Ok I just answered 1.5 of my questions:

#1- It actually does work, using getThreadLocalRequest().getSession(). My test had failed for an alternate reason.

#4- (second half) Sessions are per-browser, so multiple tabs in the same browser share sessions, but cross-browser tabs do not.

The other questions remain...

On Jun 22, 9:16 am, Rodrigo <ipi...@gmail.com> wrote:
> Thanks for the response... A few questions come up:
>
> 1. I'm using an HttpServlet for authentication, along with
> RemoteServiceServlets for GWT-RPCs. But if I create an HttpSession in
> my authentication servlet, I cannot seem to access it on the
> RemoteServiceServlet... How am I supposed to access it? Example:
>
> // In authentication HttpServlet
> protected void doGet(HttpServletRequest req, HttpServletResponse resp)
>         throws ServletException, IOException {
>     // ...
>     req.getSession().setAttribute("user", new User("testUser")); // creates a session if it didn't exist beforehand
>     // ...
> }
>
> // In GWT RPC servlet
> public List<Offer> getOffers(int productId) {
>     // ...
>     User user = (User) getThreadLocalRequest().getSession().getAttribute("user"); // returns null
>     // ...
> }
>
> 2. Why are you using a MainSession singleton object? I don't see it...
> Wouldn't it also fail once you have multiple users logged in at the
> same time?
>
> 3. In your Main page, you're doing 2 sequential RPC calls before you
> render anything: one to check logged in status, and one to load page
> contents. Is this advisable or could it be avoided somehow? For
> example, the server could set up a cookie with 'loggedIn=true' so that
> you can skip the first RPC at least. And whenever you actually have to
> fetch private content, the server can fail with an
> AuthenticationException if the user is in fact not logged in. So if a
> malicious user fakes the cookie to say he's logged in, the most he'll
> ever see is a 'Logout' button when there shouldn't be one. Any other
> place that needs to show user-specific information would still be
> protected at the server. Does this make sense? What are the drawbacks
> of this?
>
> 4. I assume the SessionTimeoutControl() object just sends an RPC to
> the server every x seconds to check if the session is still alive or
> not, correct? How do HttpSessions work across tabs and browsers? If my
> user has 2 tabs open at my site, does he have 1 or 2 sessions? If it's
> 2 browsers?
>
> Thanks!
>
> On Jun 21, 6:58 pm, Bruno Lopes <bruno.lourenco.lo...@gmail.com>
> wrote:
> > Hi, maybe this piece of code can help :) :
> >
> > You can use two modules/entries, one for the login, the other after login
> >
> > on login
> >
> > Client side:
> >
> > public void onModuleLoad() {
> >     this.setLoginPanel();
> >     LogUtils.info("Showing Login page");
> >     loginButton = new Button("Login");
> >     loginButton.addListener(new ButtonListenerAdapter() {
> >         public void onClick(Button button, EventObject e) {
> >             userAuthentication();
> >         }
> >     });
> >
> >     .....
> >
> > private void userAuthentication() {
> >     if (this.userNameField.getValueAsString().equals(""))
> >         Window.alert("username must not be empty.");
> >     else {
> >         loginService = GWT.create(LoginService.class);
> >         String username = this.userNameField.getValueAsString();
> >         String password = this.passwordField.getValueAsString();
> >         this.loginService.login(username, password,
> >             new AsyncCallback<LoginResponse>() {
> >                 public void onFailure(Throwable caught) {
> >                     Window.alert("server side failure: " + caught);
> >                 }
> >                 public void onSuccess(LoginResponse result) {
> >                     if (result.isLoginSuccess()){
> >                         Window.Location.replace("./../Main.html?gwt.codesvr=127.0.0.1:9997");
> >                     }
> >                     else Window.alert("username or password invalid.");
> >                 }
> >             });
> >     }
> > }
> >
> > ON SERVER SIDE (the login method):
> >
> > public LoginResponse login(String username, String password) {
> >     LoginPService loginService = ServiceLocator.getLoginService();
> >     Person person = null;
> >
> >     try {
> >         ManageLogs.info("Try to login for user: "+username);
> >         person = loginService.getUserByUsername(username);
> >
> >         if (person == null){
> >             return new LoginResponse(false, false);
> >         } else if (!loginService.checkPassword(password)){
> >             return new LoginResponse(false, false);
> >         }
> >
> >     } catch (Throwable e) {
> >
> >         return new LoginResponse(false, false);
> >     }
> >
> >     ManageLogs.info("Login sucessful for user: "+username);
> >
> >     LoginResponse response = new LoginResponse();
> >     response.setLoginSuccess(true);
> >
> >     /* Creates the session */
> >     MainSession padroesSession = mainSession.getInstance();
> >     mainSession.setRequest(getThreadLocalRequest());
> >
> >     mainSession.setUser(person);
> >     return response;
> > }
> >
> > THE MainSession
> >
> > private static MainSession mainSession=null;
> >
> > public static MainSession getInstance(){
> >     if(mainSession == null){
> >         mainSession = new MainSession();
> >         return mainSession;
> >     } else {
> >         return mainSession;
> >     }
> > }
> >
> > private MainSession(){
> >
> > }
> >
> > private static final String USER_SESSION = "userSession";
> > private HttpServletRequest request = null;
> > private HttpSession session = null;
> > private String sessionId = "";
> >
> > public Person getUser(){
> >
> >     if(null == session) return null;
> >
> >     return session.getAttribute(USER_SESSION) != null ?
> >         (Person)session.getAttribute(USER_SESSION) : null;
> >
> > }
> >
> > public HttpSession getSession(){
> >     return session;
> > }
> >
> > public void invalidate(){
> >     if(request!=null)
> >         if(request.getSession(false)!= null)
> >             request.getSession(false).invalidate();
> >     if(null != session){
> >         session.invalidate();
> >         session = null;
> >     }
> >     setSessionId(null);
> >
> > }
> >
> > public void setUser(Person user){
> >     if(null == user){
> >         if(session!=null) session.removeAttribute(USER_SESSION);
> >         return;
> >     }
> >
> >     if(null != request)
> >         this.session = request.getSession(true);
> >
> >     if(session!=null){
> >         session.setAttribute(USER_SESSION, user);
> >         setSessionId(session.getId());
> >     }
> >
> > }
> >
> > public String getId(){
> >     return request.getSession(false).getId();
> > }
> >
> > public HttpServletRequest getRequest() {
> >     return request;
> > }
> >
> > public void setRequest(HttpServletRequest request) {
> >     this.request = request;
> > }
> >
> > public String getSessionId() {
> >     return sessionId;
> > }
> >
> > public void setSessionId(String sessionId) {
> >     this.sessionId = sessionId;
> > }
> >
> > ....
> >
> > ON THE SECOND ENTRY
> >
> > public void onModuleLoad() {
> >     LogUtils.info("Loading Padroes Module");
> >     MainSessionServiceAsync mainSessionService =
> >         GWT.create(MainSessionService.class);
> >
> >     AsyncCallback<Boolean> callback = new AsyncCallback<Boolean>(){
> >         @Override
> >         public void onFailure(Throwable caught) {
> >             LogUtils.debug("no session available");
> >             Window.Location.replace("./../Login.html");
> >         }
> >
> >         @Override
> >         public void onSuccess(Boolean result) {
> >             if(!result){
> >                 LogUtils.debug("no session available");
> >                 Window.Location.replace("./../Login.html");
> >                 return;
> >             }
> >
> >             LogUtils.info("creating new Session Time Out for this session");
> >             /* initialize timers for session time out control */
> >             new SessionTimeOutControl();
> >
> >             /* Creates the layout */
> >             doLayout();
> >
> >         }
> >     };
> >
> >     try{
> >
> >         mainSessionService.isValidSession(callback);
> >
> >     }catch(Exception e){
> >         e.printStackTrace();
> >
> >     }
> > }
> >
> > public void doLayout(){
> >     AsyncCallback<PageConfiguration[]> callback = new
> >         AsyncCallback<PageConfiguration[]>(){
> >         @Override
> >         public void onFailure(Throwable caught) {
> >             LogUtils.debug("server side error on getting PageConfiguration");
> >             Window.Location.replace("./../Login.html");
> >         }
> >
> >         @Override
> >         public void onSuccess(PageConfiguration[] result) {
> >             mainPanel.setStyleName("panel-border");
> >             mainPanel.setFrame(true);
> >             .......
> >
> > Hope it helps :)
> >
> > 2010/6/21 Jaroslav Záruba <jaroslav.zar...@gmail.com>
> >
> > > You don't need to generate session ids, they are generated
> > > automatically by server. You can invalidate session though, as you
> > > may notice in HttpSession API. This results in new session being
> > > generated. (I'm not sure though whether this happens immediately or
> > > on following http request. But that can be
> > ...

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
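
An added example, not part of the original thread: a JDK-only model of question 2 above, showing one static holder shaped like the posted MainSession serving two logged-in users, next to a per-request lookup in the style of getThreadLocalRequest().getSession(). Session, CONTAINER, SharedHolder and the user names are constructed stand-ins for HttpSession and the servlet container, and SecurityException stands in for the AuthenticationException mentioned in question 3.

```java
import java.util.HashMap;
import java.util.Map;

/** Constructed model (no servlet container): one shared session holder vs. per-request lookup. */
public class SessionHolderDemo {

    /** Stand-in for HttpSession: an id plus named attributes. */
    static final class Session {
        final String id;
        final Map<String, Object> attrs = new HashMap<>();
        Session(String id) { this.id = id; }
    }

    /** Stand-in for the container's session table, keyed by the session cookie value. */
    static final Map<String, Session> CONTAINER = new HashMap<>();

    /** Same shape as the thread's MainSession: one instance and one session field per JVM. */
    static final class SharedHolder {
        static final SharedHolder INSTANCE = new SharedHolder();
        private Session session;                    // overwritten by every login
        void setUser(Session s, String user) { session = s; s.attrs.put("userSession", user); }
        String getUser() { return session == null ? null : (String) session.attrs.get("userSession"); }
    }

    /** Login: the container creates a session and the shared holder also remembers it. */
    static String login(String user) {
        Session s = new Session("sid-" + user);     // constructed id; real ids are random
        CONTAINER.put(s.id, s);
        SharedHolder.INSTANCE.setUser(s, user);
        return s.id;                                // value the browser sends back as its cookie
    }

    /** Flawed lookup: the answer does not depend on which request is asking. */
    static String userViaSingleton(String cookie) { return SharedHolder.INSTANCE.getUser(); }

    /** Per-request lookup: resolve the caller's own session, fail closed if there is none. */
    static String userViaRequest(String cookie) {
        Session s = CONTAINER.get(cookie);
        if (s == null) throw new SecurityException("not logged in");
        return (String) s.attrs.get("userSession");
    }

    public static void main(String[] args) {
        String aliceCookie = login("alice");
        login("bob");                               // a second user logs in afterwards
        System.out.println("singleton, alice's request:   " + userViaSingleton(aliceCookie));
        System.out.println("per-request, alice's request: " + userViaRequest(aliceCookie));
        try { userViaRequest("unknown-cookie"); }
        catch (SecurityException e) { System.out.println("unknown cookie: " + e.getMessage()); }
    }
}
```

With the shared holder, alice's request resolves to bob, the last user to log in; the per-request lookup returns alice and rejects a cookie the container does not know.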