Spring MVC remove session attribute when wizard pages left - spring

I have a wizard based on Spring MVC. To store the user input i have a RegisterCustomerForm object saved in session.
Everything works fine if i finish the wizard by clicking "finish" or "cancel". But if the user leaves the wizard by just clicking on some other link i want to remove the session attribute too. Something like a conversation scope i guess.
Is there any good way to achieve this behaviour?

If you can use Spring 3.1, you may take advantage of RedirectAttributes which is available as of this version. An example that demonstrates how to use the feature.

Related

Spring/GWT :Permission control on UI side

I am writing a simple web page, which shows some widgets based on user permission. If user has EDIT permission, the page renders EDIT widget else EDIT widget doesn't shows up.
What is the best way to achieve this?
I, first called a service to get logged in user's permission and then set visibility: none or block based on the permission. But, I see that user can "inspect element" on browser and set visibility accordingly. However, on server-side, I am using #PreAuthorize annotation on DAO to control the user actions.
How to control visibility of UI widgets without user being able to make changes, maybe from server side?
Update : I am looking for JSTL equivalent in GWT
AFAIK there is no JSTL equivalent for GWT.
However there are some 3rd party (i.e. ArcIS) libraries that make display/hiding UI elements based on user permissions more convenient.
However no matter whether you do it manually or using a library you should make sure that you properly secure your backend side (as far as I can tell you are doing that by using method level security).
One important thing to remember when dealing with client side permissions/security:
You should never trust input/actions from the client/browser, because you are not in control of it. So you must always do security on the backend
In my opinion, it really does not matter if the user could theoratically inspect the edit button for example using Browser Dev Tools and make it visible, as long as the the edit action on the backend is properly secured. If you are really that concerned you can remove the elements (i.e edit button) from the DOM instead of hiding it, but it won't make it more secure.
I, first called a service to get logged in user's permission and then
set visibility: none or block based on the permission.
Well instead of setting the visibility none or block, assuming you are using JSP, use JSTL tag
<c:if test="${if the user has permission}">Show widget UI code</c:if>
If the page has n widgets for which the user doesn't has permission, why would you load the code for all the n widgets. It's non performant.
write a panel that shows it's contents based on security settings in the client code
add the widgets to be controlled inside the security panel
the panel will now control the appearance of the children based on security in your client code
As has been mentioned before, and has been recognized by you, client security is only visibility control and thus not sufficient to protect the app.

Session in MVC 3 for storing text in a textbox

I am new to programming, especially to MVC. I have designed a blog in MVC 3 ASP.NET for a client. The blog also have user account for admin for content management.
Once logged in, Admin can create new post. Sometimes the post can be long text. Therefore, I want to create a session to temporarily save the content within the text box as the user types it in automatically. Once the user click the submit button, the sessions ends and the text will be permanently saved.
This allows the users to leave the post half way through, come back and carry on from where they left. Also, if the browser close accidently, the user does not loose the text already typed in.
I have been trying find tutorial on this, but was unable to find a useful tutorial so far.
Any help, or point to useful tutorial would be greatly appreciated.
Thanks
It sounds like you need some sort of autosave feature. One option is the Sisyphus.js jQuery Autosave plugin that saves the form state in LocalStorage. No changes to your server side ocde is needed, so it should work for any existing ASP.NET MVC application.
https://github.com/simsalabim/sisyphus

