How would we implement a Session Facade design pattern in the Spring application? Would the role of the Session facade be simply served by the service bean class that would be annotated for the transactions and will have a session scope?
A Spring service (with singleton scope) is like a local stateless session bean, it is an implementation of the Session Facade pattern, only for applications that are not distributed. Spring does make the case that in most cases services don't need to be distributed and that the distributed aspects of Session facade are not as all-pervasive as J2EE made them out to be.
(When you say "session scope" it sounds like you're confusing session as in transactional with session as in HttpSession, because Spring uses the term session scope to refer to HttpSessions. (At least it's confusing me about what's intended.) My reading of the Session facade description leads me to think it doesn't have anything to do with an HttpSession.)
Anyway, I'd say the basic goal of encapsulating complexity is still valid. In some cases the goal of giving distributed access is still very valid, it's just not the default case like J2EE tried to make it out to be. And Seam makes a case for stateful session beans still being relevant.
Session should be associated with the web tier, not services.
Services do indeed own transactions, so they should have that annotation.
Related
I would want organize multithreaded access via the rest api to a resource using Spring Boot.
There is information (I found it here) that SrpingBoot can parallelize requests (which I doubt) to the controller with scope-singlotone.
How to start the design of such a controller, or what approach to apply for this?
Spring handles requests in parallel - that means your singleton controllers have to be thread-safe.
If you have a single resource which cannot handle parallel access you have to use Java's synchronized or locks to serialize the access.
Spring Rest Controllers do handle request using a thread pool. Since Spring beans are singleton, your Spring Beans should be Stateless or we can say bean should have a sheared state. Which means you cannot have a state that will change with the time.
I understand that a HTTP session is the idea to associate a state of a web application for different users which is done outside the protocol in software as HTTP is stateless.
I didn't notice before today that some articles and manuals in the Spring universe are talking about a web session as well. They make a connection to reactive webapps and streams, however I don't find anything on https://www.reactive-streams.org/ and the reactive manifesto and am thus uncertain that it's a reactive thing.
Since it's differentiated it has to be a thing, but is it a concrete technical concept or just another word for HTTP session? Does it exist outside of the Spring universe?
HttpSession comes from the Java EE servlet specification and is defined as:
[...] a way to identify a user across more than one page request or visit to a Web site and to store information about that user.
A WebSession is essentially the same thing but is used in the context of the Spring WebFlux which provides reactive programming support for web applications.
Note also the existence of the Spring Session project providing transparent integration with these different kind of sessions.
A simple question, what is the use of Spring session where I can do a login with session using spring security?
What feature can spring session offer?
To put it simple, Spring Session project provides infrastructure for managing user's session.
Most notably, this includes replacing the HttpSession implementation provided by your Servlet container (e.g. Tomcat) with an implementation provided by Spring Session which is then persisted using SessionRepository implementation of your choice (Redis, Gemfire, Hazelcast, JDBC, Mongo are supported backends in current 1.2.0.RELEASE). This ensures your sessions are stored in container/platform agnostic way and makes session clustering very easy.
Additionally, Spring Session provides some other nice features such as:
configurable strategies for correlating user's requests with a session (either cookie or HTTP request header based)
support for multiple sessions in a single browser instance
WebSocket integration, meaning the HttpSession is kept alive when consuming only WebSocket
ability to retrieve all the sessions for a given user
For more information please take a look at Spring Session's user manual as it contains detailed guides which describe the most common use cases.
In my spring MVC application i want to access Principal object created by spring security in my service layer. I thought about injecting it in my service classes, but I am sure it will not be thread safe.
Other option I am thinking, is to pass it to all service methods as argument but this do not look very clean to me.
What would be the better way to do this?
I think that the best approach would be to use the SecurityContextHolder.
Principal principal = SecurityContextHolder.getContext().getAuthentication();
Spring explains how it works in the documentation:
The most fundamental object is SecurityContextHolder. This is where we
store details of the present security context of the application,
which includes details of the principal currently using the
application. By default the SecurityContextHolder uses a ThreadLocal
to store these details, which means that the security context is
always available to methods in the same thread of execution, even if
the security context is not explicitly passed around as an argument to
those methods. Using a ThreadLocal in this way is quite safe if care
is taken to clear the thread after the present principal's request is
processed. Of course, Spring Security takes care of this for you
automatically so there is no need to worry about it.
Since it uses a ThreadLocal to store the current authentication, you will not have any thread safety problem.
Can somebody point me a good strategy for security crosscutting concern without AOP for a JSF-Spring-Hibernate web application?
Security context (in user's web session) must be accesible in Business (for rules and authorization) and Data Access Layer (to store user name in BD)
I can use Spring IOC but my boss doesn't allow me to use AOP.
You could use Spring Security's SecurityContextHolder which uses a ThreadLocal to store the current user's credentials. Then you can just access it as necessary from the business layer and the DAOs, at the cost of coupling these to the Spring framework.
You can use Java EE Interceptors but it might be little more difficult to set up than Spring AOP since you are already using Spring stack.