Is it possible to configure a Spring session scoped bean with attributes from the session? - spring

I'm trying to create a service bean that when referenced will be initialized with HttpSession based attributes.
Let's say for sake of argument that my webapp would do the following:
Establish a session
Request login & password
When service is requested (it is scope="session" and has init-method="init()") a new instance is created for the session.
In the init method, can I reference the HttpSession either through passing it in as a parameter and referencing it by EL?
Any ideas on this would be appreciated.

You can access a thread-bound HttpSession as follows:
HttpSession session =
    (HttpSession) RequestContextHolder.getRequestAttributes()
        .resolveReference(RequestAttributes.REFERENCE_SESSION);

Related

Change session ID in Struts2 action [duplicate]

In my Struts application, once a user logs in I need to invalidate the current session and create a new session. I invalidate the session with
getHttpServletRequest().getSession().invalidate();
And I create a new session as
getHttpServletRequest().getSession(true);
The problem is that after the above, when I try to access getSession(), it gives the invalid state exception: HttpSession is invalid.
getSession() returns a map; in my action class I implement SessionAware, which has setSession(Map session).
EDIT: Below is the exception
Error creating HttpSession due response is commited to client. You can use the CreateSessionInterceptor or create the HttpSession from your action before the result is rendered to the client: HttpSession is invalid
java.lang.IllegalStateException: HttpSession is invalid
So I assume the problem is that the Struts getSession() still references the session which I've invalidated.
How do I make the Struts getSession() reference the new session which I've created?
If you want to access the Struts session after you have invalidated the servlet session, you should update or renew the Struts session. For example:
SessionMap session = (SessionMap) ActionContext.getContext().getSession();
//invalidate
session.invalidate();
//renew servlet session
session.put("renewServletSession", null);
session.remove("renewServletSession");
//populate the struts session
session.entrySet();
Now the Struts session is ready to use the new servlet session and you are ready to reuse the Struts session.
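
The invalidate-then-recreate step from the question, written against the plain Servlet API as an added example (not code from the original posts, and not Struts or Spring code). The class name `SessionRotation` and the `javax.servlet` package are assumptions; inside a Struts 2 action the `SessionMap` still has to be refreshed as in the answer above.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper: give the user a fresh session ID at login. */
public final class SessionRotation {

    private SessionRotation() { }

    /**
     * Call after the credentials have been verified and before any output
     * has been written. Returns the session the rest of the request should use.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old == null) {
            // No pre-login session exists, so there is nothing to migrate.
            return request.getSession(true);
        }

        // Copy the attributes first: once invalidate() has run, every
        // accessor on the old session throws IllegalStateException.
        Map<String, Object> saved = new HashMap<>();
        for (String name : Collections.list(old.getAttributeNames())) {
            saved.put(name, old.getAttribute(name));
        }

        old.invalidate();

        // Throws IllegalStateException if the response is already committed,
        // because the new session cookie can no longer be sent to the client.
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : saved.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}
```

On containers that implement Servlet 3.1 or later, `request.changeSessionId()` changes the ID without invalidating the session, so no attribute copy is needed.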

Difference of Spring session management and spring security session?

I am new to Spring. I have a doubt about Spring session management and Spring Security session: are both concepts the same or different? If different, what are they? Any suggestions?
Could you be a little bit more specific in your question?
In Spring:
session can refer to one of the scopes that a bean belongs to. For example, if you define an instance (bean) of a class org.something.Counter with scope session, whenever you access that bean during a web session you will have the same instance of the object. A web session does not require Spring Security in order to exist. You can start from here to understand a little bit more about the session scope in Spring.
session may refer to HttpSession as specified by the Servlet API. This is not really related to Spring; even if you can use the standard HttpSession from within Spring, it is more generally related to the Servlet API.
In Spring Security:
If you are talking about Spring Security, instead of session I would talk of SecurityContext. The SecurityContext is actually stored as an HttpSession and restored to the SecurityContextHolder at every request. Here is where all security-related information is stored for the current session. See here for more details. In general a SecurityContext (at least at a very basic level) exists from the moment you log in to the moment you log out. Because it is stored as an HttpSession it expires when the HttpSession expires (again, see the Servlet API specifications for more details).
Luca

Spring SessionAttributes or httpsession

In my Spring MVC project I have a JSP page, a registration page, in which there is a form. In this form the user inserts his data (name, surname and so on). I created a bean User and I bound the form to this bean. But now I have a problem. How can I put the user object into a session in a method of a controller?
Can I use @SessionAttributes or HttpSession, or do I set the scope of the bean to session? How can I solve it? Sorry for my English. Thanks
You can use HttpSession; you just need to set your user object in your session and you can access it anywhere in the system.
Refer to this HttpSession documentation for setting session values.

Security SessionFixationProtectionStrategy interfering with session scoped beans

I'm using Spring 3.1.1.Release, Security 3.1.0.Release.
I've added login/logout to my web app, however a session scoped bean is not functioning the way it was. The bean is used to connect to a CMS called CMSConnector.
To authenticate users, I implemented an AuthenticationProvider, and in the authenticate() call, I get the session-scoped CMSConnector and call the CMSConnector.login(). If the CMS login fails, it fails the login.
THE PROBLEM -
If the login is successful, the @PreDestroy logout() is called immediately after the successful login. I then found that the SessionFixationProtectionStrategy is invalidating the previous session and assigning a new session.
session.invalidate();
session = request.getSession(true); // we now have a new session
The invalidate() is calling the @PreDestroy method on the session-scoped bean.
So I have temporarily removed the @PreDestroy annotation, leaving the connection not closed. (VERY BAD PRACTICE.)
What is a work around to resolve the issue?
I tried to create a @PostConstruct and put the login process there, but the @PostConstruct doesn't get called when request.getSession(true) is called.
Thanks!
Jason
I think it's not the SessionFixationProtectionStrategy but the ConcurrentSessionControlStrategy.
Set max-sessions="-1" for this code snippet
I did not solve my original question, but I implemented a workaround - expire session in the session expire object instead of attached with @PreDestroy.

How session sets and unsets in JSF2.0

I want to know about setting and unsetting the session in JSF 2.0. Although following some blogs and books (Core JavaServer Faces, 3rd Edition), I got to know that using the annotation @SessionScoped we can set any managed bean to be in session. I have a loginBean which is declared @ManagedBean and @SessionScoped. On the top right corner, my web page has a login button.
When is this session created (I am not setting it manually, that is why I am confused) and when does it get destroyed? It must be destroyed either by timeout or by clicking the logout button only.
JSF uses the Servlet API under the covers. A session scoped managed bean is in essence set as an attribute of the HttpSession. It will be created and set whenever the EL expression referencing the managed bean #{sessionBean} is evaluated for the first time. It will be "removed" from the session whenever the session expires (by either a restart of the client or a timeout in the server) or gets invalidated. If you let your logout button call ExternalContext#invalidateSession(), then the session will be invalidated.
If you're familiar with the basic Servlet API, you should already understand how this all works. For an in-depth explanation of how the Servlet's HttpSession works under JSF's covers, read this answer: How do servlets work? Instantiation, sessions, shared variables and multithreading.
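In JSF 2.0 we can set a whole class object in the session, as I show here:
Class_name sm; // the object to keep in the session
ExternalContext extContext = FacesContext.getCurrentInstance().getExternalContext();
// store the object in the session map under a name of your choice
extContext.getSessionMap().put("Give name for access this property",sm);
// elsewhere, read it back from the session map using the same name
Class_name sm = (Class_name) extContext.getSessionMap().get("Give name for access this property");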
