As long as I know the duration of the default session is 30 mins and I
wanna change this for my specific flow that I created using Spring
Webflow? My question is How can i achieve this?
I have researched and found some interesting articles and solutions but none of them seems to work for me and also their solution not straightforward
To change a single request's session we should set HttpSession's setMaxInactiveInterval right? So if it is, How and Where I should set it? IN SPRING WEBFLOW?
HttpSession session = request.getSession();
session.setMaxInactiveInterval(10*60);
To get to the raw HttpSession in Web Flow, you need to use the ExternalContext. Like this:
((HttpServletRequest)
RequestContextHolder.getRequestContext().getExternalContext()
.getNativeRequest())
.getSession())
https://docs.spring.io/spring-webflow/docs/current/api/org/springframework/webflow/context/ExternalContext.html#getNativeRequest--
Related
You can either set the session timeout (say 60 minutes) for all sessions in web.xml:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
or on a per-session basis using
session.setMaxInactiveInterval(60*60);
the latter you might want to do in a authorizationSuccessHandler.
<form-login authentication-success-handler-ref="authenticationSuccessHandler"/>
My questions:
Are the two approaches mentioned above same ?
If not, how to set inactive timeout as described in second approach
via Spring Configuration XML?
What is the ideal approach to set set session timeout in spring
framework?
Are the two approaches mentioned above same ?
Yes, only difference is in former case session timeout is set by servlet container e.g tomcat and in later case its done by Spring.
If not, how to set inactive timeout as described in second approach
via Spring Configuration XML?
You have to write custom filter to set session timeout, as far as my knowledge goes there nothing where you can set session time out in Spring XML
What is the ideal approach to set set session timeout in spring
framework?
Let the session timeout handle by container like one you define in web.xml, if you are changing session time a lot in running app, then you can consider Spring managed session timeout by using interceptor.
Can these properties used to disable the session mechanism completely?
server.session.persistent=false
server.session.timeout=0
If not, how to do this?
had success with setting it to an empty set: server.servlet.session.tracking-modes=
#see https://docs.spring.io/spring-boot/docs/2.2.0.RELEASE/reference/htmlsingle/#server-properties
#see https://docs.spring.io/spring-boot/2.2.0.RELEASE/current/api/org/springframework/boot/web/servlet/server/Session.html#setTrackingModes-java.util.Set-
try type in application.properties:
spring.session.store-type=none
...to disable spring session
See: https://docs.spring.io/spring-boot/docs/2.2.0.RELEASE/reference/htmlsingle/#boot-features-session
A couple of notes for posterity:
Persistent sessions are sessions that survive server restarts, thus, when you enable that, Spring will serialize and store your session somewhere to load it later.
For a complete discussion on how to reliably disable sessions, please see this post: Can I turn off the HttpSession in web.xml?
Some one please me to find out the spring mvc examples,
Because usually, once we log in into the application we will create a session and put some objects into session . we will access later point of time , request scope as well. but spring MVC3 is difficult to understand even documentation also confusing, but every one giving example is basic examples only.
You can access these objects in a JSP/JSTL:
applicationScope
cookie
header
headerValues
initParam
pageContext
pageScope
param
paramValues
requestScope
sessionScope
As well as any request attributes that you add, including model attributes (who's default name is command).
More info here: http://www.informit.com/articles/article.aspx?p=30946&seqNum=7
If you want to access HttpRequest, HttpResponse, HttpSession, add them as arguments to a Spring Controller Handler Method . Spring will pass them in for you.
I am new with spring ,I have a doubt about spring session management and spring security session ,whether both concept are same or different ? If different what are that ? Any suggestion ?
May you be a little bit more specific in your question?
In Spring:
session can refer to one of the scopes that a bean belongs to. For example, if you define an instance (bean) of a class a org.something.Counter with scope session, whenever you will access that bean during a web session you will have the same instance of the object. Web session does not require Spring Security in order to exists. You can start from here to understand a little bit more about the session scope in Spring.
session may refer to HttpSession as speciffied by the Servlet API. This is not really related to Spring, even if you can use the standard HttpSession from within Spring, is more in general related to the Servlet API.
In Spring Security:
If you are talking of Spring Security, instead of session I would talk of SecurityContext. The SecurityContext is actually stored as an HttpSession and restored to the SecurityContextHolder at every request. Here is were all security-related infos are stored for the current session. See here for more details. In general a SecurityContext (at least at a very basic level) exists from the moment you login to the moment you logout. Because it is stored as an HttpSession it expires when the HttpSession expires (again, see the Servlet API specifications for more details)
Luca
I have difficult understand the proper usage of #SessionAttribute annotation.
I wonder does the #SessionAttribute is used to store user authentication object or use to store the form object that exist within the session only.
I want to check whether a use has been login before invoke the handler.
I really confuse between these three class object.
Session scope bean
#SessionAttribute
HttpSession
Please give a proper example of #SessionAttribute usage and pron/cons of each of this
Thanks.
#SessionAttribute is for temporarily storing model objects in the session. Examples include storing a set of search criteria or storing data for a multi-page wizard.
If you're after checking for authentication status, while in theory you could probably hack something together with #SessionAttribute, you're much better off using Spring Security. There are many other authentication and authorization concerns that you aren't addressing if you don't have a security solution in place.