Win a copy of Modern JavaScript for the Impatient this week in the Server-Side JavaScript and NodeJS forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Ron McLeod
  • Paul Clapham
  • Bear Bibeault
  • Junilu Lacar
Sheriffs:
  • Jeanne Boyarsky
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Tim Holloway
  • salvin francis
  • Frits Walraven
Bartenders:
  • Scott Selikoff
  • Piet Souris
  • Carey Brown

Session exists even before we have logged in

 
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Source: Marcus

Which of the following classes is appropriate for monitoring when users sign into the system and recording it in the log.

A. ApplicationContextAttributeListener
B. HttpSessionListener
C. HttpSessionActivationListener
D. HttpLoginListener
E. ServletContextListener

Given answer: B

i also though B is the answer but then I thought, why?

See a HttpSession can be created even when the user is not logged in.
For ex: I add items to shopping cart and login only if I wish to check out.
The main point of having session is to keep track of user without asking him to login to the site otherwise we could have used HTTPS built in mechanism all the time to keep track of user.

So why is it said that if you want to log people who are logging in to the website then use HttpSessionListener?
 
Creator of Enthuware JWS+ V6
Posts: 3349
303
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

See a HttpSession can be created even when the user is not logged in.


True, but you can see whether somebody has logged in by using the request.getUserPrincipal() method

See also this section of the specs:

SRV.12.10 Login and Logout
Being logged in to a web application corresponds precisely to there being a
valid non-null value in getUserPrincipal method, discussed in SRV.12.3 and the
javadoc. A null value in that method indicates that a user is logged out.
Containers may create HTTP Session objects to track login state. If a
developer creates a session while a user is not authenticated, and the container
then authenticates the user, the session visible to developer code after login must
be the same session object that was created prior to login occurring so that there is
no loss of session information.


Regards,
Frits

 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
ok.. so you mean the sessionCreated method will run whenever a new session is created and you can check that this session is created because someone has logged in(using getUserprincipal or getRemoteUser methods) or in general.

If these methods return non null value then an entry is made in logs that new user has logged in.


But see this line in spec

If a developer creates a session while a user is not authenticated, and the container
then authenticates the user, the session visible to developer code after login must
be the same session object that was created prior to login occurring so that there is
no loss of session information.



There is no new session created if user logs in after he was allready using a session. So this means the sessionCreated method will not be running again and we will not be able to log this user into the session. Right?
 
Frits Walraven
Creator of Enthuware JWS+ V6
Posts: 3349
303
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

There is no new session created if user logs in after he was allready using a session. So this means the sessionCreated method will not be running again and we will not be able to log this user into the session. Right?


Yes, so monitoring users that are logged in (authenticated) is not possible by only implementing a HttpSessionListener.

So the answer is depends on whether the users are logged in immediatly into the system and that we don't know....

Regards,
Frits
 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hey Frits,

I think the best listener would be HttpSessionAttributeListener because Containers may create HTTP Session objects to track login state and if they do they will store attributes in the user's session, such as the user's security related information and if that happens then the attributeAdded method will be called on HttpSessionAttributeListener.

So, the attributeAdded method is a perfect place to log such information.

But this is another container specific thing.
 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Doesn't anyone think the same(that best listener would be HttpSessionAttributeListener )?
 
Frits Walraven
Creator of Enthuware JWS+ V6
Posts: 3349
303
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Parth,

Containers may create HTTP Session objects to track login state and if they do they will store attributes in the user's session, such as the user's security related information and if that happens then the attributeAdded method will be called on HttpSessionAttributeListener.


There is nowhere writen in the specs that certain security attributes should be available in the HttpSession object. (for instance: tomcat doesn't add anything to the session object, after a user has logged in)

I think that if you really want track who is logged in that you can't do that with a listener alone (unless that you always have to log in).

Regards,
Frits
 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Ok.. thanks..
 
Ranch Hand
Posts: 2066
IntelliJ IDE Clojure Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?
 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?



I think that if you really want track who is logged in that you can't do that with a listener alone (unless that you always have to log in).

If a session allready exists then it is not changed or anything by user login.
 
Frits Walraven
Creator of Enthuware JWS+ V6
Posts: 3349
303
Android Eclipse IDE Chrome
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator

What is the solution for this? Can't we use HttpSessionEvent objects to notify when a session had been changed by user log in?


If you want to log all the user that are logged into the system you could do it with a Filter. For every user that is logged in you could add an attribute to the HttpSession object.

Just to give an idea:

and a filter definition like this:
 
Parth Twari
Ranch Hand
Posts: 163
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
thanks Frits , you have really helped..
 
Abimaran Kugathasan
Ranch Hand
Posts: 2066
IntelliJ IDE Clojure Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks Frits!
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
    Bookmark Topic Watch Topic
  • New Topic