Session not available for first request to an external webpage

From my JSF page, I am redirecting to an external URL (another server) through a POST request using this: JSF commandButton - passing POST params to an external site.
The external URL is a JSF webpage of another JSF webapp being called for the first time. At the receiving end, inside the request filter's doFilter() method, I see that the session is invalid for the incoming request. Is it because the request is coming from a different server and is bound to an old session id which is not in the scope of the current server? I do need a valid session at this point. Do I need to recreate the session? Or why is JSF not creating a session automatically on the first request to this web page on the second server? Is it because the first request is a POST instead of a GET on the second server's web page?
I would also like to add that this problem happens only for the first request on the second server.

Related

Scraping a website made with ICEfaces (session expired on consecutive ajax POST requests)

I'm trying to scrape a website created with the ICEfaces web framework via a node.js script. I've managed to handle the login just fine, and then get some data from the main page (namely ice.session and ice.view, along with the JSESSIONID cookie returned by the login response).
The problem I've run into is when I try to do an AJAX POST request to the /block/ URLs. If I do the request by itself, it returns some data (just not the data I need), but if I do it after any other request, I get <session-expired/> as a result. It doesn't even matter which of the ICEfaces /block/ URLs I send the request to (I've tried with /send-receive-updates, /dispose-views, and even /ping). I've even tried the same request twice in a row just for kicks, and I always get a <session-expired/> response in return on the second one. I've monitored the requests when I browse the page with Chrome, and as far as I know I'm sending all the correct form data (as well as the correct headers). The page works just fine when I load it in the browser, so there must be something I'm not doing right.
Apparently, the order in which you do the requests matters in ICEfaces (i.e. it's not stateless, which kind of makes sense I guess). I just moved the requests around and finally got the response I desired.
IceWindow, IceView and ViewState need to be passed as parameters whenever you do an AJAX submit.
The managed bean takes the previous instance of the current view using the ViewState value.

Spring MVC: Reject request coming from other domain/web pages

I have a Spring web application. I have some GET and POST request mappers in a Spring controller. How can I restrict my application to accept requests made from my site's pages only?
I.e. if it gets a request to /insert from example.com pages it should accept it, but if it gets any request from anywhere other than www.example.com it should reject it. E.g. any request from www.xyz.com or localhost:8084 should be rejected.
I want to restrict anyone from making GET or POST requests to my app unless they come from a page on my own domain.
You can make use of org.springframework.web.servlet.HandlerInterceptor. Implement the logic to check the domain of request in preHandle method via getRequestURL API.
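A sketch of such an interceptor, added here as an illustration and not taken from the original answer. It assumes Spring 5.x with the javax.servlet API (on Spring 6 the imports are jakarta.servlet), and the class name, the allow-list and the https scheme are assumptions built on the question's example.com:

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

// Added example (hypothetical class): accepts only requests issued by the site's own pages.
public class OwnSiteOnlyInterceptor implements HandlerInterceptor {

    // Assumption: the site's own origins, based on the question's example.com.
    private static final Set<String> ALLOWED = Set.of(
            "https://example.com", "https://www.example.com");

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res,
                             Object handler) throws Exception {
        // getRequestURL() is the URL being requested on this server; the page
        // that issued the request is named by the Origin or Referer header.
        String source = req.getHeader("Origin");
        if (source == null) {
            source = req.getHeader("Referer");
        }
        // A request carrying neither header, or "Origin: null", is rejected too.
        if (source != null && ALLOWED.contains(originOf(source))) {
            return true;
        }
        res.sendError(HttpServletResponse.SC_FORBIDDEN, "Cross-site request rejected");
        return false;
    }

    // Reduces a header value to scheme://host[:port]; returns "" if it cannot be parsed.
    static String originOf(String value) {
        try {
            URI u = URI.create(value);
            if (u.getScheme() == null || u.getHost() == null) {
                return "";
            }
            String origin = u.getScheme().toLowerCase(Locale.ROOT)
                    + "://" + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? origin : origin + ":" + u.getPort();
        } catch (IllegalArgumentException e) {
            return "";
        }
    }
}
```

Browsers set Origin and Referer themselves, so this stops pages on other sites from driving a visitor's browser into the application; a non-browser client can send any header value, so it does not replace authentication.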

Redirect AJAX request to another page/View using server Transfer ASP.Net MVC

Is there a way that a MVC Action, initiated by an AJAX request, can redirect the response directly to another page/View without sending a JavaScript “window.location=…” to the client first? In other words, directly transferring the response on the server side and avoiding the roundtrip to the client.
This is a more general question about the possibility to transfer directly an AJAX call, but here is a more specific scenario:
The browser sends an AJAX request to the server and based on the request data the controller's logic performs some operations.
For the majority of the cases, the controller needs to return a result (JSON) to the same page. However, for a few cases it needs to redirect to another page and it returns a script to redirect the page, but this causes another roundtrip to the browser. The flow is: Page – Server – Page – Server – New Page, and the question is whether this can be optimized to Page – Server – New Page.
This isn't really possible, no.
The browser has two options to choose between:
Go to a page
Make an AJAX call to a page
It can't make an AJAX call and automatically redirect based on what the server decides because the client (browser) doesn't know what the server has decided on before the response is even received by the browser.
The traditional approach (which you're avoiding) is:
The browser makes an asynchronous request to the server
The server responds with data informing the client to redirect
The client makes a new request to the server via window.location
The server responds with the new page
However you want to skip a step by doing:
The browser makes an asynchronous request to the server
The client makes a new request to the server via window.location
The server responds with the new page
But the client doesn't know that it needs to redirect and/or it doesn't know how to.
One (ugly) possibility
One idea that comes to mind to pseudo-achieve what you want is to have MVC render the required view and send the whole thing back to the client via JSON rather than a redirection approach. Let me explain.
The browser makes an asynchronous request to the server
The server determines which page needs to be displayed and renders the view (Generating a view without a controller in MVC)
The server serialises the resulting HTML as JSON
The client receives the JSON, and re-renders the entire page with the new markup (i.e. completely replace)
You can also alter the URL and history of the browser to make it "feel" like a redirect by manipulating the browser history.
However I would like to point out that this "solution" is more of an amusing/interesting approach. This isn't really a good way to go about the problem.

Request and session in Servlet

I have a very simple question about request and session in web. When I requested the same page multiple times from the same browser with different tabs or through a new window, the session ID and session creation time were the same.
This I have done from Internet Explorer. But when I use a different browser like Google Chrome and access the same page, a different session ID and session creation time are there. As far as my understanding goes, an HTTP request is stateless.
So, in my case it does not seem to be stateless within the same browser, as for different HTTP requests a new thread is created by creating a new servlet by the container. So I have come to the following conclusion:
If a request is sent from the same browser with different tabs opened or through another new window at that time, the request always uses the same thread for servlet operation with the same session ID. If the request is sent from a different browser then a new HTTP request is sent with a new session ID. So, my question is: when is it stateless? If the requests are sent concurrently from different browsers? If I declare scope="request"> and scope="session"> in Spring, does it also follow the same case? If I am wrong in my understanding please correct me.
Spring
scope="request"
Creates new instance of bean per request.
scope="session"
Creates new instance of bean per session and maintains the instance of the bean throughout the session life-cycle.
Refer this for better understanding
Irrespective of browsers, Http protocol is stateless. State-fullness is implemented via cookies and session.
When a request is sent from the browser, the server creates a session and sends back a unique id to the client. And the client uses this id (cookie) in subsequent requests so that the server can identify the request and associate it with the session.
As far as requests are concerned, server creates separate thread to handle each request irrespective of window, tab or browser. However there will be only one session created per browser.
Note: Latest browsers share the session, and a request made from a tab or new window will use the same session. E.g. the latest IE releases IE7, IE8 and IE9 are well known as Loosely-Coupled IE (LCIE). Check this for more details: LCIE
When your server application starts a new session, the servlet container sends a Set-Cookie header with a JSESSIONID back to the browser. The browser saves that cookie, and sends it back to the server with each request regardless of what tab you are making the request from. Obviously other browsers don't have access to that cookie, so they will receive another one from the server.
When your server receives a request with a JSESSIONID cookie, it can correlate that request with requests with the same id made earlier. The servlet container is able to associate different attributes with that id, and persist these attributes between requests. The HTTP session object is basically a container for these attributes, to which your server application has read/write access. Basically this is how statefulness is implemented with HTTP sessions on top of the otherwise stateless HTTP protocol.
As for the threads: each request can be processed by any random thread, because the session data is not bound to a particular thread. It is the servlet container that maintains the mapping from session id to the session object containing the different attributes. Consequently any random thread can access the session object belonging to the current request based on its session id.
In Spring, request scope means that a bean instance gets newly created for each request, while the lifecycle of the session scoped beans is bound to that of the http session.
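The session lookup described in these answers, and the doFilter() situation from the first question on this page, as an added example that is not part of any of the original posts. It assumes the javax.servlet API; the filter name, the State enum and the "entryState" attribute are hypothetical:

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical filter): reports why a request has no usable
// session and creates one before the rest of the chain runs.
public class SessionStateFilter implements Filter {

    private static final Logger LOG = Logger.getLogger("session-state");

    enum State { NO_ID_SENT, STALE_OR_FOREIGN_ID, ACTIVE }

    // NO_ID_SENT: the client sent no session id for this host (first visit).
    // STALE_OR_FOREIGN_ID: an id was sent, but this container has no such session.
    static State classify(HttpServletRequest req) {
        if (req.getRequestedSessionId() == null) {
            return State.NO_ID_SENT;
        }
        return req.isRequestedSessionIdValid() ? State.ACTIVE : State.STALE_OR_FOREIGN_ID;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        State state = classify(req);
        // getSession(false) never creates: it returns null unless a session exists.
        HttpSession session = req.getSession(false);
        if (session == null) {
            // getSession(true) makes the container create a session and answer
            // with Set-Cookie: JSESSIONID=..., for GET and POST alike.
            session = req.getSession(true);
            session.setAttribute("entryState", state.name());
        }
        LOG.info(req.getMethod() + " " + req.getRequestURI() + " state=" + state
                + " newSession=" + session.isNew());
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```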

Ajax Status/Response Data from Primefaces

We are using Primefaces 2.x and Mojarra. We are trying to handle one particular case where you log into our site and then delete all of the cookies. Then click on a menu option. What we would like to have happen is for the user to be redirected to our login screen. The problem is that we are not using the "url" attribute, so Primefaces does a partial-page ajax call. Which returns an empty response.
At this point, without a Session Id there is no session. So, on the server we are in the midst of an Ajax call without a session. If I try and do a sendRedirect it sends a 302 to the browser, but either Primefaces or the browser is ignoring it because it is part of an Ajax call.
So, what I would like to do is to put a listener on the Ajax response and look for a 302 or a change in the location. However, I can't find a way to use the jsf.ajax.addOnEvent. It seems that Primefaces is not using the standard JSF Ajax calls. I looked at the AjaxStatus but all it gives me is events, no DATA and no access to the data.
I thought I could look for the JSESSIONID cookie, which the user has deleted, but when I use Javascript to print the cookies, the session id isn't printed.
So, I don't seem to be able to do a response.sendRedirect in a Session Filter because I am in the midst of an Ajax call. And I can't detect on the client that I need to redirect the user, which I could do if I knew it was required. And I can't seem to get any info out of Primefaces Ajax response.
By menu you mean the p:menuItem component, right? Assuming you're using the action attribute to call a method in your managed, try using the attribute ajax="false". I use that and it works well for me.
