I am trying to build a simple web application. I want to work on session management and security-related stuff. Prior to the Spring framework I had built a web application using the front controller model, where I managed the session and user credentials.
Similarly I want to do session management (user login, user logout, session timeout, privilege-based access to resources) etc. in the Spring framework. I have searched on the net but am not able to find anything useful. I am also currently reading Spring in Action 3, but somehow the security part is not that user-friendly for me to understand. It concentrates more on login stuff and not on session management. Can someone please point me to a good resource?
I am trying to build an online e-store website. My UI is divided into Header/Body/Footer. In the header section, I have a login link, which calls the loginPage() method from the controller below and transfers control to the login page. In the login page, I have a form with username and password fields. When the user enters the username and password, it is validated and the user is able to log in.
Now I want to implement a shopping cart, where the user can store the items to be purchased. The user can choose to log in using the above functionality; otherwise, when the user checks out for payment he should be prompted to log in, and until then the user can browse without logging in. I want to implement such functionality by harnessing the Spring framework functionality. Can you please guide me?
It depends on your requirements. Most shopping cart checkouts are a flow (some support multi-cart, some require more steps, some fewer steps). If this is the case and the login may be required at more than one step in your flow, you can consider an Interceptor to centralize the logic. Otherwise, you can redirect them to the login page as part of the shopping cart controller.
Also, some best practice / standard suggestions. I would narrow the scope of your @SessionAttributes annotation to the user form object if that is all you plan to store. I would create another component with the @Service annotation and put the logic for getting the user from the database:
Hopefully you are encrypting your password in the database? If not, I highly recommend that you should, especially in a purchasing capability.
Finally, you may want to add a check to see if the user is already in session; otherwise, you are authenticating them every time.
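The following is an added example in Java for Spring MVC (it is not code from the question or the answer) that puts the answer's suggestions together: an interceptor that demands a logged-in user only on the URLs it is mapped to (for example `/checkout/**` through `<mvc:interceptors>`), so anonymous browsing is untouched and an already-authenticated session is not re-authenticated; a `@Service` that verifies passwords against a salted PBKDF2 hash rather than a stored plaintext; and a helper that replaces the pre-login session id when a login succeeds. The names `currentUser`, `returnTo`, `/login`, `UserService`, `establishSession` and the iteration count are assumptions of this example, and the database lookup of the user record is left out.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.stereotype.Service;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.ModelAndView;

// --- LoginRequiredInterceptor.java (assumed file name) ---
// Centralised login check. Map it only to the URLs that need a user
// (e.g. /checkout/** via <mvc:interceptors>), so browsing stays anonymous.
public class LoginRequiredInterceptor implements HandlerInterceptor {
    public static final String USER_ATTR = "currentUser";   // assumed session attribute
    public static final String RETURN_TO_ATTR = "returnTo"; // assumed session attribute

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse resp, Object handler)
            throws IOException {
        HttpSession session = req.getSession(false);   // do not create a session just to look
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            return true;                               // already logged in: no re-authentication
        }
        // Remember the requested page (a same-site request URI, not a user-supplied URL)
        // and send the user to the login page instead of the handler.
        req.getSession(true).setAttribute(RETURN_TO_ATTR, req.getRequestURI());
        resp.sendRedirect(req.getContextPath() + "/login");
        return false;
    }

    @Override
    public void postHandle(HttpServletRequest req, HttpServletResponse resp, Object handler,
                           ModelAndView mav) { }

    @Override
    public void afterCompletion(HttpServletRequest req, HttpServletResponse resp, Object handler,
                                Exception ex) { }
}

// --- UserService.java (assumed file name) ---
// Holds the credential logic so the controller stays thin.
@Service
public class UserService {
    private static final int ITERATIONS = 100_000;     // assumed work factor; tune per hardware
    private static final int SALT_BYTES = 16;
    private static final int KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Storage format: iterations:base64(salt):base64(hash). Store this, never the password.
    public String hashPassword(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] dk = derive(password, salt, ITERATIONS);
        return ITERATIONS + ":" + Base64.getEncoder().encodeToString(salt)
                + ":" + Base64.getEncoder().encodeToString(dk);
    }

    // Recomputes the hash with the stored salt and compares in constant time.
    public boolean passwordMatches(char[] password, String stored) {
        String[] parts = stored.split(":");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        return MessageDigest.isEqual(expected, derive(password, salt, iterations));
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    // Call after a successful password check: discard the pre-login session id so a
    // session fixed before login is not carried over, then record the user.
    public static void establishSession(HttpServletRequest req, Object user) {
        HttpSession old = req.getSession(false);
        Object returnTo = old == null ? null : old.getAttribute(LoginRequiredInterceptor.RETURN_TO_ATTR);
        if (old != null) old.invalidate();
        HttpSession fresh = req.getSession(true);
        fresh.setAttribute(LoginRequiredInterceptor.USER_ATTR, user);
        if (returnTo != null) fresh.setAttribute(LoginRequiredInterceptor.RETURN_TO_ATTR, returnTo);
    }
}
```

The login controller then only needs to look up the record, call `passwordMatches`, and on success call `establishSession` and redirect to the saved `returnTo` (falling back to the home page); a session timeout is set once on the servlet container or via `session.setMaxInactiveInterval`, not in each controller.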