Java Database Connectivity (JDBC) session handling? - java

I am using MySql 5
Hi I am using/start learing JDBC. Well I got stuck here: After an user authenticated, I would like to start/generate the session for the user. How do I do that?
In php, I know, we can start by using the "start_session()" function. Is there any similar function in JDBC?
If there is no such kind of functions, how do we create/start session? I am really new to JDBC, so this question may sound stupid to you all, but I really cant find the answer over the internet and thats why I ask this question here. (My best resource)
Oh ya, btw, if its possible, can you include in the answer about the session destroy/delete as well? Thanks in millions
EDIT
Okay, looks like this question abit too easy(or too tough??). Maybe could try this one, is there any other way that java can unique identify an logged in user beside using session??

start_session in php creates a user session if it does not exist.
In the jave web app we have a HttpSession class whose instance is created by doing:
request.getSession(boolean)
This call : Gets the current valid session associated with this request, if create is false or, if necessary, creates a new session for the request, if create is true.
This has nothing to do with JDBC calls - that are mainly related to connection establishment and execution of queries.

Assuming you are talking in the context of web application. There is a session provided by the Servlet container. You authenticate the user and set the credentials in the session of that user, to re-use whenever necessary, for example to know the privileges of the user etc..
Regarding JDBC, we usually go with connection pooling mechanism. So, it has nothing to do with the HTTP session of the user. We get the connection from the pool, and place it back once done. If you need to manage transaction or something you can look into JTA.
[Edited]
Try to look at the code of this Simple Login application. I am sure it will help.

Maybe the JDBC programming modl doesn't look quite the same as php.
Have you tried turorials auch as this, note the use use of Statements and ResultSets. You don't see a "Session"

JDBC is only about interacting with databases (and things that look like them); the concept of a user session doesn't have anything to do with interacting with a database.
As the user Vinegar has suggested, if you are doing Java web development, there is a session implementation available.
I suggest you provide more info on what you are doing and if that includes some sort of web development (I'm assuming yes, since you come from a PHP background).

Related

Safely Wrapping a Connection Pool

I am trying to implement row level security so our application can enforce more stringent access control.
One of the technologies we are looking into is Oracle's Virtual Private Database, which allows row level security by basically augmenting all queries against specific tables with a where clause predicate. Since we are in a web environment, we need to set up a special context within Oracle, inside a single request's thread. We use connection pooling with a service account.
I started to look into Eclipse Link and Hibernate. Eclipse Link seems to have events that fit perfectly into this model.
This would involve us migrating from hibernate, which is not a problem, but we would then be bound to EL for these events.
Oracle seems to imply that they implement at the data source level in Web Logic product.
The context is set and cleared by the WebLogic data source code.
Question: Is it more appropriate to do this at the DataSource level with some series of events. What are the events or methods that I should pay the most attention too?
Added Question: How would I extend a connection pool to safely initialize an oracle context with some custom data? I am digging around in Apache, and it seems like extending BasicDataSource doesn't give me access to anything that would allow me to clean up the connection when Spring is done with it.
I need to set up a connection, and clean up a connection as the exit / enter the connection pool. I am hoping for an implementation that is so simple, no one can mess it up by breaking some delicate balance of products.
- Specifically we are currently using Apache Commons DBCP Basic Data Source
This would allow us to use various ways to connect to the database and still have our security enforced. But I don't see a great example or set of events to work with, and rolling my own security life cycle is never a good idea.
I eventually solved my problem by extending some of the Apache components.
First I extended org.apache.commons.pool.impl.GenericObjectPool and overrode both borrowObject() and returnObject(). I knew the type of the objects in the pool (java.sql.Connection) so I could safely cast and work with them.
Since for my case I was using Oracle VPD, I was able to set information in the Application context. I recommend you read about that in more depth. It is a little complicated and there are a lot of different options to hide or share data at various contexts level, and across RAC nodes. Start
In essence what I did was generate a nonce and use it to instantiate a session within oracle, and then set the access level of the user to a variable in that session, that the Oracle VPD policy would then read and use to do the row level filtering.
I instantiated and destroyed that information in my overridden borrowObject() and returnObject() The SQL I ran was something like this:
CallableStatement callStat =
conn.prepareCall("{call namespace.cust_ctx_pkg.set_session_id(" + Math.random() + ")}");
callStat.execute();
Note math.random() isn't a good nonce.
Next was to simply extend org.apache.commons.dbcp.BasicDataSource and set my object pool by overriding createConnectionPool(). Note that the way I did this disabled some functionality I did not need, so you may need to rewrite more or less than I did.
You can try any object level security mechanism for simplicity, like Spring Security ACL.
You will want to do this at the application layer. You will want a pre-commit hook and a post read hook.
The pre-commit hook is used to ensure that data from the client is being presented by a user authorized to modify that data. This prevents an unauthorized user from overwriting data that they shouldn't be able to access.
It's not intuitive, but the post read hook is used to keep the client from accessing data the user shouldn't be allowed to view. This happens post-view because this is being enforced at the application layer, not at the data layer. The application has no way to know if the caller is allowed to access the data until it's been retrieved from the data layer. In the post read hook you evaluate the credential on each row returned against the credential of the logged in user in order to determine whether or not access is allowed. If access is denied on any row then an exception would be raised and the data would not be returned to the client.
Application level security done in this way requires that you have a way to connect each row in a table to a permission/role required to access it and a way to evaluate a user's permissions on the server at runtime.
Hope that helps.
You will get better control by using one of the other Commons DBCP Datasources.
The Basic one is just that: basic :)
The ones in org.apache.commons.dbcp.datasources package gives you more fine-grained control.

