File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Servlets and the fly likes preventing access based on all sessions Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Java » Servlets
Bookmark "preventing access based on all sessions" Watch "preventing access based on all sessions" New topic

preventing access based on all sessions

Mark Lybarger
Ranch Hand

Joined: Dec 19, 2003
Posts: 72
here's what we're after. if a user is working with an order (is on the order detail page), no other users can work with that order. if they try to go to the order detail page, it should show the order as being worked on by _user1_.

we currently have the users and the order they're working on in their http session. so, my thought is that when user2 goes to the order detail page, the servlet can query to see if any sessions have that order as being used.

i'm not sure how this could be done at all, so if anyone has some thoughts it would be most appreciated.
Dushy Inguva
Ranch Hand

Joined: Jun 24, 2003
Posts: 264

1. You can store associations between user names and the resources in a static variable e.g.: Map<User, Resources>
In this case, you will have to consider the fact that since you are tied to the static variable, you will NOT be able to scale. A solution could be to have this association object as a JNDI resource (But, make sure your container supports writable JNDI contexts, i know tomcat doesn't)

2. We have this exact same problem, and we store the associations in the database. But, we have to consider the cases where the server crashes/ user does not sign off but just closes the browser etc. The cleanup is the MAJOR part of the headache.

Which ever approach you take, make sure you have support from your application framework level.

You can make use of the HttpSessionBindingListener or one of the other session listeners (beware, atleast one of them behaves quite differently between J2EE 1.3 and 1.4)


I agree. Here's the link:
subject: preventing access based on all sessions
It's not a secret anymore!