spring session good practice? - spring

I have 2 Spring apps; I send requests from the first app to the second one with Unirest, something like below. As seen, I am using basic auth. So far it works. I suddenly got this thought: will this create a session on each request? If so, can I immediately end the session after the response is sent? I am not very willing to change the current implementation.
HttpRequest jsonResponse = Unirest.get(beeUrl+"/getPresentById/"+memId+"/"+role).basicAuth(bid.getPvalue(), bpwd.getPvalue()).header("Content-Type", "application/json");
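With Spring Security's default session policy (IF_REQUIRED) a successful basic-auth request does get an HttpSession created to hold the SecurityContext, so a JSESSIONID is issued on each call from the first app. This added example, which is not from the question or either app, shows a Spring Security 6 configuration that makes only the called endpoint stateless; the class name, the path pattern and the chain order are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class StatelessBasicAuthConfig {

    // Assumed path: the endpoint the first app calls with Unirest + basic auth.
    // Ordered first so it is matched before any catch-all chain the app already has.
    @Bean
    @Order(1)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/getPresentById/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // STATELESS: Spring Security never creates an HttpSession here and never
            // stores the SecurityContext in one, so no JSESSIONID is issued per request
            // and there is nothing to "end" after the response. The credentials are
            // re-verified on every call, which is what basic auth implies anyway.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        return http.build();
    }
}
```

The GET in the question is not subject to CSRF checks, so the CSRF configuration needs no change for this chain. To confirm the effect, call the endpoint with `curl -v -u user:pass` and check that the response carries no `Set-Cookie: JSESSIONID` header.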

Related

HttpSession vs RequestDispatcher

Please help me to understand when to use a session instead of RequestDispatcher.
So far I have seen that I can pass data from servlet to servlet and to a JSP by forwarding the request, and it can pretty much distinguish two different requests. So when and why should I use a session? Please help me to understand that.
HTTP is a stateless protocol following the request/response pattern. It means that you get a request from the client and send back a response. There is no conversational state between client and server.
So if you need to keep conversational state (example: shopping cart, wizard, etc.), you need to recognize your client (understand which request comes from which client). This is what the session is used for.

Volley string request - some won't be sent

I'm developing an app heavily based on HTTP GET requests to retrieve users' data and choices, so I've decided to use Volley.
I've created a common RequestQueue for the whole application, and when I need a request I add a StringRequest to that queue.
My problem is that some requests will be sent but others will not. I think that I've reached a maximum number of requests or something similar, because the StringRequest's URL is correct and, writing it in my browser's URL bar, I get the data I want.
How can I solve this situation?

Is it safe to set an anti-CSRF token on $http for Ajax requests?

It seems creating and handling anti-CSRF tokens for Ajax calls in an Angular application is non-trivial and some are getting around the problem by applying a single token to every Ajax call. For example here.
The solution is quite neat. We just generate the token on the server and send it along with the first loaded page after sign-in. Then we ensure it goes out with all future requests like this:
$http.defaults.headers.common['RequestVerificationToken'] = 'token should go here';
But I am concerned this may simplify the job of an attacker. They need only get hold of $http in order to make any valid request. Is this the case? Is this method safe? Is there a 'best practice' regarding Ajax requests and CSRF?
Angular automatically does this for you.
Read the Cross Site Request Forgery (XSRF) Protection section of the docs.
I also suggest you read up on CSRF and what it is: if a malicious script is already in your page, it does not need to make cross-site requests to pose as the victim.

Spring sessionid in request body xml instead of JSESSIONID cookie

Most of my Spring application uses regular spring security. However, there is a (non-negotiable) requirement for certain pages to be accessed by an embedded system that communicates exclusively via XML inside a POST body. That is to say, it's not capable of passing 'JSESSIONID=xxx' or receiving cookies, but instead it expects to receive a sessionid via xml on login, which it then repeats back in future requests.
So, on login (I've simplified here), it sends
<username>user</username><password>password</password>
in a post body to http://example.com/xml_login and expects
<sessionid>xxxxxx</sessionid>
in response. Then all subsequent requests will repeat back the <sessionid> tag's contents as part of their body.
Any ideas how to go about getting spring security to use this?
My first attempt was to try writing a filter to extract the sessionid and crowbar a JSESSION= into the body, but it turned out to be too late (by the time I had a request object to get the body from, spring security had already established the session, and I can't see any way of doing anything like 'request.setSession(id)'). The only other thing I can think of is to write my own session handling outside of spring security, but it'd be nice if I didn't have to do that.
thanks

Do I understand Ajax correctly?

I've been reading up on Ajax and would like to see from the Stack Overflow community if I'm understanding everything correctly.
So the normal client/server interaction is: a user pulls up a web browser, types in a URL, and an HTTP request is sent to the server requesting the page and resources (CSS, pics) from the web server. The web server responds to the client via HTTP with the page/resources requested, and the browser renders the HTML/JavaScript for the user to view the page.
1) So would it be safe to say that the XMLHttpRequest (XHR) object is doing the same process as the browser, except you're not requesting HTML from the server, you're requesting text in some type of format?
2) Is it true that an XHR object is much like a regular object that can be manipulated by the program creating the object (like a normal object), but also sends and receives data with another program (web server) via HTTP?
3) So in my mind, when an XHR is created it is loaded into memory and we set up some of the object's arguments when we do the request.open("GET", url, true). Once we do a request.send(null) the object basically attempts to "GET" the URL via HTTP, and once we get the data back from the server it is put in the responseText attribute. Am I understanding this correctly?
4) Also, synchronous vs asynchronous. When I think of synchronous I think of steps having to be followed in order. For example, I push a button, data gets sent to the server, and I have to wait for data to come back before I can do anything else. With asynchronous connections I would push a button, data gets sent to the server, and I do whatever I want while data gets sent back. Is this a good analogy?
1) Nope. The XMLHttpRequest object does exactly what its name implies -- it initiates an HTTP request. This request can be in XML, or HTML, or PHP. At the end of the day, the browser doesn't care, because in an AJAX request, it doesn't parse the request -- you have to do it yourself. So it doesn't automatically render the HTML from an AJAX request.
2) I'm not sure about manipulation (the XHR object may be immutable) but possibly. Would you ever need to extend it or manipulate it?
Yes, you can change properties of the object and so on. I apologize. I didn't understand you at first :)
3) Yep.
4) That's a great analogy. It's exactly what happens. Another analogy is a 4 lane highway is to asynchronous as a one-way street is to synchronous. If one car breaks down on the 4 lane highway, the rest can keep moving at their normal speed -- but if one breaks down on the one-way road, everything freezes. :)
Here I leave you a good graphic to see clearly the behavior differences between the synchronous and asynchronous application models:
(source: adaptivepath.com)
It would appear that you have a good grasp of how AJAX works. I can't see much to disagree with in your summary of the plumbing of an AJAX application.
I would say, however, that with the XMLHttpRequest object you aren't restricted to GET. You can also use POST and other HTTP verbs.
With async calls you register a callback function, the XMLHttpRequest object calls your method when the async request completes.
Seems ok to me.
Your first point, though, is not entirely correct: you can request HTML from the server using Ajax; it doesn't have to be text, JSON or XML like most examples show.