A 'do nothing' session manager for Tomcat 6+

I would like to totally disable session creation and management in my web app to eradicate the memory (and other resource) usage currently associated with Tomcat's standard session manager. This includes disabling sesison cookies and/or url rewriting as, if I'm succesful, there will be no sessions to track.
My web application has a single servlet that passes the xml it receives to an API/engine. This engine can run inside or outside a servlet container and it creates, tracks and manages sessions in its own way. I have zero need for the sessions in Tomcat and I'd like to reduce to the barest minimum the resources Tomcat uses for session management.
I ran some searches on the topic. The searches came up with some topics, including some on this website. It appears that the tightest way to address this issue is to create your own Manager implementation that, bascially, provides an 'empty' implementation that does the barest minimum. (There were some alternative suggestions but I found them to be relatively weak. These suggestions included "just don't call getSession()", and "set the 'cookies' attribute of a context to false". I think implementing a session manager that does what I want is better than these suggestions and it is the path I have elected to go down.)
Given this information, that rolling your own session manager is a good way to go, I then downloaded the Tomcat source code to take a look at code related to a Manager implementation. It all looks doable but it looks like a few hours work for me to come up with my attempt at a sesssion manager. Before committing to that path and the work involved, I thought I'd put it out there - Does anyone have a minimal session manager implementation for Tomcat they can share? One that does nothing would be best, but I'll take anything including tips and battle stories from anyone who has written their own session manager. I am working with Tomcat 6.

Checking database availability with Spring MVC to force a redirect

I'm implementing Spring MVC but would like to redirect if one of my database goes offline. Is there any easy way to check this? The application uses several databases (one for authentication etc.) so I need a graceful way of handling database issues.
Thanks,
For every dataSource run something like:
new JdbcTemplate(dataSource).queryForInt("SELECT 1").
Your dataSource might be configured to test connection before returning it, so in some cases it won't even reach query when database is down. To make the code simple, wrap this code in aspect around all your controllers.
More clean but a bit less flexible solution is to use some custom exception mapper that will catch database exceptions (Spring provides nice JDBC exceptions abstraction layer) and redirect appropriately.
Try to connect to the database, and if you can't, then redirect.

