Spring session management

I am trying to build a simple web application. I want to work on session management and security related stuff. Prior to spring framework i have build a web application using front controller model, where I managed the session and user credentials.

Similarly i want to do session management(user login, userlog out, session time out, privilege based access to resource) etc in spring framework. I have searched on net but am not able to find anything useful. I am also currently reading spring in action3, but some how the security part is not that user friendly for me to understand. It concentrated more on login stuff and not on session management. Can someone please point me to good resource.

I was checking out http://spring.io/guides/gs/securing-web/, but i did not find it much useful since it makes use of spring boots and has nothing to do with session management.

Can someone please provide some pointers.

Take a look at Spring MVC, part of the Spring Framework. MVC provides a concept of Interceptors (similar to Servlet filters), where you can manage security and session management.

- Link to Spring MVC Interceptor Example: http://www.mkyong.com/spring-mvc/spring-mvc-handler-interceptors-example/
- Authentication management with Interceptors: http://www.sivalabs.in/2011/06/authentication-checking-using-springmvc.html

You can also take a look at Spring Security, which is also based on Interceptors, for securing an application.

The examples on the spring.io site are invaluable, but there are also a LOT of videos on YouTube for each of these frameworks. Let me know if there is anything more specific I can help with.

I am trying to build a online e-store website. My UI is divided into Header/Body/Footer. In the header section, I have a link login, which call the loginPage() method from below controller and transfers control to login page. In the login page, i have a form with username and password fields. When user enters user name and password, it is validated and user is able to login.

@Controller @SessionAttributes public class LoginController { protected final Log logger = LogFactory.getLog(getClass()); @Inject UserJdbcDaoImpl userJdbcDao; @Inject UserHibernateDaoImpl userHibernateDao; ModelAndView modelAndView; @RequestMapping("/userLogin") public ModelAndView userLogin(User user, BindingResult result, ModelMap model) { user = (User) result.getModel().get("user"); String username = user.getUsername(); String password = user.getPassword(); //User userDb = userJdbcDao.getUserByUserName(username); User userDb = userHibernateDao.getUserByUserName(username); System.out.println("Timestamp:"+new Date()); System.out.println("userDb:"+userDb); if (userDb != null) { String pwdDb = userDb.getPassword(); if (password != null && pwdDb != null && password.equals(pwdDb)) { logger.info("login success"); modelAndView = new ModelAndView("welcome", "command", user); } } else { logger.info("login failure"); modelAndView = new ModelAndView("login", "command", user); } return modelAndView; } @RequestMapping("/login") public ModelAndView loginPage() { ApplicationContext appContext = SpringApplicationContextUtils .getApplicationContext(); return new ModelAndView("login", "command", new User()); } }

Now I want to implement shopping cart, where user can store his items to be purchased. User can choose to login using the above functinality, else when user checks out for payment he should be prompted for login in, otherwise use can browse without login. I want to implement such functionality by harnessing the spring framework functionality. Can you please guide.

It depends on your requirements. Most shopping cart checkouts are a flow (some support multi-cart, some require more steps, some less steps). If this is the case and the login may be required at more than one step in your flow, you can consider an Interceptor to centralize the logic. Otherwise, you can re-direct them to the login page as part of the shopping cart controller.

Also, some best practice / standard suggestions. I would narrow the scope of your @SessionAttributes annotation to the user form object if that is all you plan to store. I would create another component with the @Service annotation and put the logic for getting the user from the database:

public boolean checkAuthentication(String username, String password) { User userDb = userHibernateDao.getUserByUserName(username); if (userDb != null) { String pwdDb = userDb.getPassword(); if (password != null && pwdDb != null && password.equals(pwdDb)) { // Do what you need to return authentication successful } } else { // Do what you need to return authentication failed } }

Hopefully you are encrypting your password in the database? If not, highly recommend that you should, especially in a purchasing capability.

Finally, you may want to add a check to see if the user is already in session; otherwise, you are authenticating them every time.