Will the Freemarker Template support user session similar to JSP?
Can we read and write to user session?
Freemarker itself doesn't care about things like sessions, HTTP requests and the like. It just receives a bunch of objects via the data-model, and then it can access those. So it's up to the web application framework what the templates can do. Modifying a session in an MVC template really smells though. That's the duty of the MVC Controller.
However, if you are using FreemarkerServlet, that creates a data-model that exposes the variables from the request, session and application scopes, and also provides Request, Session, Application variables to read the specific scopes. Though FreemarkerServlet is really just an adapter for legacy or JSP-only apps, otherwise I would avoid it.
Related
The common tasks of web application framework(ex: Django or Laravel or .NET or beego):
request / response abstraction
session state
user authentication & authorisation
page templating
URL mapping
DB access
security
caching
MVC design pattern implement above common tasks, as shown below:
URL mapping is handled by Controller component of MVC. Controller routes requests to handlers. Ex: http.ServeMux is the controller from GOLang package
request / response abstraction is performed by Controller by registering the handlers, written by web developer, as shown below:
sm := http.NewServeMux() // in GoLang
sm.Handle("/", productHandler)
session state is handled by the handler code written by web developer
Page templating is handled by templating engine(view component) of MVC
user authentication & authorisation is handled by the handler code written by web developer
DB access is handled by model component of MVC.
security and caching is handled by handler code written by web developer
Is this the right understanding on MVC design pattern to implement common tasks of web application framework?
There are many definitions of the MVC pattern. It was evolving over time and it was used differently in different frameworks and contexts.
When it was invented, there was no HTTP protocol and the request/response part wasn't present. There were some other ways in which the user request was handled. With time, new template engines were invented and HTTP becomes dominant protocol on the web.
MVC is considered to be a pure presentation pattern since it mainly orchestrates views and model(whatever model is representing). Also, one of the main reasons why MVC is invented is separation of concern. It is important to keep it clean, short and to let other layers take care of logic.
The common task of the web application framework is to serve as IoC container (Inversion of control) and let its component worry about specific responsibilities. So if it is a web framework, it will probably have session, cookie, MVC... components.
Controller methods are just an implementation of HTTP interface. URL Mapping can be considered as an argument to controller method.
Request/response are handled by web component (servlet in Java)
Session state is handled by session component and can be configured by developer e.g. session expire time or session cookie type or even session type (database, in memory)
Correct
Usually, there is a proven auth component in the framework, but it can be written manually (not recommended)
DB access is handled by a persistence layer like JDBC in Java. Model in MVC is responsible for data that should be presented on the screen or submitted by the user.
Same as 5
I understand that a HTTP session is the idea to associate a state of a web application for different users which is done outside the protocol in software as HTTP is stateless.
I didn't notice before today that some articles and manuals in the Spring universe are talking about a web session as well. They make a connection to reactive webapps and streams, however I don't find anything on https://www.reactive-streams.org/ and the reactive manifesto and am thus uncertain that it's a reactive thing.
Since it's differentiated it has to be a thing, but is it a concrete technical concept or just another word for HTTP session? Does it exist outside of the Spring universe?
HttpSession comes from the Java EE servlet specification and is defined as:
[...] a way to identify a user across more than one page request or visit to a Web site and to store information about that user.
A WebSession is essentially the same thing but is used in the context of the Spring WebFlux which provides reactive programming support for web applications.
Note also the existence of the Spring Session project providing transparent integration with these different kind of sessions.
I have a single grails (3.3.5) web server, and I am interested in improving the availability and I'd like to add another server and put a load balancer in front of it.
Rather than share sessions between servers, or use sticky sessions, i'd like to know if there is a good way to have a session-less front-end server. I don't use sessions for anything other than using spring-security to validate the session token that it is using to identify the user.
I'd like to find a token based authentication system suitable for the front-end such that the token is safe and sufficient for identifying the current user.
I've seen the grails-spring-security-rest plugin which looks promising, but it seems like everyone is using it for back-end rest api calls. Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
If you don't use the session objects in your controller then tomcat will not create any sessions for you.
Also you can define your controllers to be
static singleton = true
then they will be instantiated not on per-request basis.
Now, if you still want to use sessions, you can use something like Cookie Sessions and keep your data inside the cookies instead of tomcat's memory.
I haven't used the grails-spring-security-rest, but you should be able to tweak spring-security-core to be session-less. You should set scr.allowSessionCreation to false and use remember-me.
Since Grails is built on Spring Boot, you can access all the features of Spring Session (https://docs.spring.io/spring-session/docs/2.0.x/reference/html5/), which includes the ability to share session data between server instances with some data store instead of keeping it in memory.
In those docs you'll find this pointer to a guide with a Grails 3.1 example that uses Redis as the store. https://github.com/spring-projects/spring-session/tree/2.0.3.RELEASE/samples/misc/grails3
Is it also suitable for front-end authentication when you aren't storing application data in the webapp session?
Yes, you can use JWT tokens in your front-end. You need to properly configure the security filters of your controllers so that they are not using cookie for authentication but they are looking for JWT.
See : http://alvarosanchez.github.io/grails-spring-security-rest/latest/docs/#_plugin_configuration for configuration of endpoints that should validate JWT tokens.
Have a look at https://github.com/hantsy/angularjs-grails-sample/wiki/3-basic-auth for a stateless example with Angular.
SETUP
At present I have a controller heavy spring MVC application. Its components are heavily guarded with spring security. Most of the datamodel fetching, form binding etc... is done within controllers.
I however see great value addition in using spring web flow.
However I would like to use web flow in a specific way.
First of all I would like the web flow to be like traffic police directing web requests to appropriate controllers inside every state (Along with form binding objects, request, session params etc...).
I would like the controller to ultimately determine direction of web flow like successful login or goto registration page. However it is web flow that will consume the decision and facilitate the transition to the next state.
This next state will in turn leverage mvc by invoking appropriate controllers.
This way spring web flow is just like a facilitator and does not contain too much decision making logic & business logic invocation calls.
This is important for me since controllers can get heavy with respect to services it invokes and can potentially invoke them in a multi-threaded approach. All this cannot be done in spring web flow definitions
QUESTION
My question is very simple and basic. Is Spring Web Flow designed to perform like this on top of Spring MVC?
Is it possible to designate just this traffic regulation and state flow functionality to web flow while preserving most of the control and service invocation logic inside the controller?
--Am I understanding anything wrong here? I want to get these questions cleared before
embarking along this path.
This may be a little late for you, but I'm not sure webflow will give you exactly what you want to achieve. You want a router, and that's not really what webflow was designed for. Webflow is used more for multi-page form type flows, and using it for much more risks running into the limitations of the framework. Webflow cannot be used to intercept all web requests -- only those initiated through the flow mechanism, and it has very strong opinions on what state transition is (for example, form/bean validation is the default, although it can be overridden if required).
It's not that it can't be used as a router, it's just that it's not designed for this so you're likely to find impedance from its form based design goals.
I have the following scenario in my application.
There are multiple controllers and views. There is no login/logout functionality and no traditional username/password stuff. The application does some logic on incoming requests directly (no authentication/authorization).
As the user goes through controllers and views, I need to persist the user specific data at some place. This is needed as I need to refer to this until the user is completely out of the application. Basically I need to persist user data without any authentication/authorization functionality.
Shall I go for the traditional HttpSession or Spring's #SessionAttribute to store the required details? Or is there any other better way to do this?
Thanks in advance!