
display the number of users who have logged in to a JSF application during the past hour

Fernando Guerrero
Greenhorn
Hello,


I had one java/jsf phone interview and there was one question that I didn't know how to answer.
This was the question:

Suppose you have a web application written in JSF. After the user logs in, the user is taken to the main page. On this page the user can see the number of users who have logged in in the past hour. What technique would you use in order to display that information?

I answered that the application would save in the database which user logged in and at what time the user logged in. In this way we could use a query to count the number of users who have logged in during the past hour and display that information on the main page.

But the interviewer told me that he wanted a different technique, one where we don't have to query information from a database. I didn't know what to say; I couldn't think of any other way to get that information and display it.

Is there any other technique to get the number of users?

Thanks in advance.
Fernando

 
Tim Holloway
Bartender
Your interviewer is full of

It seems rather apparent that they expect you to be working with a user-defined login subsystem. The technical term for such systems is "pwned". I'm NOT kidding. I've worked with J2EE since before they invented JSPs and we had to carve HTML on stone tablets in servlets. And of all the systems I've seen since doing so, virtually every one of the apps that used DIY login code could be broken into in under 15 minutes and usually without the need for specialized technical skill or knowledge. Meaning that even dumb users could accidentally stumble past security. And that includes the "security systems" designed by the local in-house "geniuses".

Security on the Internet is a serious matter and shouldn't be left to amateurs. And by "amateurs" I mean essentially anyone who isn't a trained professional who's working full-time on the security code, not someone who thinks they're clever and does it in addition to "more important" duties. This is a chain where a single weak link makes it all wasted effort. So unless you want all your corporate secrets to end up in Serbia overnight, use one of the frameworks that were designed - and vetted - by security professionals. There's one built right into the J2EE standard, and it's implemented on every last J2EE and JEE server I've ever encountered. Even the lightweight ones like Tomcat and jetty.

Having said all that, here's how it applies in terms of your interview question.

The J2EE Container-Managed security subsystem is, like its name implies, handled by the container (a/k/a webapp server). That means that you don't really log into the web application, you log into a Security Realm. The Realms are generally implemented using plug-replaceable Realm implementation components. For example, on Tomcat, the server comes out of the box supplied with a Realm module for a JDBC/SQL database-backed credential store, an LDAP/Active Directory credential store, a simple XML file-based credential store (useful for testing), and so forth.

Then there's the Single Sign-on type of Realm, like the popular third-party CAS realm created at Yale. When using an SSO Realm, you not only don't log in to a single webapp, you may have logged into some other app on some other server that's also in that particular Realm instance. Or for that matter you could be using a Realm whose "login" time was the moment you logged into Windows, long before you first visited the webapp in question.

Which is why, although the J2EE spec provides a number of security functions and APIs, it doesn't support a "login listener".

Because of this, if I have a webapp and I want to know when a given user first accesses it in a secured (post-login) mode, I generally add a Servlet Filter that checks incoming HttpServletRequests. You can tell when a user's logged in because the getRemoteUser() method will return a non-null value (as will the getUserPrincipal() method). The transition point, then, is when for a given session, the user ID stops being null. In an SSO environment, that may not be the actual time of login, but it will be the time that the first request is made to that particular app since logging in, so that's as good as the app can get.

To determine logout times for a given webapp, a SessionListener method can be implemented, since destroying a session effectively logs out a user. So to capture who's logged in and when, these two methods can be used to store information in an Application-scope object (say, a Hashtable with user IDs for keys and timestamps for values), or captured permanently to a database.
 
Uwe Lindenberg
Ranch Hand
Hi,

Perhaps they can use an @ApplicationScoped managed bean. Only the number was asked, wasn't it?

Best regards,

Uwe
 
Tim Holloway
Bartender
You are correct. Since the scope is "in the last hour", there's no need for a permanent and persistent storage mechanism and Application Scope would definitely work.

The question is misleading, since it says "how would you display" and displaying is the least complicated part of this.
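As an added example that is not part of the thread (it is an illustration of the design Tim describes in his first reply, a Servlet Filter catching the moment getRemoteUser() stops being null plus a session listener for logout, combined with the @ApplicationScoped bean Uwe suggests; it is not code from either poster), here is one way to wire this up on a Servlet 3.0 / JSF 2.x container that uses container-managed authentication. The package, class and bean names are assumed, and the four pieces are nested in one file only to keep the example self-contained; in a real project each would live in its own file.

```java
package example.activeusers; // assumed package name

import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.faces.bean.ApplicationScoped;
import javax.faces.bean.ManagedBean;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.*;

/**
 * Counts users whose first authenticated request to this webapp fell within
 * the last hour. The identity comes from the container (getRemoteUser()),
 * so no DIY login code and no database query is involved.
 */
@ManagedBean(name = "activeUsers")   // assumed bean name
@ApplicationScoped
public class ActiveUserBean {

    private static final Duration WINDOW = Duration.ofHours(1);

    /** Bound in a Facelets page as #{activeUsers.loggedInLastHour}; exposes the count only, never the IDs. */
    public long getLoggedInLastHour() {
        return Registry.countLoggedInWithin(WINDOW, Instant.now());
    }

    /** Application-wide store: user id -> instant of the first authenticated request in its session. */
    static final class Registry {
        private static final Map<String, Instant> LOGIN_TIMES = new ConcurrentHashMap<>();

        private Registry() {}

        static void recordLogin(String user, Instant when) {
            // Keyed by user id, not session id, so one person with two browsers counts once.
            LOGIN_TIMES.put(user, when);
        }

        static void recordLogout(String user) {
            LOGIN_TIMES.remove(user);
        }

        /** Distinct users with a recorded login at or after (now - window). */
        static long countLoggedInWithin(Duration window, Instant now) {
            Instant cutoff = now.minus(window);
            return LOGIN_TIMES.values().stream()
                    .filter(t -> !t.isBefore(cutoff))
                    .count();
        }
    }

    /** Detects the first request in a session for which the container reports a principal. */
    @WebFilter("/*")
    public static final class LoginFilter implements Filter {
        static final String MARK = "activeUsers.user"; // session attribute holding the recorded user id

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            // Non-null only once the container (realm, SSO, ...) has authenticated the caller.
            String user = http.getRemoteUser();
            if (user != null) {
                HttpSession session = http.getSession();
                if (session.getAttribute(MARK) == null) {
                    // Transition point: the remote user stopped being null for this session.
                    session.setAttribute(MARK, user);
                    Registry.recordLogin(user, Instant.now());
                }
            }
            chain.doFilter(req, res);
        }

        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}
    }

    /** Session destruction (explicit invalidate() on logout, or timeout) is the closest thing to a logout event. */
    @WebListener
    public static final class LogoutListener implements HttpSessionListener {
        @Override public void sessionCreated(HttpSessionEvent e) {}

        @Override
        public void sessionDestroyed(HttpSessionEvent e) {
            Object user = e.getSession().getAttribute(LoginFilter.MARK);
            if (user != null) {
                Registry.recordLogout((String) user);
            }
        }
    }
}
```

Two choices in this example are worth stating. Removing the entry on session destruction means the page shows users who are still in a session and whose first authenticated request was within the hour; if "logged in during the past hour" should also cover people who have since logged out, keep the entry on logout and instead prune entries older than the window inside countLoggedInWithin. And, as Tim notes for SSO realms, the recorded instant is the first request to this app after authentication, not the realm's own login time; the filter cannot see anything earlier.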
 