Flowscope and get request

I'm experimenting the new "flow" functionality.
It seems very promising because it lets you have a managed bean which spans across multiple related views.
Unfortunately it works only with post requests.
Is there a way to enter a flow using a get request ? All the few example I found use a starting form outside of the flow. I would like to enter a flow clicking on an item inside a Primefaces menubar and, as far as I know, I can only put a link there...
Suppose then that a user bookmarks a page in the middle of a flow. If a get request for a view in the middle of a flow is sent and the flow is no more active (or flow information are removed from the querystring parameters) the server responds with a bad error page. In such cases is it possible to be redirected to the first node of the flow ?
Navigating through the view nodes of a flow I can see a special parameter in the querystring which most likely is an ID. Is it possible to hide that detail ?
Thanks
Filippo
Yes, just if the flow is named flow1, you can write something like:
<h:link value="Enter Flow" outcome="flow1"/>
That's it.
About the navigation, there is nothing that handles that in a explicit way, but you can override FlowHandler implementation, specifically the method clientWindowTransition(...) and check in that part if the flow is active and do what's necessary. To get out from a flow under a navigation outside of the flow you can override ViewHandler.createView(...) method and add the transition.
The flow state is bound to a client window id, which is what you are seeing as a query param. This detail is necessary because it provides an state that persist across navigation, but that is not as large as session state, which comprise multiple windows or tabs.
I recommend to use Apache MyFaces JSF 2.2 Implementation because the solution there has taken into account cases like multiple nested flows. It works pretty well. Take a look at this JSF 2.2 examples from Michael Kurz JSF Live blog on Github, that could be helpful.

What is the best way to handle a session-persistant search form in a Spring web application?

I am looking for the best way to handle a session-persistant search form in a "shopping cart" like web application using the Spring MVC Framework.
I want to be able to navigate back to this search page, with last filters already set, from any other page in the application. This is not a master detail search results page, only a form with filters on a table of elements displayed underneath.
I can store my search filters in the user session, but what about multi-tabs navigation and browser back button handling ?
I also considered using Spring WebFlow to adress this.
Any suggestions ?
That sounds like a good job for the conversation scope of Spring WebFlow. Objects which are stored in this scope are saved until the current flow is terminated (or by timeout). The usual way to use it in your case would be to create a new flow/conversation when the user starts browsing the webpage and saves the search parameters in the conversation scope. When going back to the search page later, the parameters are retrieved from this scope (if there are available).
The conversation scope solves the multi-tabs problem and avoid to have to send back to the server every time the data (as you would have to do if you only use the request scope).

JSP includes and MVC pattern

I am new to JSP/Servlets/MVC and am writing a JSP page (using Servlets and MVC pattern) that displays information about recipies, and want the ability for users to "comment" on it too.
So for the Servlet, on doGet(), it grabs all the required info into a Model POJO and forwards the request on to a JSP View for rendering. That is working just fine.
I'd like the "comment" part to be a separate JSP, so on the RecipeView.jsp I can use to separate these views out. So I've made that, but am now a little stuck. The form in the CommentOnRecipe.jsp posts to a CommentAction servlet that handles the recording of the comment just fine. So when I reload the Recipe page, I can see the comment I just made.
I'd like to:
Reload the page automatically after commenting (no AJAX for now)
Block the user from making more than one comment on each Recipe over a 1 day timeframe (via a Cookie). So I store a cookie indicating the product ID whenever the user makes a comment, so we can check this later? How would it work in a MVC context?
Show a message to the user that they have already commented on the Recipe when they visit one
which they have commented on
I'm confused about using beans/including JSPs etc on how to achieve this.
I know in ASP.NET land, it would be a UseControl that I would place on a page, or in ASP.NET MVC, it would be a PartialView of some sort. I'm just confused with the way this works in a JSP/Servlets/MVC context.
you can use response.sendRedirect() or forward APIs in javax.servlet to redirect to a new page or refresh the same page (redirect to the same page/path so that the beans/data gets refreshed)
about restricting to one comment per day - yes you can use cookie but the problem is that user might use another browser type (chrome, FF, Safari) and will be able to make multiple comments.
Ideally you should store the lastCommentTime in the model/persistent store and tie it to the user information - this way your model object can expose an API that checks the last comment time and returns true/false depending on whether user can comment or not.
You can use this API in your servlet/JSP to show/hide the comment button, for example and also show a message

Resources