• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

spring 4 session management

 
Greenhorn
Posts: 12
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi All,

I have concern regarding session creation in spring 4. 1. When ever any jsp page is rendered from server, spring creates session. for example url is GET /login, then Login.jsp served and session is automatically created and sent with response.It is affecting my session handling,because i have filter which executes before Dispatcher servlet and checks for the session if session is not active it redirects to login, but after login.jsp page is rendered then it creates session.so once page is passed to user his session gets activated and he can access the protected resource. I can solve this problem by adding some tokens but Is there any way by which we can prevent session creation? I'm using spring 4. I'v tried SessionCreationPolicy.stateless and others but didn't work. How to prevent session creation?





Thanks
 
Ranch Hand
Posts: 499
Spring AngularJS Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hari pandey,

Are you using Spring security? Can you show us the config files you have used?
 
Sheriff
Posts: 67746
173
Mac Mac OS X IntelliJ IDE jQuery TypeScript Java iOS
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
The presence or absence of the session is not the factor upon which to base your security. Use tokens in the session, not the session itself.

Or better yet, don't roll your own security -- use Spring security or container-managed security.
 
Hari pandey
Greenhorn
Posts: 12
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
@Partheban Udayakumar



This is only thing i'm using afa security is concerent and i'v filter where i'm checking session existence in pure servelt way

Please let me know if you need any input
 
Hari pandey
Greenhorn
Posts: 12
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Bear Bibeault wrote:The presence or absence of the session is not the factor upon which to base your security. Use tokens in the session, not the session itself.

Or better yet, don't roll your own security -- use Spring security or container-managed security.



Yes, That is the solution which even i was thinking. But Is there any way by which we can stop spring mvc to create session while rendering the jsp page. As i understand there are two session one created by spring-security and another by spring mvc. If we don't use spring-security one session(security context) is gone. But not sure how to disable session creation by spring mvc. I'm using spring 4.


Please let me know if you need any input.
 
Partheban Udayakumar
Ranch Hand
Posts: 499
Spring AngularJS Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Hari pandey wrote:
This is only thing i'm using afa security is concerent.



Then you must be using Controller to redirect url's to login page. Am I right? Spring has a nice security feature. Please try to learn Spring Security as Bear suggested. There are many popular sites about spring security. One such site is Mkyong. I find this site helpful at beginner level.
 
Hari pandey
Greenhorn
Posts: 12
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Hari pandey wrote:Hi All,

I have concern regarding session creation in spring 4. 1. When ever any jsp page is rendered from server, spring creates session. for example url is GET /login, then Login.jsp served and session is automatically created and sent with response.It is affecting my session handling,because i have filter which executes before Dispatcher servlet and checks for the session if session is not active it redirects to login, but after login.jsp page is rendered then it creates session.so once page is passed to user his session gets activated and he can access the protected resource. I can solve this problem by adding some tokens but Is there any way by which we can prevent session creation? I'm using spring 4. I'v tried SessionCreationPolicy.stateless and others but didn't work. How to prevent session creation?





Thanks



well the problem was with jsp page. JSP page by default always create session. To prevent creation of session simply putting session="false" in jsp page. This solved my problem!
reply
    Bookmark Topic Watch Topic
  • New Topic