Stateless Spring MVC - spring

I'm currently reading Spring in Action 3rd edition, and have been experimenting with Spring MVC.
Everything works well, until I tried to 'port' my example webapp to a stateless webapp.
To determine whether a session object is created, I placed a debugging servlet filter on the /* URL mapping, which just prints out req.getSession(false) and continues the chain.
I tried changing all of my controllers' scope to request out of naiveness, but of course, a session is still created on a page/controller that binds the model to the form.
I wonder how to achieve stateless Spring MVC? I'm out of luck for tutorials on this matter so far.

Make sure to have all the JSPs use
<%@page session="false" %>
else a session will be created as soon as a JSP is executed.

Accidental session creation is one of the most common sources of invalid bug reports in Spring Security (hence the FAQ you linked to in your comment above).
Spring Security's debugging filter can be useful if you're having issues with session creation. It will automatically log a message when a session is created, with a stacktrace indicating where it happened. It also provides other useful information with more human-readable output than standard log entries, so is useful in a development environment. If you're using Spring Security's namespace support, you just need to add the element
<debug />
to your configuration.
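
The debugging filter from the question can be extended to show where a session is requested, in the spirit of the stack-trace logging described above. This is an added example, not code from the original posts or from Spring Security; the class name is hypothetical and the `javax.servlet` API is assumed.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;

// Hypothetical class name; map it to /* ahead of other filters in web.xml.
public class SessionCreationTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionCreationTraceFilter.class.getName());

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        final HttpServletRequest http = (HttpServletRequest) req;
        // Controllers, tag libraries and JSPs further down the chain receive the wrapper,
        // so their getSession() calls pass through the overrides below.
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public HttpSession getSession() {
                return getSession(true);
            }
            @Override public HttpSession getSession(boolean create) {
                HttpSession existing = super.getSession(false);
                if (existing != null || !create) {
                    return existing;   // no new session requested or needed
                }
                // The Throwable is only a stack-trace carrier: it shows which caller
                // asked for a session. The session id is deliberately not logged.
                LOG.log(Level.WARNING, "Session about to be created for " + http.getRequestURI(),
                        new Throwable("session creation site"));
                return super.getSession(true);
            }
        }, res);
    }
}
```

Code that holds a reference to the unwrapped request bypasses this check, so it is a development aid rather than a guarantee of statelessness.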

Related

What's the bare minimum topics to cover from JSP and Servlet to learn SpringBoot?

So I want to build projects using Spring Boot directly as I'm under a bit of time crunch. Please help me out.
What you need to know about JSP: nothing. JSP is old and clunky, use Thymeleaf instead. But if you're building single page web apps you don't need any templates, you just need to know how to accept and return JSON.
Servlets: you need to understand the threading model, that there's only one servlet being traversed by multiple threads, and any instance variables will be accessed by all the http request threads. More than servlets you need to know filters, because Spring Security uses them.

Vaadin using SpringSecurity authentication

Currently learning Vaadin8+SpringBoot for Vaadin made me wanna forget about HTML for a while. Anyways, all is good for some CRUD operations until I mixed in SpringSecurity in the project. Well, I've been searching for days now and no solution could fit in well with the expected requirements.
Expected output:
Vaadin8+SpringBoot+SpringSecurity
All in one project/module/artifact
2 @SpringUI (MainUI = "", LoginUI = "/login")
Multiple @SpringViews contained by MainUI's ViewDisplay
Limitations:
No login.html (from the Vaadin's demo bakery app)
No SpringMVC for login page
No vaadin4Spring dependency
Configurations done through annotations and not through XMLs
I know there's a way, I'm blocked how to progress on this. And if it's really not possible, need to understand as to why it isn't.
When you configure Spring Security, you need to allow anonymous access to the /login URL (either login.html if it is a non-vaadin form, or the login UI path if you want a separate UI for login). You also need to restrict access to the actual application UI. You also need to allow anonymous access to the static resources (i.e. /VAADIN/**).
The SecurityConfig in Bakery may give you a starting point. (Note: the starter or its parts cannot be redistributed as a code example or template)
There is a more detailed explanation here, though it only covers Vaadin and Spring Security integration (i.e. no spring-boot).

A heavily customized Spring Web application and the dispatcher servlet

We have a web application that uses spring, struts and camel right now and there is a lot of customization we have done to allow us to know when beans are added to the context.
So, we have gotten to a point where we would like to remove struts from the application, because we are only using it to handle actions and we figure we could either use spring or camel to do the same thing. So I was able to get it to work with camel/velocity, but we didn't like how we really couldn't use the request object directly in the jsp (afaik, you have to put everything in the header of the Exchange and in the jsp you would do ${header.someReqVariableName}).
So we wanted to go the spring route, but since we load the context.xml directly, we have a provider that extends ContextSingletonBeanFactoryLocator and we pass the xml file name as a param, we haven't been able to figure out how to get the DispatcherServlet to work without giving it another configuration xml.
Is there a way to either:
Have camel use jsp for processing a jsp (and have all the usage of jsp tags)?
or
Have spring to see that a context has already been loaded and use that instead of having another new one?
or
Something better I have thought up?
You can use camel-jetty to expose HTTP endpoints, but I wouldn't use it for any complex web app development (JSP, etc). I'd use Spring MVC (or similar) and use Camel for any complex routing/messaging requirements...
Here is another way, you can use the producer template to send the request to the camel context if you can get the reference of the camel context from the spring.

Should I care about Open Session in View when using Grails?

From my experience of using Spring MVC in conjunction with Hibernate I know about the lazy exception problem that occurs when accessing a lazy-fetched collection while rendering a view.
In the pure spring+hibernate world it is fixed by introducing OpenSessionInViewInterceptor or OpenSessionInViewFilter, thus enabling one Hibernate session per request.
So the question is: should I care about this problem in Grails, or is such one-session-per-request behaviour enabled by default?
If this isn't grails defaults please provide some code to implement this behaviour.
Thanks.
Grails registers a customized subclass of OpenSessionInViewInterceptor (it adds WebFlow awareness). So anything done in the context of a web request will have an open session and lazy-loaded references and collections will resolve.

Session handling in Struts 2.1.6

I have a project with the following setup:
Tomcat 6.x
Struts 2.1.6
DisplayTag 1.2
Spring 2.x (1 or 5, don't remember now)
I want to know how to do session controlling in every action of my app, like if the users weren't logged in, they're redirected to a certain page to login (in the case of my project, either the user comes to a specially crafted URL like login/SPECIALHASHTOLOGIN or won't enter at all).
Need more details?
Thx in advance.
I'm still new to S2 as well, but I believe what you will need to do is modify the default interceptor stack (or create a custom stack) and add a custom interceptor. This custom interceptor will need to implement SessionAware to access the user session, and must implement your custom logic (which action to redirect to, which URLs do not need protection, etc.).
Here is a good tutorial of a LoginInterceptor that behaves similar to what you are requesting.
Acegi security is a great way to add security to your web app if you're already using Spring. Here's a decent 1-hour Acegi tutorial.
