We have a web-based application with tech stack -
1. Java Struts based
2. Hibernate
3. DB - Oracle
4. App server - JBoss server
We are facing an issue related to concurrent usage of the application by two or more users. When I am doing an operation and I submit the changes, the next page or success message that comes up is of a different operation that another user is performing at the same time.
Users are logged in as different users and so are using different sessions.
We have no clue of where the problem is, so I am not sure what other details I can provide.
Has anyone else faced such an issue or any pointers?
Are you using application context instead of session context? Moreover, as Eed3si9n said, beware of Singletons, that might be causing this.
"In addition check for the use of static fields. One app I was brought in to fix used a static string for error message. As soon as any user received an error they all did. Worked fine until there wasmore than one concurrent user." – Michael Rutherfurd (posted it as a comment)
I am not familiar with specific libraries you are using, but let me try.
How stateless are your application code? Do you have any sort of global state like singleton with member fields? If the service is stateful and are using singleton, you could have such mixups.
Check if the form is defined as application scope and the message you showing on the screen is coming from that form.
Related
I have deployed my spring boot application on GAE, Java 11, Standard Environment. As per the documentation for Java11 we need to use app.yaml for configuring the instances.
I wanted to know as to how I can enable sharing of sessions between instances. As per my research, Earlier we could simply solve this problem by setting sessions-enabled and async-session-persistence in appengine-web.xml. With appengine-web.xml gone, what is the equivalent way of doing this in app.yaml.
Use case that i am trying to achieve is :
Using spring security (Unfortunately i get logged out when according to me the request of the same user goes to another instance.)
Storing the user retrieved from DB in a #SessionScoped variable so as to avoid multiple DB calls.
Any help here would be really appreciated. Thanks!
I went through a lot of documentation, but I believe that this is not inside the app.yaml configuration reference.
Alternatively, I could find that you could use session affinity in order to use a instance to reply always the requests of a same user, this can be enabled in your app you can use the next tag in your app.yaml according to this documentation.
network:
session_affinity: true
Hope this works for you.
I am trying to implement row level security so our application can enforce more stringent access control.
One of the technologies we are looking into is Oracle's Virtual Private Database, which allows row level security by basically augmenting all queries against specific tables with a where clause predicate. Since we are in a web environment, we need to set up a special context within Oracle, inside a single request's thread. We use connection pooling with a service account.
I started to look into Eclipse Link and Hibernate. Eclipse Link seems to have events that fit perfectly into this model.
This would involve us migrating from hibernate, which is not a problem, but we would then be bound to EL for these events.
Oracle seems to imply that they implement at the data source level in Web Logic product.
The context is set and cleared by the WebLogic data source code.
Question: Is it more appropriate to do this at the DataSource level with some series of events. What are the events or methods that I should pay the most attention too?
Added Question: How would I extend a connection pool to safely initialize an oracle context with some custom data? I am digging around in Apache, and it seems like extending BasicDataSource doesn't give me access to anything that would allow me to clean up the connection when Spring is done with it.
I need to set up a connection, and clean up a connection as the exit / enter the connection pool. I am hoping for an implementation that is so simple, no one can mess it up by breaking some delicate balance of products.
- Specifically we are currently using Apache Commons DBCP Basic Data Source
This would allow us to use various ways to connect to the database and still have our security enforced. But I don't see a great example or set of events to work with, and rolling my own security life cycle is never a good idea.
I eventually solved my problem by extending some of the Apache components.
First I extended org.apache.commons.pool.impl.GenericObjectPool and overrode both borrowObject() and returnObject(). I knew the type of the objects in the pool (java.sql.Connection) so I could safely cast and work with them.
Since for my case I was using Oracle VPD, I was able to set information in the Application context. I recommend you read about that in more depth. It is a little complicated and there are a lot of different options to hide or share data at various contexts level, and across RAC nodes. Start
In essence what I did was generate a nonce and use it to instantiate a session within oracle, and then set the access level of the user to a variable in that session, that the Oracle VPD policy would then read and use to do the row level filtering.
I instantiated and destroyed that information in my overridden borrowObject() and returnObject() The SQL I ran was something like this:
CallableStatement callStat =
conn.prepareCall("{call namespace.cust_ctx_pkg.set_session_id(" + Math.random() + ")}");
callStat.execute();
Note math.random() isn't a good nonce.
Next was to simply extend org.apache.commons.dbcp.BasicDataSource and set my object pool by overriding createConnectionPool(). Note that the way I did this disabled some functionality I did not need, so you may need to rewrite more or less than I did.
You can try any object level security mechanism for simplicity, like Spring Security ACL.
You will want to do this at the application layer. You will want a pre-commit hook and a post read hook.
The pre-commit hook is used to ensure that data from the client is being presented by a user authorized to modify that data. This prevents an unauthorized user from overwriting data that they shouldn't be able to access.
