I'm building several Portlets to deploy on a WebSphere Portal Server, and each Portlet is deployed in it's own WAR. Now, I'm needing to track every Portlet a user visits while it's logged on the Portal. I was trying to get the Session Identifier from a Portlet using this:
HttpServletRequest servletRequest = PortletUtils.getHttpServletRequest(request);
String sessionId = servletRequest.getSession().getId();
But after I logged in, I'm getting different sessionId values from every Portlet/WAR I visited. I guess that makes sense since there's one Session Scope per WAR.
So, how do I get an identifier for the Portal Session (not the Portlet one)? I'm seeing that JSESSIONID cookie is the same in every HTTP Request, but I'm not sure if that's exposed through Servlet or Portlet API.
Users that are not logged into the portal don't have a session like that. You can have Portal keep track of session information for anonymous users by enabling public sessions.
http://www-10.lotus.com/ldd/portalwiki.nsf/xpDocViewer.xsp?lookupName=IBM+WebSphere+Portal+7+Product+Documentation#action=openDocument&res_title=Portal_configuration_services_wp7&content=pdcontent
Look under navigator service for the property to change.
Also, I think this might be more easily accomplished in the theme or a portlet filter. You should still be able to get access to the Portal session in either of these places but you won't need to include code in every portlet.
Here's a link for creating a global portlet filter.
http://wpcertification.blogspot.com/2010/11/applying-global-filter-to-all-portlets.html
UPDATE: Like any big framework there are lots of options. I'll offer a brain dump of what I can think of / find. You may have to experiment and see which method you prefer.
The JSESSIONID cookie should be same for a user throughout the whole session. If the session expires they'll get a new JSESSIONID cookie. Using this you'll be able to track a user through a single session but possibly not across multiple sessions.
You could consider using getUserPrinipal() or getRemoteUser() off of the PortletRequest object. I haven't used those method in a while so you'll have to see what info comes out of them.
There is also request.getAttribute(PortletRequest.USER_INFO). You'll have to do some config in the portlet.xml to make certain attributes available in the Map that returns. There is an example here. We're using ibm-primaryEmail instead of the first and last name like the example on my current project.
Lastly you could look into using the PUMA API thats built into Portal. It'll will be a bit heavier on the coding and is obviously more container specific but should be able to do just about any job you need related to users.
Related
I have two different struts2 Applications, tried implementing SessionAware but still other application is not able to use the session variables set by first application.
If I am doing something wrong or is it not possible the way I am doing. Thanks
application, request, session and page scoped objects are only specific to one application.
Session variable is not the solution for your problem.
Let your Single Sign-On Application send those variables to both the applications as custom attributes. Just like the authenticated user name.
Or use a Database table to share the session info.
Note: You will run into race conditions unless app2 access is initiated from app1.
My solution directory has ASP.Net 4 web-forms project, that at present has all the development of my website.
The plan is migrate some of the existing front-end to ASP.Net5/MVC6 web application. And for that to happen, I have added ASP.NET 5 empty web application to the existing solution directory. The reason I have decided to use blank template is so that I can add all the required capabilities myself, and understand the flow better.
Capabilities like MVC, Session, Caching, Logging etc.
I have added MVC capabilities. And to add Session related capabilities I have followed the steps given in the below documentation,
https://docs.asp.net/en/latest/fundamentals/app-state.html#installing-and-configuring-session
After this, I am able to add the access the Session in my controller class. I can put some values in the session and can access it in view to verify Session is operating fine.
Both of my web applications (ASP.Net 4 and ASP.Net 5) would be running side by side, and I want to enable user to navigate back and forth with a single sign on. That effectively means, they to share same session.
And hence, I am looking for a way to access SessionID from the Session, so that I can check whether the value is same for both the websites, however there is no method that gives me SessionID...
Can someone explain why it is so and how to retrieve unique session identity?
I have two applications running on Tomcat, JSF 2 Mojarra 2. Both applications are mapped to the same domain but each to a different pattern within this domain. One application is used as a front page while the other is used to access protected resources (don't ask why not all in one app, it's been design deliberately to separate the apps as two different entities, each responsible for it's own thing). Now the question is: is it possible, and if it is, how to pass the session state between those two separate apps. To illustrate here are some common situations:
A user does something on the main application running the website and then logs in and whatever he/she was up to doing is being taken to the new session after login to the new app.
(This one is slightly more complex I think) The user registers in the first app and is automatically logged in upon successful registration into the other app. The app where yo have to log in is using j_security_check form login (this would be the hard part)
Several ways:
Store the data in DB which and identify it by a long, unique, hard-to-guess autogenerated key which you in turn also store in a domain-wide cookie. This way the both applications can get the data from the DB based on the key found in the cookie.
Expose the ServletContext of the both applications to each other. In Tomcat, it's a matter of adding crossContext="true" to the <Context> element of the webapplication's context.xml. This way you can get the each other's ServletContext by ServletContext#getContext(). Finally put some Map<String, SomeData> in there which is keyed by some ID which is shared between the both applications, for example the logged-in user ID (you should only ensure that the same user can't have more than one session).
Here's the issue at hand: I have developed an ASP.NET MVC3 application using Razor. I have also implemented a custom membership provider and overridden the ValidateUser() method. Within, I query my db and get a lot of user information in addition to the password auth.
At the moment, I am pushing this information, i.e. companyId, to static properties of a class. This works and I can display/use this information throughout my app. The problem arises when a user closes their browser tab. Upon re-opening the app, the user is authenticated via a cookie, so they don't need to re-login; however, those static variables are blown away.
So guys and girls, how would/do you conquer this issue? Should I append the extra info to the session cookie? Or perhaps a better solution?
Use the ProfileProvider in ASP.NET.
For application level variables, they are going to be subject to application pool recycles and similar "simulated" restarts related to users starting all over. These variables should be completely independent of user usage and should be able to be recreated easily. If you have variables that are user dependent or that can't be restored easily without some sort of outside intervention then you will definitely need a different method of storage.
If the data is user specific, storing it in the session cookie is probably the best idea. If the data is user-related but branches multiple users it should be stored in a database or a flat file somewhere. If the data has nothing to do with users specifically then it should just be in a database or configuration file.
I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.
Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.
I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.
Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).
There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".
Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to a application-wide store (database or application context for instance) keyed by the userid.
In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
You could use the Membership.IsOnline property which is based on LastActivityDate:
A user is considered online if the
current date and time minus the
UserIsOnlineTimeWindow property value
is earlier than the LastActivityDate
for the user.