Here's the scenario: a web system with user accounts, and as each user logs in, their user info is stored in their session. Now, a user admin can go and change/update people's information - is it possible to search through everybody's session objects to find that user info and update it?
In general, no. However, it is quite possible to instead place an object (such as, for example, a HashMap keyed on userid or sessionid) in the application context rather than the session context. Each user session can then update its own details in the central object, and your admin servlet can have access to all the details from all the user sessions.
Good suggestion. But how would I handle logouts? Assuming that users will just close the browser instead of logging out, how would I know to remove a user's info from the application context? I don't want to write a task that repeatedly checks last user activity every 30 mins. On the other hand, is this the best way to do this? I could just keep permanent data in the session, such as just the user id, but I'd like menu options to show up on the JSPs depending on a user's permissions, which can be modified. [ August 29, 2003: Message edited by: Phil Chuang ]
William Brogden, Author and all-around good cowpoke
Access to all sessions in a servlet context was part of an early version of the servlet API but they quickly realized that it was a security hole. A number of early methods got deprecated - see for instance the getServlet( name ) method. While you are looking at the API, look at the various Listeners such as HttpSessionBindingListener interface for the answer to your tracking the expired sessions problem. Bill
Hi, The following is a partial solution that you may find useful. However, please be advised that if your web application works in a clustered environment you will need to take extra care synchronizing user information.
1. Create a Global Repository class (a Singleton with a HashMap) and helper methods to add/remove/update the HttpSession object based on the user id or the session id, whichever is unique. This is similar to what Frank has mentioned earlier. Alternatively you can also use the ServletContext to store the session information as advised in the earlier posting. In this case the Global Repository becomes a mere convenience wrapper to the ServletContext and provides helper methods as above.
2. Create a Session Cleanup class that implements the HttpSessionBindingListener. The constructor will typically take the session id or the user id, whichever you use to look up the HttpSession from the Global Repository/ServletContext. Since this class implements the HttpSessionBindingListener you must provide implementations of valueBound and valueUnbound. The valueBound is just an empty stub. The valueUnbound is a callback method and gets called when the user session gets invalidated (if HttpSession.invalidate() or session timeout occurs as configured in your web application <session-timeout> element). You can do the required cleanup to remove the user information from the Global Repository (you already have the user/session to look up passed to the C'tor).
3. When you store the user information in the session, also create an instance of Session Cleanup and store it in the HttpSession. Also store the HttpSession in the Global Repository/ServletContext class using the helper methods.
4. Now let us say an Administrator updates some of the user information. The handler code will call a Global Repository helper method that iterates through the collection and finds the HttpSession. It retrieves the user information, compares it against the user id entry, and when it finds the one that matches, updates it as required.
Hope this helps. Good Luck!!!
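A sketch of the listener-based cleanup discussed in this thread, added here as an example and not code from any of the posters. All class names are hypothetical, the `javax.servlet` namespace is assumed (newer containers use `jakarta.servlet`), and this version keeps only user data in the shared map rather than `HttpSession` objects:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;

// Hypothetical names throughout: UserInfo, UserRegistry, SessionCleanup, LoginSupport.
final class UserInfo {
    private volatile String permissions;   // e.g. "reports,users" (constructed sample value)
    UserInfo(String permissions) { this.permissions = permissions; }
    String getPermissions() { return permissions; }
    void setPermissions(String permissions) { this.permissions = permissions; }
}

final class UserRegistry {
    // Shared map of logged-in users, keyed by user id. It holds user data only,
    // so the admin code never gets a reference to another user's HttpSession.
    private static final Map<String, UserInfo> ACTIVE = new ConcurrentHashMap<>();

    static void add(String userId, UserInfo info) { ACTIVE.put(userId, info); }

    // Two-argument remove: drops the entry only if it still belongs to this session,
    // so an old session expiring does not evict a newer login by the same user.
    static void remove(String userId, UserInfo info) { ACTIVE.remove(userId, info); }

    // Called by the admin handler; returns false when the user has no live session.
    static boolean updatePermissions(String userId, String permissions) {
        UserInfo info = ACTIVE.get(userId);
        if (info == null) return false;
        info.setPermissions(permissions);   // the session's own attribute sees the change
        return true;
    }
}

final class SessionCleanup implements HttpSessionBindingListener {
    private final String userId;
    private final UserInfo info;
    SessionCleanup(String userId, UserInfo info) { this.userId = userId; this.info = info; }

    @Override public void valueBound(HttpSessionBindingEvent event) { /* empty stub */ }

    // The container calls this on invalidate() and on <session-timeout> expiry.
    @Override public void valueUnbound(HttpSessionBindingEvent event) {
        UserRegistry.remove(userId, info);
    }
}

final class LoginSupport {
    // Call once after a successful login.
    static void onLogin(HttpSession session, String userId, UserInfo info) {
        session.setAttribute("userInfo", info);
        session.setAttribute("cleanup", new SessionCleanup(userId, info));
        UserRegistry.add(userId, info);
    }
}
```

Because the session attribute and the registry entry are the same `UserInfo` instance, a JSP reading `userInfo` from the session picks up the admin's change on the next request.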