It's not intuitive, but the post read hook is used to keep the client from accessing data the user shouldn't be allowed to view. This happens post-view because this is being enforced at the application layer, not at the data layer. The application has no way to know if the caller is allowed to access the data until it's been retrieved from the data layer. In the post read hook you evaluate the credential on each row returned against the credential of the logged in user in order to determine whether or not access is allowed. If access is denied on any row then an exception would be raised and the data would not be returned to the client.
Application level security done in this way requires that you have a way to connect each row in a table to a permission/role required to access it and a way to evaluate a user's permissions on the server at runtime.
Hope that helps.
You will get better control by using one of the other Commons DBCP Datasources.
The Basic one is just that: basic :)
The ones in org.apache.commons.dbcp.datasources package gives you more fine-grained control.
I have a Java App Engine app and whenever we modify any classes that are serialized as part of the session anyone that had a pre-existing session is broken (since the object persisted or in memcache is no longer compatible with the new object). I've done a bunch of searching and it seems as though there's no way to get those users working again unless they clear their cookies or we clear every entry in _ah_SESSION. The error happens so high up that the browser is sent a blank page, so we can't even do something like returning a page that can delete the cookies with javascript. I've tried creating a servlet filter, but the error happens before any filters are processed.
This appears to be a pretty wide-spread problem - I can't believe there's no way to handle this.
Thanks,
Stephen
I would like to totally disable session creation and management in my web app to eradicate the memory (and other resource) usage currently associated with Tomcat's standard session manager. This includes disabling sesison cookies and/or url rewriting as, if I'm succesful, there will be no sessions to track.
My web application has a single servlet that passes the xml it receives to an API/engine. This engine can run inside or outside a servlet container and it creates, tracks and manages sessions in its own way. I have zero need for the sessions in Tomcat and I'd like to reduce to the barest minimum the resources Tomcat uses for session management.
I ran some searches on the topic. The searches came up with some topics, including some on this website. It appears that the tightest way to address this issue is to create your own Manager implementation that, bascially, provides an 'empty' implementation that does the barest minimum. (There were some alternative suggestions but I found them to be relatively weak. These suggestions included "just don't call getSession()", and "set the 'cookies' attribute of a context to false". I think implementing a session manager that does what I want is better than these suggestions and it is the path I have elected to go down.)
Given this information, that rolling your own session manager is a good way to go, I then downloaded the Tomcat source code to take a look at code related to a Manager implementation. It all looks doable but it looks like a few hours work for me to come up with my attempt at a sesssion manager. Before committing to that path and the work involved, I thought I'd put it out there - Does anyone have a minimal session manager implementation for Tomcat they can share? One that does nothing would be best, but I'll take anything including tips and battle stories from anyone who has written their own session manager. I am working with Tomcat 6.
I am using MySql 5
Hi I am using/start learing JDBC. Well I got stuck here: After an user authenticated, I would like to start/generate the session for the user. How do I do that?
In php, I know, we can start by using the "start_session()" function. Is there any similar function in JDBC?
If there is no such kind of functions, how do we create/start session? I am really new to JDBC, so this question may sound stupid to you all, but I really cant find the answer over the internet and thats why I ask this question here. (My best resource)
Oh ya, btw, if its possible, can you include in the answer about the session destroy/delete as well? Thanks in millions
EDIT
Okay, looks like this question abit too easy(or too tough??). Maybe could try this one, is there any other way that java can unique identify an logged in user beside using session??
start_session in php creates a user session if it does not exist.
In the jave web app we have a HttpSession class whose instance is created by doing:
request.getSession(boolean)
This call : Gets the current valid session associated with this request, if create is false or, if necessary, creates a new session for the request, if create is true.
This has nothing to do with JDBC calls - that are mainly related to connection establishment and execution of queries.
Assuming you are talking in the context of web application. There is a session provided by the Servlet container. You authenticate the user and set the credentials in the session of that user, to re-use whenever necessary, for example to know the privileges of the user etc..
Regarding JDBC, we usually go with connection pooling mechanism. So, it has nothing to do with the HTTP session of the user. We get the connection from the pool, and place it back once done. If you need to manage transaction or something you can look into JTA.
[Edited]
Try to look at the code of this Simple Login application. I am sure it will help.
Maybe the JDBC programming modl doesn't look quite the same as php.
Have you tried turorials auch as this, note the use use of Statements and ResultSets. You don't see a "Session"
JDBC is only about interacting with databases (and things that look like them); the concept of a user session doesn't have anything to do with interacting with a database.
As the user Vinegar has suggested, if you are doing Java web development, there is a session implementation available.
I suggest you provide more info on what you are doing and if that includes some sort of web development (I'm assuming yes, since you come from a PHP background).