Do I need to validate valid sessions on every controller in Spring?

Suppose in a Spring MVC web application we need to check for valid sessions on each controller, or in JSPs too? How can I solve this session management task in MVC? What do we mainly do? What other things can add extra security to my application?

+3
4 answers

We usually check if the session has ended at the filter level and map the filter to the DispatcherServlet, so that all incoming requests that will be processed by Spring are filtered first, thus not allowing any Spring interaction if the session has already expired. If the session has expired, send a redirect to a page where the user will be informed that their session has already expired.

Filter Code Example

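import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyFilter implements Filter {
    ...
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        // getContextPath() and sendRedirect() exist only on the HTTP subtypes
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        if (isSessionExpired(httpRequest)) {
            // Expired: redirect and do not hand the request on to Spring
            httpResponse.sendRedirect(httpRequest.getContextPath() + "/expired.jsp");
            httpResponse.flushBuffer();
        } else {
            // Not yet expired: continue down the chain to the DispatcherServlet
            chain.doFilter(request, response);
        }
    }
    ...
}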

Map to DispatcherServlet in web.xml

    <filter>
        <filter-name>MyFilter</filter-name>
        <filter-class>com.mycompany.ourproject.filter.MyFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>MyFilter</filter-name>
        <servlet-name>springdispatcher</servlet-name>
    </filter-mapping>

    <servlet>
        <servlet-name>springdispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
+2
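The filter above leaves isSessionExpired elided. The following is an added example, not code from the original answer, showing one way to write that check with the standard Servlet API and to separate "session timed out" from "never logged in". It assumes the login code stores the user under the hypothetical session attribute currentUser, and that the login page and its handler sit outside the springdispatcher mapping so they are not blocked.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SessionExpiryFilter implements Filter {

    // Hypothetical attribute name; use whatever your login code actually sets.
    static final String USER_ATTRIBUTE = "currentUser";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    /** True when the browser presented a session id the container no longer knows. */
    static boolean isSessionExpired(HttpServletRequest request) {
        // isRequestedSessionIdValid() is also false when no id was sent at all,
        // so check for a presented id first to tell "expired" from "new visitor".
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    /** True when a live session exists and carries a logged-in user. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute(USER_ATTRIBUTE) != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        if (isSessionExpired(request)) {
            // expired.jsp is served by the container's JSP servlet, not by the
            // dispatcher this filter is mapped to, so the redirect cannot loop.
            response.sendRedirect(request.getContextPath() + "/expired.jsp");
            return;
        }
        if (!isAuthenticated(request)) {
            // A valid but anonymous session is not enough to reach a controller.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(request, response);
    }
}
```

Because the check runs once in the filter, controllers and JSPs behind the dispatcher need no per-request session code of their own.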

Do you want to check the authorization or authentication of each session on each controller? You can use AspectJ.

0

You can look at the Spring reference guide for setting up the session; it's very simple and direct to set up: http://docs.spring.io/autorepo/docs/spring-security/3.0.x/reference/session-mgmt.html

0

No. You do not need to check the correct sessions on every controller in Spring.

Structure

Spring makes session management easier because you can just configure Spring Security in a single XML file, and Spring will take care of session management for you.

Check out these examples on Spring

0