Spring session management

Naresh Chaurasia
Ranch Hand

Joined: May 18, 2005
Posts: 356
I am trying to build a simple web application. I want to work on session management and security-related stuff. Prior to the Spring framework I have built a web application using the front controller model, where I managed the session and user credentials.

Similarly, I want to do session management (user login, user logout, session timeout, privilege-based access to resources, etc.) in the Spring framework. I have searched on the net but am not able to find anything useful. I am also currently reading Spring in Action 3, but somehow the security part is not that user-friendly for me to understand. It concentrated more on login stuff and not on session management. Can someone please point me to a good resource?

I was checking out http://spring.io/guides/gs/securing-web/, but I did not find it very useful since it makes use of Spring Boot and has nothing to do with session management.

Can someone please provide some pointers?


SCJP 1.4, SCWCD1.4, OCA(1Z0-007)
Michael A Hoffman
Ranch Hand

Joined: Mar 04, 2009
Posts: 36

Take a look at Spring MVC, part of the Spring Framework. MVC provides a concept of Interceptors (similar to Servlet filters), where you can manage security and session management.

- Link to Spring MVC Interceptor Example: http://www.mkyong.com/spring-mvc/spring-mvc-handler-interceptors-example/
- Authentication management with Interceptors: http://www.sivalabs.in/2011/06/authentication-checking-using-springmvc.html

You can also take a look at Spring Security, which is also based on Interceptors, for securing an application.

The examples on the spring.io site are invaluable, but there are also a LOT of videos on YouTube for each of these frameworks. Let me know if there is anything more specific I can help with.
Naresh Chaurasia
Ranch Hand

Joined: May 18, 2005
Posts: 356
I am trying to build an online e-store website. My UI is divided into Header/Body/Footer. In the header section, I have a login link, which calls the loginPage() method from the controller below and transfers control to the login page. In the login page, I have a form with username and password fields. When the user enters a user name and password, it is validated and the user is able to log in.



Now I want to implement a shopping cart, where the user can store the items to be purchased. The user can choose to log in using the above functionality; otherwise, when the user checks out for payment, he should be prompted to log in. Apart from that, the user can browse without logging in. I want to implement such functionality by harnessing the Spring framework functionality. Can you please guide me?
Michael A Hoffman
Ranch Hand

Joined: Mar 04, 2009
Posts: 36

It depends on your requirements. Most shopping cart checkouts are a flow (some support multi-cart, some require more steps, some fewer steps). If this is the case and the login may be required at more than one step in your flow, you can consider an Interceptor to centralize the logic. Otherwise, you can redirect them to the login page as part of the shopping cart controller.

Also, some best practice / standard suggestions. I would narrow the scope of your @SessionAttributes annotation to the user form object if that is all you plan to store. I would create another component with the @Service annotation and put the logic for getting the user from the database:



Hopefully you are encrypting your password in the database? If not, highly recommend that you should, especially in a purchasing capability.

Finally, you may want to add a check to see if the user is already in session; otherwise, you are authenticating them every time.
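
The interceptor approach suggested in the reply above, as an added example that is not part of the original thread: it lets anonymous users browse, checks whether a user is already in the session, and redirects to login only for the checkout flow. It assumes Spring 5.x with `javax.servlet`; the attribute names `currentUser` and `postLoginTarget` and the paths `/login` and `/checkout/**` are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// Added example. Assumes Spring 5.x with javax.servlet; the names
// "currentUser", "postLoginTarget", "/login" and "/checkout/**" are hypothetical.
public class CheckoutLoginInterceptor implements HandlerInterceptor {

    static final String USER_ATTR = "currentUser";
    static final String TARGET_ATTR = "postLoginTarget";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false): inspect the session without creating one.
        HttpSession session = request.getSession(false);
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            return true; // already logged in: no re-authentication needed
        }
        // Remember only a server-derived path, never a client-supplied
        // "returnTo" parameter, so the post-login redirect stays on this site.
        if ("GET".equals(request.getMethod())) {
            String path = request.getRequestURI().substring(request.getContextPath().length());
            request.getSession(true).setAttribute(TARGET_ATTR, path);
        }
        response.sendRedirect(request.getContextPath() + "/login");
        return false; // stop here: the checkout controller is not invoked
    }
}

// Registers the interceptor for the checkout flow only, so browsing and
// cart pages stay open to anonymous users. Assumes Java-based MVC config.
@Configuration
class CheckoutSecurityConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new CheckoutLoginInterceptor())
                .addPathPatterns("/checkout/**");
    }
}
```

After the login controller validates the credentials, calling `request.changeSessionId()` (Servlet 3.1+) before storing the user in the session keeps a session id issued to an anonymous visitor from carrying over into the authenticated session.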