Ok I just answered 1.5 of my questions:

#1- It actually does work, using getThreadLocalRequest().getSession().
My test had failed for an alternate reason.
#4- (second half) Sessions are per-browser, so multiple tabs in the
same browser share sessions, but cross-browser tabs do not.

The other questions remain...

On Jun 22, 9:16 am, Rodrigo <ipi...@gmail.com> wrote:
> Thanks for the response... A few questions come up:
>
> 1. I'm using an HttpServlet for authentication, along with
> RemoteServiceServlets for GWT-RPCs. But if I create an HttpSession in
> my authentication servlet, I cannot seem to access it on the
> RemoteServiceServlet... How am I supposed to access it? Example:
>
> // In authentication HttpServlet
> protected void doGet(HttpServletRequest req, HttpServletResponse resp)
> throws ServletException, IOException {
>       // ...
>       // creates a session if it didn't exist beforehand
>       req.getSession().setAttribute("user", new User("testUser"));
>       // ...
>
> }
>
> // In GWT RPC servlet
> public List<Offer> getOffers(int productId) {
>       // ...
>       // returns null
>       User user = (User) getThreadLocalRequest().getSession().getAttribute("user");
>       // ...
>
> }
>
> 2. Why are you using a MainSession singleton object? I don't see it...
> Wouldn't it also fail once you have multiple users logged in at the
> same time?
>
> 3. In your Main page, you're doing 2 sequential RPC calls before you
> render anything: one to check logged in status, and one to load page
> contents. Is this advisable or could it be avoided somehow? For
> example, the server could set up a cookie with 'loggedIn=true' so that
> you can skip the first RPC at least. And whenever you actually have to
> fetch private content, the server can fail with a
> AuthenticationException if the user is in fact not logged in. So if a
> malicious user fakes the cookie to say he's logged in, the most he'll
> ever see is a 'Logout' button when there shouldn't be one. Any other
> place that needs to show user-specific information would still be
> protected at the server. Does this make sense? What are the drawbacks
> of this?
>
> 4. I assume the SessionTimeoutControl() object just sends an RPC to
> the server every x seconds to check if the session is still alive or
> not, correct? How do HttpSessions work across tabs and browsers? If my
> user has 2 tabs open at my site, does he have 1 or 2 sessions? If it's
> 2 browsers?
>
> Thanks!
>
> On Jun 21, 6:58 pm, Bruno Lopes <bruno.lourenco.lo...@gmail.com>
> wrote:
>
> > Hi, maybe this piece of code can help :) :
>
> > You can use two modules/entries, one for the login, the other after login
>
> > on login
>
> > Client side:
>
> > public void onModuleLoad() {
> >         this.setLoginPanel();
> >         LogUtils.info("Showing Login page");
> >     loginButton = new Button("Login");
> >         loginButton.addListener(new ButtonListenerAdapter() {
> >             public void onClick(Button button, EventObject e) {
> >                 userAuthentication();
> >             }
> >         });
>
> >       .....
>
> > private void userAuthentication() {
> >         if (this.userNameField.getValueAsString().equals(""))
> >             Window.alert("username must not be empty.");
> >         else {
> >             loginService = GWT.create(LoginService.class);
> >             String username = this.userNameField.getValueAsString();
> >             String password = this.passwordField.getValueAsString();
> >             this.loginService.login(username, password,
> >                     new AsyncCallback<LoginResponse>() {
> >                 public void onFailure(Throwable caught) {
> >                     Window.alert("server side failure: " + caught);
> >                 }
> >                 public void onSuccess(LoginResponse result) {
> >                     if (result.isLoginSuccess()){
> >                         Window.Location.replace("./../Main.html?gwt.codesvr=127.0.0.1:9997");
> >                     }
> >                     else Window.alert("username or password invalid.");
> >                 }
> >             });
> >         }
> >     }
>
> > ON SERVER SIDE (the login method):
>
> > public LoginResponse login(String username, String password) {
> >         LoginPService loginService = ServiceLocator.getLoginService();
> >         Person person = null;
>
> >         try {
> >             ManageLogs.info("Try to login for user: "+username);
> >             person = loginService.getUserByUsername(username);
>
> >         if (person == null){
> >             return new LoginResponse(false, false);
> >         } else if (!loginService.checkPassword(password)){
> >             return new LoginResponse(false, false);
> >         }
>
> >         } catch (Throwable e) {
>
> >             return new LoginResponse(false, false);
> >         }
>
> >         ManageLogs.info("Login successful for user: "+username);
>
> >         LoginResponse response = new LoginResponse();
> >         response.setLoginSuccess(true);
>
> >         /* Creates the session */
> >         MainSession mainSession = MainSession.getInstance();
> >         mainSession.setRequest(getThreadLocalRequest());
>
> >         mainSession.setUser(person);
> >         return response;
> >     }
>
> > THE MainSession
>
> > private static MainSession  mainSession=null;
>
> >     public static MainSession getInstance(){
> >         if(mainSession == null){
> >             mainSession = new MainSession();
> >             return mainSession;
> >         } else {
> >             return mainSession;
> >         }
> >     }
>
> >     private MainSession(){
>
> >     }
>
> >     private static final String USER_SESSION = "userSession";
> >     private HttpServletRequest request = null;
> >     private HttpSession session = null;
> >     private String sessionId = "";
>
> >     public Person getUser(){
>
> >         if(null == session) return null;
>
> >         return session.getAttribute(USER_SESSION) != null ?
> >                 (Person)session.getAttribute(USER_SESSION) : null;
>
> >     }
>
> >     public HttpSession getSession(){
> >         return session;
> >     }
>
> >     public void invalidate(){
> >         if(request!=null)
> >             if(request.getSession(false)!= null)
> >                  request.getSession(false).invalidate();
> >         if(null != session){
> >             session.invalidate();
> >             session = null;
> >         }
> >         setSessionId(null);
>
> >     }
>
> >     public void setUser(Person user){
> >         if(null == user){
> >             if(session!=null) session.removeAttribute(USER_SESSION);
> >             return;
> >         }
>
> >         if(null != request)
> >             this.session = request.getSession(true);
>
> >         if(session!=null){
> >             session.setAttribute(USER_SESSION, user);
> >             setSessionId(session.getId());
> >         }
>
> >     }
>
> >     public String getId(){
> >         return request.getSession(false).getId();
> >     }
>
> >     public HttpServletRequest getRequest() {
> >         return request;
> >     }
>
> >     public void setRequest(HttpServletRequest request) {
> >         this.request = request;
> >     }
>
> >     public String getSessionId() {
> >         return sessionId;
> >     }
>
> >     public void setSessionId(String sessionId) {
> >         this.sessionId = sessionId;
> >     }
>
> > ....
>
> > ON THE SECOND ENTRY
>
> > public void onModuleLoad() {
> >         LogUtils.info("Loading Padroes Module");
> >         MainSessionServiceAsync mainSessionService =
> > GWT.create(MainSessionService.class);
>
> >         AsyncCallback<Boolean> callback = new AsyncCallback<Boolean>(){
> >             @Override
> >             public void onFailure(Throwable caught) {
> >                 LogUtils.debug("no session available");
> >                 Window.Location.replace("./../Login.html");
> >             }
>
> >             @Override
> >             public void onSuccess(Boolean result) {
> >                 if(!result){
> >                     LogUtils.debug("no session available");
> >                     Window.Location.replace("./../Login.html");
> >                     return;
> >                 }
>
> >                 LogUtils.info("creating new Session Time Out for this session");
> >                 /* initialize timers for session time out control */
> >                 new SessionTimeOutControl();
>
> >                 /* Creates the layout */
> >                 doLayout();
>
> >             }
> >         };
>
> >         try{
>
> >             mainSessionService.isValidSession(callback);
>
> >         }catch(Exception e){
> >             e.printStackTrace();
>
> >         }
>
> > public void doLayout(){
> >         AsyncCallback<PageConfiguration[]> callback = new
> > AsyncCallback<PageConfiguration[]>(){
> >             @Override
> >             public void onFailure(Throwable caught) {
> >                 LogUtils.debug("server side error on getting PageConfiguration");
> >                 Window.Location.replace("./../Login.html");
> >             }
>
> >             @Override
> >             public void onSuccess(PageConfiguration[] result) {
> >                 mainPanel.setStyleName("panel-border");
> >                 mainPanel.setFrame(true);
> >                 .......
>
> > Hope it helps :)
>
> > 2010/6/21 Jaroslav Záruba <jaroslav.zar...@gmail.com>
>
> > > You don't need to generate session ids, they are generated automatically by
> > > server. You can invalidate session though, as you may notice in HttpSession
> > > API. This results in new session being generated. (I'm not sure though
> > > whether this happens immediately or on following http request. But that can
> > > be
>
> ...

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
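
Added example, not part of the thread and not any poster's code: a sketch of the per-request check that questions 2 and 3 point toward, reading the user from the calling request's own HttpSession instead of a static singleton and treating the `loggedIn` cookie purely as a UI hint. `OfferServiceImpl`, `requireUser`, `establishSession` and the `AuthenticationException` class are assumed names; the servlet and `RemoteServiceServlet` calls are the standard APIs.

```java
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Collections;
import java.util.List;

// Hypothetical checked exception. In a real GWT project it lives in a
// client-translatable (shared) package and is declared in the RPC interface's
// throws clause so it reaches the client's onFailure().
class AuthenticationException extends Exception {
    public AuthenticationException() { }
    public AuthenticationException(String msg) { super(msg); }
}

public class OfferServiceImpl extends RemoteServiceServlet {
    private static final String USER_ATTR = "user"; // attribute name used in the thread

    // Resolve the caller from this request's session only. A static singleton
    // holding one request/session would hand user A's state to user B.
    private Object requireUser() throws AuthenticationException {
        HttpSession session = getThreadLocalRequest().getSession(false); // never create here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            throw new AuthenticationException("not logged in");
        }
        return user;
    }

    // Every RPC that returns private data performs the check itself, so a forged
    // loggedIn cookie changes only what the client chooses to draw.
    public List<String> getOffers(int productId) throws AuthenticationException {
        Object user = requireUser();
        return Collections.singletonList("offers for product " + productId + " as " + user);
    }

    // Call only after the credentials have been verified.
    void establishSession(Object verifiedUser) {
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();                          // discard the pre-login session id
        }
        HttpSession fresh = req.getSession(true);      // container issues a new id
        fresh.setAttribute(USER_ATTR, verifiedUser);

        Cookie hint = new Cookie("loggedIn", "true");  // UI hint; the server never reads it
        hint.setPath("/");
        getThreadLocalResponse().addCookie(hint);
    }
}
```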
