Change session ID in Struts2 action [duplicate] - session

In my Struts application, once a user logs in I need to invalidate the current session and create a new session. I invalidate the session with
getHttpServletRequest().getSession().invalidate();
And I create a new session as
getHttpServletRequest().getSession(true);
The problem is that after the above, when I try to access getSession(), it gives the state invalid exception: HttpSession is invalid.
getSession() returns a map; my action class implements SessionAware, which has setSession(Map session).
EDIT: Below is the exception
Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: HttpSession is invalid
java.lang.IllegalStateException: HttpSession is invalid
So I assume the problem is that the Struts getSession() still references the session which I've invalidated.
How can I make the Struts getSession() reference the new session which I've created?

If you want to access the Struts session after you have invalidated the servlet session, you should update or renew the Struts session. For example:
SessionMap session = (SessionMap) ActionContext.getContext().getSession();
//invalidate
session.invalidate();
//renew servlet session
session.put("renewServletSession", null);
session.remove("renewServletSession");
//populate the struts session
session.entrySet();
Now the Struts session is ready to use the new servlet session, and you are ready to reuse the Struts session.
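For the session-ID rotation at login that this question is after, the following is an added example (not from the original posts and not Struts2 code) of two servlet-level ways to do it. The class `SessionRenewal` and its method names are hypothetical; `rotateId` assumes a Servlet 3.1+ container and the `javax.servlet` API on the classpath.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper (not part of Struts2): rotates the session ID at login. */
public final class SessionRenewal {

    private SessionRenewal() {}

    /**
     * Servlet 3.1+: issue a new ID but keep the same HttpSession object, so
     * wrappers that cached the session (such as Struts2's SessionMap) stay valid.
     */
    public static String rotateId(HttpServletRequest request) {
        request.getSession(true);          // changeSessionId() requires an existing session
        return request.changeSessionId();  // returns the new ID; the session object is unchanged
    }

    /**
     * Older containers: copy attributes, invalidate, create a fresh session.
     * Must run before the response is committed, otherwise getSession(true)
     * throws IllegalStateException.
     */
    public static HttpSession renew(HttpServletRequest request) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();              // unbinds attributes and retires the old ID
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }
}
```

Copying every attribute carries pre-login state into the authenticated session, so in practice copy only the attributes that are needed. After `renew` in a Struts2 action, the SessionMap still has to be refreshed as shown in the answer above.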

Related

Spring SessionAttributes or httpsession

In my Spring MVC project I have a JSP page, a registration page, in which there is a form. In this form the user inserts his data (name, surname and so on). I created a bean User and I bound the form to this bean. But now I have a problem. How can I put the user object into a session in a method of a controller?
Can I use @SessionAttributes, HttpSession, or set the scope of the bean to session? How can I solve it? Sorry for my English. Thanks
You can use HttpSession; you just need to set your user object in your session and you can access it anywhere in the system.
Refer to this HttpSession documentation for setting a session value.

How to access hibernate session in Thread?

As Hibernate sessions are not thread-safe, I am not able to get the current Hibernate session through sessionFactory.getCurrentSession();
If I choose sessionFactory.openSession(); it works fine for the thread itself, but for nested classes [called from the thread] it won't allow me to access the same newly opened session [throws "No Session found for current thread" exception].
I am using Spring 3.1.1 and Hibernate 4.1.3
Is there any way to get the current session in thread?
Or is there any way to access newly opened session to nested classes which are called from the thread?
As you are using Spring and Hibernate, you will get the current session using sessionFactory.getCurrentSession(); if you are using it in a transaction. Otherwise you will get an exception with the message: No Session found for current thread.
e.g.:
void someDBOperation() {
    Session session = sessionFactory.getCurrentSession(); // if not in transaction, exception : No Session found for current thread
    // some code
}
@Transactional // use either annotated approach or xml approach for transaction
void someDBOperation() {
    Session session = sessionFactory.getCurrentSession(); // you will get session here
    // some code
}

Security SessionFixationProtectionStrategy interfering with session scoped beans

I'm using Spring 3.1.1.Release, Security 3.1.0.Release.
I've added login/logout to my web app, however a session scoped bean is not functioning the way it was. The bean is used to connect to a CMS called CMSConnector.
To authenticate users, I implemented an AuthenticationProvider, and in the authenticate() call, I get the session-scoped CMSConnector and call the CMSConnector.login(). If the CMS login fails, it fails the login.
THE PROBLEM -
If the login is successful, the @PreDestroy logout() is called immediately after the successful login. I then found it was the SessionFixationProtectionStrategy invalidating the previous session and assigning a new session.
session.invalidate();
session = request.getSession(true); // we now have a new session
The invalidate() is calling the @PreDestroy method on the session-scoped bean.
So I have temporarily removed the @PreDestroy annotation, leaving the connection not closed. (VERY BAD PRACTICE.)
What is a work around to resolve the issue?
I tried to create a @PostConstruct and put the login process there, but the @PostConstruct doesn't get called when request.getSession(true) is called.
Thanks!
Jason
I think it's not the SessionFixationProtectionStrategy but the ConcurrentSessionControlStrategy.
Set max-sessions="-1" for this code snippet
I did not solve my original question, but I implemented a workaround: expire the session in the session expire object instead of attaching it with @PreDestroy.

Creating a session cookie inside a controller

I'm new to Tomcat, servlets and Spring Web. I'm coming from a PHP background so I'm a little disoriented to say the least. I want a controller to create a session cookie for me.
I've been told that I can get the session like this in a standard servlet:
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
// Somewhere inside the method...
HttpSession session = request.getSession(true);
// Set a cookie
session.setAttribute("hello", "world");
// More stuff...
}
How does this translate into the Spring Web MVC way of doing things? Can I create session cookies inside a controller?
What you are doing in your example has nothing to do with cookies.
session.setAttribute("key", valueObject);
Sets a Java object in the session. The session is kept at the server. The session id is the only thing communicated back to the client. It can be a cookie or it can be in the URL. The attributes in the session are not serialized to strings.
Cookies, on the other hand, are strings that are sent back to the client. It is the client's responsibility to store their cookies (and some people turn them off) and return them to the server.
Setting a cookie value from a complex object-graph will require serialization and deserialization. A session attribute will not.
If you want to read a cookie, use this:
@CookieValue("key") String cookie
In the controller parameter list. The cookie variable will be populated with the value from the cookie named "key".
To set a cookie, call:
response.addCookie(cookie);
In Java Servlets (and Spring MVC in particular) you don't interact with the session cookie directly; actually, a properly written servlet-based application should work without cookies enabled, automatically falling back to a URL-based session id.
The way you provided is correct, although Spring is giving you much better (higher level) approaches like session-scoped beans. This way you never interact with the session itself.
You can get access to the HttpSession object by including it as a parameter in your controller's method(s):
public String get(Long id, HttpSession session) {
}
Spring will inject the current HttpSession object for you, and from there you can set attributes (like you did in your question).

Is it possible to configure a Spring session scoped bean with attributes from the session?

I'm trying to create a service bean that when referenced will be initialized with HttpSession based attributes.
Let's say for sake of argument that my webapp would do the following:
Establish a session
Request login & password
When service is requested (it is scope="session" and has init-method="init()") a new instance is created for the session.
In the init method, can I reference the HttpSession either through passing it in as a parameter or referencing it by EL?
Any ideas on this would be appreciated.
You can access a thread-bound HttpSession as follows:
HttpSession session =
(HttpSession) RequestContextHolder.getRequestAttributes()
.resolveReference(RequestAttributes.REFERENCE_SESSION);
