Is it the only way that making an RPC call in GWT for getting HTTP session attributes ?
Is there any way to get them directly in the client side code without making an rpc call ?
If browser is maintaining session why we need to go to the server again for a session variable?
Is it the only way that making an RPC call in GWT for getting HTTP
session attributes ?
For getting session attributes you can use different approach (for example with JSON). GWT-RPC is just one
mechanism for passing Java objects to and from a server over standard HTTP. Read this article: Communicating with the server.
is there any way to get them directly in the client side code without
making an rpc call ?
Shortly, no you cannot access them unless you retrieve them from server. Because all GWT applications run as JavaScript code in the end user's web browser, but the session lives in the server side. So you have to ask them from your server.
If browser is maintaining session why we need to go to the server
again for a session variable ?
You have a wrong perception about sessions, they are not maintained by your browser. For controlling the session you have to call to the server-side with asynchronous callbacks or with another technique. Or if you mean Client side web sessions, you can control them with Cookies.
The browser doesn't have the session variables! All it has is the session identifier (which is usually kept in a cookie).
HttpSession session = RemoteServiceUtil.getThreadLocalRequest().getSession();
I think you may just want to set cookie values to match some of your session values. You can do this at authentication time and set cookie values using the
public boolean authentication() {
// Do authentication stuff
getResponse().addCookie(new Cookie("SOMESESSIONID", session.getId()));
}
public HttpServletResponse getResponse() {
return RemoteServiceUtil.getThreadLocalResponse();
}
Then on the client side you can simply use the Cookie class to fetch these values.
Session is only available at server side and GWT compiles java in Js so we can not have session avilable at client side.
Read the google group post - Synchronous Call
GWT does not make any effort to allow you to do it easily. You'd have
to write your own extension of the RequestBuilder that allows
Synchronous requests.
The problem with Synchronous requests is that they tend to block the
browser waiting for a response, giving your application the appearance
of being locked up. This is particularly bad application design. You
have no control of the client machine or the network between it and
your servers, and as such can't even dictate how long your application
is going to appear locked.
So, the best idea is to simply use the asynchronous method and
continue execution via the callbacks provided. You will end up with a
much better user experience, and a more professional appearing
application.
Related
I have two web Applications. I will login in to one Web Application and will navigate to another by links or redirection from the first Application. Lastly after completing some steps in Application two, I will be redirected to Application one. How can I implement this?
Here Application two is generic, and I will have three instances of Application One, which will interact with Application two.
Please suggest a better approach. I have to use spring and Spring Webflow to implement it.
Technically, session between two web application (two different WARs) cannot be shared. This is by design and done for security reasons. I would like to make following comments and suggestions for your problem,
Session are generally tracked using an session ID which is generally stored as a cookie on the browser and Session object on the server side.
This cookie is sent server side every time when you send a request.
A cookie will be sent ONLY to the server where it came from.
So a cookie set by www.mysite.com/app1 will be sent only to www.mysite.com/app1 and not to www.mysite.com/app2.
For you case, for a user sessions to be valid across two application, the browser will need two cookies to be set from app1 and app2.
One way would be, when you login to app1 , using java script, also send a login request to app2. When both these request return successfully, your browser will have session for both the applications (app1 and app2)
Now logout will have its own challenges, when you logout from app1, you also need to logout from app2. Technically this means, you need to clear the cookies set from both of these applications. With little help from java script you can do this.
When you have to make a call to app2 from app1, pass all necessary information via the request object (as a request params) then app2 can read and create the session there (perhaps a servlet/filter can be used for this).
you can share a session between the same application (app1 and app1) across machines using clustering.
I'm implementing a game in JSP and Servlets. The game should support multiple players.
It is obvious that each player ID is generated on the server side. But where do I store it on the client side, so I can retrieve it later (from within the servlet) when the client calls for the Servlet?
Sessions are handled automatically by the servlet framework, and you retrieve the session by calling request.getSession() in a servlet.
The session is available in different ways once you start using a framework once you outgrow servlets (this happens quickly) and is framework-dependent.
Depends on how long you want the client to remember the player ID.
During the session: The session is a good place
During his subsequent visists: A (permanent) cookie is a good place
Session: request.getSession()
Cookie: request.getCookies() and response.addCookie(cookie)
Session ids are usually stored in a cookie.
I'd be amazed if JSP doesn't have a session library that would take care of all that for you.
What's the best (most secure) way of implementing session handling in a web server? I'd like to add that, but don't know how to implement it really. Is cookies a "must" for session handling? (To be able to identify which session)
The session handling isn't really your concern. It is handled by the HttpSession class (read the description in the javadoc!), which you can obtain by calling request.getSession().
It works in two ways (no need for you to do anything to support them):
using a session cookie (if cookies are allowed)
using url-rewriting - appending the session id (JSESSIONID) to the URL.
(Note: it is actually handled by the servlet container (Tomcat, jetty, etc) which provides an implementation of HttpSession)
Assuming that you're talking about a servlet container, then session handling comes backed in. See the relevant part of if the JavaEE tutorial. It covers the session API, as well as how sessions are tracked (cookie or URL rewriting).