Multi-user Datasources - Spring + Hibernate

I'm writing a web app that supports multiple users. Each user has their own database - using H2. all database schemas are the same.
I wish to use Spring + Hibernate for this application.
So I'm stuck at how to associate a user's database with that user - maybe associated it in the HTTPSession, and extend spring's AbstractRoutingDataSource? but wouldn't this effect Hibernate's cache? Another way is to have a SessionFactory with each datasource, even though every datasource's schema is the same... so I see that as a waste.
Anyways selecting the datasource needs to be dynamic - they can't be pre-configured in context files, as each new user will have its own database created. Is there any existing frameworks/solutions?
I don't know too much about Hibernate Shards, maybe that works?
I might be wrong about the (strict) need to have one SessionFactory per database, as suggested by some resources:
Dynamic DataSource Routing
I'll take some time to re-read everything tomorrow (I didn't get all the details to be honest) and to fully understand the implications of such a setup (although it seems clear that it will break the second-level cache). I'll come back on this later.
I'm writing a web app that supports multiple users. Each user has their own database - using H2. all database schemas are the same.
I wonder how this will scale... How many users do you have? How do you run H2, what mode?
So I'm stuck at how to associate a user's database with that user - maybe associated it in the HTTPSession, and extend spring's AbstractRoutingDataSource?
You'll have to build a SessionFactory per user and associate it to the logged user (in a Map, using the login as key) and then obtain a Session from a given SessionFactory. Binding the lifecycle of the SessionFactory to the HTTP session seems to be a good idea (to save some memory) but I am not sure Spring will be very helpful here. I might be wrong but a variation of the HibernateUtil class and a fully programmatic approach looks easier. I'm not sure you'll need multiple connections per user by the way.
but wouldn't this effect Hibernate's cache?
What cache?
Another way is to have a SessionFactory with each datasource, even though every datasource's schema is the same... so I see that as a waste.
Oh, it's a waste, but that's what you want to do (one database per user). And you don't have the choice (you need one SessionFactory per datadabase). Why do you need one database per user actually? Are you sure this is a wise decision? As already hinted, this means much troubles, won't scale well, adds complexity, etc. Why not using a single database and associating data to the user?
Anyways selecting the datasource needs to be dynamic - they can't be pre-configured in context files, as each new user will have its own database created. Is there any existing frameworks/solutions?
Not to my knowledge. Which is also why I think you'll have to do everything programatically.
I don't know too much about Hibernate Shards, maybe that works?
Given the dynamic needs of your application, I don't see how it could help.
This may help you:
Dynamic Datasource via Spring using HotSwappableTargetSource
Hibernate + Spring using multiple datasources?
Thanks to the help from the 2 people (Pascal and org.life.java)!
It is possible, but with some problems: e.g. the hibernate 2nd level cache/query cache.
This link supplied by Pascal is a very good resource:
http://www.jroller.com/kenwdelong/entry/horizontal_database_partitioning_with_spring.
My main motivation for giving each user a separate database is because the data is likely to grow rapidly, thus horizontal partitioning is required.

Exchanging of screens between two users

We have a web-based application with tech stack -
1. Java Struts based
2. Hibernate
3. DB - Oracle
4. App server - JBoss server
We are facing an issue related to concurrent usage of the application by two or more users. When I am doing an operation and I submit the changes, the next page or success message that comes up is of a different operation that another user is performing at the same time.
Users are logged in as different users and so are using different sessions.
We have no clue of where the problem is, so I am not sure what other details I can provide.
Has anyone else faced such an issue or any pointers?
Are you using application context instead of session context? Moreover, as Eed3si9n said, beware of Singletons, that might be causing this.
"In addition check for the use of static fields. One app I was brought in to fix used a static string for error message. As soon as any user received an error they all did. Worked fine until there wasmore than one concurrent user." – Michael Rutherfurd (posted it as a comment)
I am not familiar with specific libraries you are using, but let me try.
How stateless are your application code? Do you have any sort of global state like singleton with member fields? If the service is stateful and are using singleton, you could have such mixups.
Check if the form is defined as application scope and the message you showing on the screen is coming from that form.

Categories