JavaRanch » Java Forums » Frameworks » Struts
low-level understanding of http/struts/beans

john scofield
Greenhorn

Joined: Jun 08, 2006
Posts: 1
Hello all,

I've been playing with Struts for some time and really like the framework.

The thing I have been wondering is how the HTTP really works. For example, when I'm doing a password-secured application, I like to add a UserBean to the session scope when the user goes through the LoginAction. The bean contains all the necessary information about the user I would like to have available while the user is using the application.

The question: is the UserBean really transferred to the client via HTTP, or does the HTTP/app server simply keep some kind of a reference to the bean?

The reason I'm asking is that I've been wondering about the security issues. If the bean is really transferred to the client, can somebody with knowledge "decrypt" the bean and read all of its data?

Thanks.

- John
Merrill Higginson
Ranch Hand

Joined: Feb 15, 2005
Posts: 4864
When an HttpSession is created for a user, that session and all objects associated with it exist strictly on the server. It is not transferred back and forth to the browser. The way that most application servers keep track of sessions is with cookies. The way this works is that when the App Server creates a session for you, it puts a cookie on your browser. In that cookie is a unique session ID which tells the App Server which session is yours.

The only way that a third party could access this data would be either to guess the session ID (very unlikely) or to listen in on your interactions with the server and then create a cookie with the same session ID on their browser. If you're worried about this, using HTTPS will prevent a third party from listening in on the transaction.


Merrill
Consultant, Sima Solutions
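As an added illustration of the mechanism Merrill describes (this is not code from the thread, from Struts, or from any app server), here is a minimal Python model of the server side: the UserBean lives in a server-side table keyed by a random session ID, and only that ID crosses the wire inside the cookie. The names SessionStore and UserBean are assumptions; the sample user is constructed.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class UserBean:
    """Server-side object a LoginAction would put in session scope (hypothetical)."""
    username: str
    roles: list = field(default_factory=list)


class SessionStore:
    """Models the app server's HttpSession table: session ID -> attributes.
    The bean never leaves this table; the client only ever holds the ID."""
    COOKIE = "JSESSIONID"

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def create(self, user: UserBean) -> tuple[str, str]:
        # 128 bits from the OS CSPRNG, so guessing a valid ID is impractical.
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = {"user": user}
        # Secure: the browser sends the cookie over HTTPS only, so it cannot be
        # read off the wire in clear. HttpOnly: page scripts cannot read it.
        header = f"Set-Cookie: {self.COOKIE}={sid}; Path=/; Secure; HttpOnly"
        return sid, header

    def resolve(self, cookie_header: str) -> UserBean | None:
        """Map a Cookie request header back to the server-side bean (None if unknown)."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE:
                sess = self._sessions.get(value)
                return sess["user"] if sess else None
        return None

    def invalidate(self, sid: str) -> None:
        """Logout: drop the server-side entry so the old ID is useless afterwards."""
        self._sessions.pop(sid, None)


def demo() -> tuple[bool, bool, UserBean | None, UserBean | None]:
    store = SessionStore()
    user = UserBean("john@example.com", ["admin"])  # constructed sample user
    sid, set_cookie = store.create(user)
    # The response header carries no user data, only the opaque ID.
    wire_leaks_user = "john@example.com" in set_cookie or "admin" in set_cookie
    resolved = store.resolve(f"{SessionStore.COOKIE}={sid}; theme=dark")
    unknown = store.resolve(f"{SessionStore.COOKIE}={'x' * 22}")
    store.invalidate(sid)
    after_logout = store.resolve(f"{SessionStore.COOKIE}={sid}")
    return wire_leaks_user, resolved is user, unknown, after_logout
```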