I have a Spring Boot web application and I am trying to allow concurrent user activity on the same browser.
The login function has a member object with email and password attributes tied to a Thymeleaf form.
When the user logs in it displays information for that user.
The issue I have is that when I log in as a second user in a new tab while still logged in as the first user, and I add a change to the first user, the details of the user are changed to the second user's.
On the Java side the issue is related to this part.
What's happening is when a new member signs in I check if the member exists in "database" and then pass the object to the model. The model uses this object to populate the fields.
    @RequestMapping(method = RequestMethod.POST, path = "/profile")
    public String signIn(@ModelAttribute MemberEmail memberEmail, Model model, @RequestHeader HttpHeaders headers)
    {
        if (MemberDB.validate(memberEmail))
        {
            // "member" is a field of the controller, not a local variable
            member = MemberDB.getMember(memberEmail.getEmail());
            model.addAttribute("member", member);
            return "home";
        }
        else
        {
            System.out.println("Login Failed");
            return "redirect:/devshub";
        }
    }
In my Thymeleaf, I have a function where users can enter a message and it is displayed on their profile.
This function takes the message input and displays it on the user's profile, but it also needs a member to populate the fields again because it returns to "home".
    @RequestMapping(method = RequestMethod.POST, path = "/save")
    public String saveMessage(@ModelAttribute Member m, Model model, @RequestHeader HttpHeaders headers)
    {
        // updates the same controller field that signIn() assigned
        member.setMessage(m.getMessage());
        model.addAttribute("member", member);
        return "home";
    }
When I log in to two different accounts on different browsers, I think because it uses two different session IDs, the correct member object is referenced for each account (by the session). However, when using the same browser, when the member object is set to the second user, if I add a message as the first user, the message is added but the user information is switched to the second user's.
I'm thinking a possible solution could be to redirect without returning to home when the user object is already populated, but I am still thinking of how I could do this, as I would preferably not like to mess with session IDs.
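The cross-account write described in this question, reduced to plain Java as an added example (not the poster's code): Spring MVC controllers are singletons by default, so the `member` instance field is shared by every request, while the corrected handler keeps only the signed-in e-mail in the caller's session and resolves the member per request. `DB`, the `Map` standing in for `HttpSession`, the `memberEmail` key and the example.test addresses are constructed for this illustration.

```java
import java.util.HashMap;
import java.util.Map;
public class SharedMemberDemo {
    static class Member {
        final String email;
        String message = "";
        Member(String email) { this.email = email; }
    }
    // Constructed stand-in for the page's MemberDB.
    static final Map<String, Member> DB = new HashMap<>();

    // Before: one controller instance serves every request, so this field is global state.
    static class SharedFieldController {
        private Member member;
        String signIn(String email) { member = DB.get(email); return "home:" + member.email; }
        String saveMessage(String msg) { member.message = msg; return "home:" + member.email; }
    }

    // After: only the session knows who is signed in; each request resolves the member from it.
    static class SessionController {
        String signIn(Map<String, Object> session, String email) {
            session.put("memberEmail", email);   // hypothetical attribute name
            return "home:" + email;
        }
        String saveMessage(Map<String, Object> session, String msg) {
            Object email = session.get("memberEmail");
            if (email == null) return "redirect:/devshub";   // no login in this session
            Member m = DB.get(email);
            m.message = msg;
            return "home:" + m.email;
        }
    }

    public static void main(String[] args) {
        String alice = "alice@example.test", bob = "bob@example.test";
        DB.put(alice, new Member(alice));
        DB.put(bob, new Member(bob));
        SharedFieldController shared = new SharedFieldController();
        shared.signIn(alice);
        shared.signIn(bob);   // replaces the field for every caller
        System.out.println("shared field: " + shared.saveMessage("from alice")
                + " bobMessage=" + DB.get(bob).message);
        DB.get(bob).message = "";   // reset before the second run
        SessionController fixed = new SessionController();
        Map<String, Object> sessionA = new HashMap<>(), sessionB = new HashMap<>();
        fixed.signIn(sessionA, alice);
        fixed.signIn(sessionB, bob);
        System.out.println("per session: " + fixed.saveMessage(sessionA, "from alice")
                + " bobMessage=" + DB.get(bob).message);
    }
}
```

Two tabs in one browser send the same session cookie, so they remain a single session even with the per-session version.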
I have an action named "Login.action" that puts a certain type of object in the SESSION, but depending on this object I want to do something with jQuery. This is my example:
    public String execute() {
        HttpServletRequest request = ServletActionContext.getRequest();
        HttpSession sesion = request.getSession();
        sesion.setAttribute(user.getprofile(), user);
        return SUCCESS;
    }
As I said, I put an object in my SESSION, so I want to access it later in the JSP with jQuery
(if the user's profile is "Admin" I want to make an "Admin Panel" button appear using jQuery).
Also, I want to know if this is a good way to get this result or if there's another (and better) way to do it.
Struts set session
    Map session = ActionContext.getContext().getSession();
    session.put("user", "username");
set your user in session
    $.session.set("user", $("#uname").val());
get session user
    $.session.get('user');
For populating entries only visible to the user I need to know which user is logged in. This information is stored in my HttpSession object. How can I access this object from an odata4j ProducerFactory implementation?
I am following the link http://middlewaremagic.com/weblogic/?p=2034 to perform form-based authentication. I have created a security realm, then successfully delegated the authentication check to WebLogic 10.3.
Everything is fine, but I could not get the username; HttpServletRequest->getRemoteUser() returns null.
Do you have an idea how to get the username after login? I am going to use the username in every managed bean to log user operations.
EDIT:
I have found my mistake: I invalidated the session before logging the user operation (logout operation), which is why HttpServletRequest->getRemoteUser() returns null. Thanks for the contribution.
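You can obtain it from SecurityContext as well:
    // getPrincipal() returns Object; the cast assumes a Spring Security UserDetails principal
    ((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername();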
Try to get user principal from request and then get name from it. Like this:
    Principal p = request.getUserPrincipal();
    String username = p.getName();
j_username is available in the Principal, so just check whether there is any Principal in the request object.
    String username = null;
    Principal principal = request.getUserPrincipal();
    if (principal != null) {
        username = principal.getName(); // Find User by j_username.
    }
So far I understand HttpSession concepts in Java.
    HttpSession ses = req.getSession(true);
will create a session object, according to the request.
    setAttribute("String", object);
will bind the 'String' and the value to the Session object.
    getAttribute("String");
will return the object associated with the specified string.
What I am not able to understand is: I am creating a session object like
    HttpSession ses = req.getSession(true);
and setting a name for it by calling setAttribute("String", object);.
Here, this code resides inside the server. For every person, when he tries to log in, the same code in the server will be executed. In setAttribute("String", object); the string value is a constant one. So each session object created will be bound by the same string which I have provided. When I try to retrieve the string to validate his session, or while a logout action is taken, getAttribute("String"); will return the same constant string value (Am I right? Actually I don't know, I'm just thinking of its logic of execution). Then how would I be able to invalidate it?
I saw this type of illustration in all of the tutorials on the web. Is it the actual way to set that attribute? Or will real application developers give a variable in the "String" field to set it dynamically?
(i.e. session.setAttribute(userName, userName); // Setting the String dynamically. I don't know whether it is right or not.)
And my final question is
    WebContext ctx = WebContextFactory.get();
    request = ctx.getHttpServletRequest();
What do the two lines above do? What will be stored in ctx & request?
HttpSession ses = req.getSession(true); will create a new session. What value is stored in ses?
Some [random] precisions:
You don't need login/logout mechanisms in order to have sessions.
In Java servlets, HTTP sessions are tracked using two mechanisms, HTTP cookie (the most commonly used) or URL rewriting (to support browsers without cookies or with cookies disabled). Using only cookies is simple; you don't have to do anything special. For URL rewriting, you need to modify all URLs pointing back to your servlets/filters.
Each time you call request.getSession(true), the HttpRequest object will be inspected in order to find a session ID encoded either in a cookie OR/AND in the URL path parameter (what's following a semi-colon). If the session ID cannot be found, a new session will be created by the servlet container (i.e. the server).
The session ID is added to the response as a Cookie. If you want to support URL re-writing also, the links in your HTML documents should be modified using the response.encodeURL() method. Calling request.getSession(false) or simply request.getSession() will return null in the event the session ID is not found or the session ID refers to an invalid session.
There is a single HTTP session per visit, as Java session cookies are not stored permanently in the browser. So session objects are not shared between clients. Each user has his own private session.
Sessions are destroyed automatically if not used for a given time. The time-out value can be configured in the web.xml file.
A given session can be explicitly invalidated using the invalidate() method.
When people are talking about JSESSIONID, they are referring to the standard name of the HTTP cookie used to do session-tracking in Java.
I suggest you read a tutorial on Java sessions. Each user gets a different HttpSession object, based on a JSESSIONID request/response parameter that the Java web server sends to the browser. So every user can have an attribute with the same name, and the value stored for this attribute will be different for all users.
Also, WebContextFactory and WebContext are DWR classes that provide an easy way to get the servlet parameters.
As I understand it, your concerns are about separation of the different users when storing things in the HttpSession.
The servlet container (for example Tomcat) takes care of this utilizing its JSESSIONID.
The story goes like this:
User first logs onto website.
Servlet container sets a COOKIE on the user's browser, storing a UNIQUE jsessionId.
Every time the user hits the website, the JSESSIONID cookie is sent back.
The servlet container uses this to keep track of who is who.
Likewise, this is how it keeps track of the separation of data. Every user has their own bucket of objects uniquely identified by the JSESSIONID.
Hopefully that (at least partially) answers your question.
Cheers
Your basic servlet is going to look like:
    public class MyServlet extends HttpServlet {
        @Override
        public void doGet(HttpServletRequest req, HttpServletResponse res) {
            // Parameter true:
            //   create session if one does not exist. session should never be null
            // Parameter false:
            //   return null if there is no session, used on pages where you want to
            //   force a user to already have a session or be logged in
            // only need to use one of the two getSession() options here.
            // Just showing both for this test
            HttpSession sess = req.getSession(true);
            HttpSession sess2 = req.getSession(false);
            // set an Attribute in the request. This can be used to pass new values
            // to a forward or to a JSP
            req.setAttribute("myVar", "Hello World");
        }
    }
There is no need to set any attribute names for your session; that is already done. As others have suggested in other answers, use cookies or URL rewriting to store the sessionID for you.
When you are dealing with the DWR WebContext, it is simply doing the same thing as above; normally the Request object isn't passed into the method, so you use the WebContext to get that request for you:
    public class DWRClass {
        public void doSomething() {
            WebContext ctx = WebContextFactory.get();
            HttpServletRequest req = ctx.getHttpServletRequest();
            HttpSession sess = req.getSession(); // no parameter is the same as passing true
            // Let's set another attribute for a forward or JSP to use
            ArrayList<Boolean> flags = new ArrayList<Boolean>();
            req.setAttribute("listOfNames", flags);
        }
    }