure the session store to be SQL Server or the ASP.NET State Service. What alternatives are there in the Java world? Is there a standard way to plug in a different session state store that points to a MySQL database for example? Does Spring provide any hooks?
This is servletcontainer specific which in this case is Tomcat. The servletcontainer is the one which manages and provides the sessions. So JSF and Spring have nothing to do here. They just transparently gets it from the servletcontainer by request.getSession() and so on.
In Tomcat, you can provide a custom session manager implementation in the webapp's Context:
<Context ...>
<Manager className="com.example.SessionManager">
..where com.example.SessionManager implements org.apache.catalina.Manager as per its contract. Therein you can write code to back the sessions by a database.
However, there are alternatives for your particular requirement, you can choose for Tomcat's builtin clustering/session-replication capabilities instead of reinventing it with a custommade manager/database. Read more about it at the Tomcat Clustering/Session Replication HOW-TO.