Session tracking in client-server model?

 
James Clarke
Ranch Hand
Posts: 148
Hi,

I am writing a client-server app with three types of users with
different privileges. Is there a session tracking type mechanism for
client server apps?

If not I would just have to write a different user interface with access to
different data based on the type of the user. Is this the best approach?

thanks,

J.C
 
Kai Witte
Ranch Hand
Posts: 356
hello,

you could use TCP. If you use RMI, you can use a different remote object on the server for each user, so that you can identify a user by that.

Kai
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
Kai points up some interesting things we don't know yet ... What protocol do your client and server use to communicate? Is your server a standard like a servlet container, or something you made yourself?
 
James Clarke
Ranch Hand
Posts: 148
Hi guys,

thanks for the response. My server is one that I will be writing myself
using RMI working over a Windows NT network.

I was planning on using different remote objects for different types of users but I am not sure if this is the best design?
Anyone have any other suggestions?

thanks,

J.C
 
Jan Groth
Ranch Hand
Posts: 456
well, i might have understood your needs wrongly, but i don't think so.

my approach _always_ is to assign a role to a user. to be more precise: a collection of roles. later, those roles get connected with certain rights. this can be hardcoded by the application or maintainable through any sort of administration UI.

i would not - really not - bother to put anything about rights in the (http?)session or even in the protocol. just make sure that you can identify your user, typically by its id and check everything about his roles and rights on the server-side at run time.

hope it helps,
jan
[ February 14, 2006: Message edited by: Jan Groth ]
 
Stan James
(instanceof Sidekick)
Ranch Hand
Posts: 8791
A "session" is not magical. It's just some state kept on the server related to a particular user. You could make your own Session object and put it in a static HashMap keyed by the user's IP or a token they send on every request or whatever works in your environment. I don't know RMI ... maybe it has something suitable for the key or even the object.

I agree with Jan. A user has roles and a role has rights. At runtime you can ask a simple API if this user has this right: isAuthorized(user,right). You might need userid on the session but the rest of the mappings should be neatly hidden behind the authorization API.

I have to admit I did one system where the client loaded all the rights at startup and didn't have to ask the server after that. But internally it kept the rights private and had the identical isAuthorized() API. Any time the client tried to do something the server double checked the authorization. Don't trust the clients!
 
James Clarke
Ranch Hand
Posts: 148
Hi Guys,

Thanks for the responses but the system I am talking about is a client-server system using RMI, so HTTP session tracking doesn't apply.

And I don't think there is a session tracking mechanism for client-server apps....

thanks,
J.C
 
Henry Wong
author
Sheriff
Posts: 23291
Originally posted by James Clarke:
Hi Guys,
Thanks for the responses but the system I am talking about is a client-server system using RMI, so HTTP session tracking doesn't apply.

And I don't think there is a session tracking mechanism for client-server apps....

thanks,
J.C


Session tracking services are provided with http, mainly because it was a pain to implement. (No real parameters -- either it is cookies or part of the URL)

With RMI, it is not necessary. When you need a session, just create a new handle object that you pass back. Whenever a call is made, the handle is passed back to the server to signify the session. This handle is used by the server to find the state of the session.

Henry
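
An added example, not part of the original thread or any poster's code: a minimal in-process sketch of the handle-per-session idea from Henry's post combined with the server-side isAuthorized(user, right) check Stan and Jan describe. The class, role and right names are hypothetical; RMI export and the password check are omitted, and the record syntax assumes Java 16 or later.

```java
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SessionDemo {
    // Opaque handle returned by login(); Serializable so it could cross an RMI call.
    record SessionHandle(String token) implements Serializable {}
    enum Right { READ_REPORTS, EDIT_RECORDS, MANAGE_USERS }
    static class Server {
        private static final SecureRandom RNG = new SecureRandom();
        // Constructed sample data: user -> roles, role -> rights.
        private final Map<String, Set<String>> userRoles = Map.of(
            "alice", Set.of("admin"), "bob", Set.of("clerk"));
        private final Map<String, Set<Right>> roleRights = Map.of(
            "admin", EnumSet.allOf(Right.class),
            "clerk", EnumSet.of(Right.READ_REPORTS));
        // Session state lives only on the server, keyed by the random token.
        private final Map<String, String> sessions = new ConcurrentHashMap<>();
        SessionHandle login(String userId) { // credential check omitted (assumption)
            if (!userRoles.containsKey(userId)) throw new SecurityException("unknown user");
            byte[] raw = new byte[32];
            RNG.nextBytes(raw); // unguessable token, unlike an IP address or a counter
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(token, userId);
            return new SessionHandle(token);
        }
        boolean isAuthorized(SessionHandle h, Right right) {
            String userId = (h == null || h.token() == null) ? null : sessions.get(h.token());
            if (userId == null) return false; // forged or logged-out handle
            return userRoles.get(userId).stream()
                .anyMatch(role -> roleRights.getOrDefault(role, Set.of()).contains(right));
        }
        // Every operation re-checks on the server; the client never sends its own rights.
        String editRecord(SessionHandle h, String recordId) {
            if (!isAuthorized(h, Right.EDIT_RECORDS)) throw new SecurityException("denied");
            return "edited " + recordId;
        }
        void logout(SessionHandle h) { sessions.remove(h.token()); }
    }
    public static void main(String[] args) {
        Server server = new Server();
        SessionHandle alice = server.login("alice"), bob = server.login("bob");
        System.out.println(server.editRecord(alice, "r-1"));
        System.out.println(server.isAuthorized(bob, Right.EDIT_RECORDS));
        System.out.println(server.isAuthorized(new SessionHandle("guess"), Right.READ_REPORTS));
        server.logout(alice);
        System.out.println(server.isAuthorized(alice, Right.READ_REPORTS));
    }
}
```

The handle carries only a random token, so a client cannot grant itself rights by altering it; removing the map entry at logout invalidates the handle immediately.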
 