Session handling is handled by the web container. If you want safety from prying eyes, use https (enforced in web.xml).
What you might be interested in also, is how the user identifies himself to the web container. Several options exist, where the most secure is the client uses a web browser with a digital certificate. That is quite tedious, but very secure :)
I'm using gwt on my glassfish server, and I'm attempting to make some of my RPC calls authenticated via cookies. Is this possible? Are there any examples out there of how to code it?
Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forging/XSRF/CSRF attacks - read more on that in Security for GWT Applications.
The best way would be to double check the value you get from the cookie and with the one that's been transported to the server by some other means - as part of the request (header, a custom field, etc).
Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific. The Google Web Toolkit Group also has many threads about the subject.
I assume that you use GWT's RPC servlet for handling requests made by the client.
One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.
You might rethink using cookies as it is a potencial security hole.
Why not put your communication to HTTPS?
Can you not just use the standard 'session' scope, i.e.
request.getSession()
A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.
If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.
Best way managing session in Java. I heard that cookies are not reliable option for this as they gets stored into browser and can be accessed later on? Is this correct? If possible please come up with the answers with the coding example.
Which is the best among:
URL Rewriting: Server will add an additional parameter at the end of URL link
Hidden parameter in Form: server will add an additional parameter at every form in HTML
cookie: Server will ask browser to maintain a cookie.
The session management (client identification, cookie handling, saving session scoped data and so on) is basically already done by the appserver itself. You don't need to worry about it at all. You can just set/get Java objects in the session by HttpSession#setAttribute() and #getAttribute(). Only thing what you really need to take care of is the URL rewriting for the case that the client doesn't support cookies. It will then append a jsessionid identifier to the URL. In the JSP you can use the JSTL's c:url for this. In the Servlet you can use HttpServletResponse#encodeURL() for this. This way the server can identify the client by reading the new request URL.
Your new question shall probably be "But how are cookies related to this? How does the server do it all?". Well, the answer is this: if the server receives a request from a client and the server side code (your code) is trying to get the HttpSession by HttpServletRequest#getSession() while there's no one created yet (first request in a fresh session), the server will create a new one itself. The server will generate a long, unique and hard-to-guess ID (the one which you can get by HttpSession#getId()) and set this ID as a value of the cookie with the name jsessionid. Under the hood the server uses HttpServletResponse#addCookie() for this. Finally the server will store all sessions in some kind of Map with the session ID as key and the HttpSession as value.
According to the HTTP cookie spec the client is required to send the same cookies back in the headers of the subsequent request. Under the hood the server will search for the jsessionid cookie by HttpServletRequest#getCookies() and determine its value. This way the server is able to obtain the associated HttpSession and give it back by every call on HttpServletRequest#getSession().
To the point: the only thing which is stored in the client side is the session ID (in flavor of a cookie) and the HttpSession object (including all of its attributes) is stored in the server side (in Java's memory). You don't need to worry about session management youself and you also don't need to worry about the security.
See also:
Authenticating the username, password by using filters in Java (contacting with database)
How to redirect to Login page when Session is expired in Java web application?
How to implement "Stay Logged In" when user login in to the web application
All Java web frameworks support cookies or URL-encoded session IDs. They will chose the correct approach automatically, so there is nothing you need to do. Just request the session object from your container and it will handle the details.
[EDIT] There are two options: Cookies and a special URL. There are problems with both approaches. For example, if you encode the session in an URL, people can try to pass the session on (by putting the URL into a mail, for example). If you want to understand this, read a couple of articles about security and build app servers. Otherwise: Your Java app server will do the right thing for you. Don't think about it.
The cookie just stores the session ID, this ID is useless once the session has expired.
Servlet specification defines the API for accessing/setting session data in standard J2EE application. Also it defines that session data is stored on the server-side and nothing is transferred to the client except the session identifier. There are 2 mechanisms how session id is transferred:
1) request URL e.g. jessionid=....
2) cookie
Mechanism is determined automatically based on client capabilities.
EDIT. There is no best option, there is servlet specification that defines the way.
Http is a stateless, client-side pull only protocol.
To implement a stateful conversation over it, Java EE Web Server need to hide some information (which is sessionid) in client-side and the mechanism it can use should follow HTTP and HTML spec.
There are three ways to accomplish this goal:
URL Rewriting: Server will add an additional parameter at the end of URL link.
Hidden parameter in Form: server will add an additional parameter at every form in HTML.
cookie: Server will ask browser to maintain a cookie.
Basically, modern web server will have a "filter" to choose which way to use automatically.
So if Server detected that browser already turn off cookie support, it will switch to other ways.
2 important questions:
Which web technology are you using? JSF, Struts, SpringMVC or just plain servlets/JSPs.
Servlets/JSPs already give you the session support you need. JSP Example: Hello, <%= session.getAttribute( "theName" ) %>
I really don't think you have something to worry about cookies, since the data is stored safely in the server and handeling the cookie is done automaticlly.
Is your application installed on a single server?
If YES than you have no problem, use the servlet session option.
if NO than you gotta find another way to do this. Like using a sticky session, or maybe parse the entire session object in the requests/responses as a field. This option indeed requires you to take security measures.