
I need to validate HttpSession (for Spring MVC Application) in a better way for my current Project.

Here is the Scenario:

1) Once the user is successfully validated, the userObject object is added to the HttpSession class:

```java
HttpSession session = req.getSession(true);
session.setAttribute(AppConstants.LOGGEDIN_PARAM, userDetail);
```

2) Then, for each request, userObject is retrieved from the HttpSession class to validate the user session:

```java
@RequestMapping(value = "/apply", method = RequestMethod.GET)
public String getTourApplyPage(HttpServletRequest req, ModelMap map) {
    UserDetailTO userDetail = (UserDetailTO) req.getSession().getAttribute(AppConstants.LOGGEDIN_PARAM);
    Long employeeId = userDetail.getUserType() == 1 ? userDetail.getEmployeeId() : userDetail.getUserId();
    if (employeeId == 0) {
        req.setAttribute(AppConstants.MSG_PARAM, "Invalid employee Id.");
        return userDetail.getUserType() == 1 ? AppConstants.PIS_MESSAGE : AppConstants.ADMIN_PIS_MESSAGE;
    }
    ...
}
```

There can be better approaches to set the userDetail object inside HttpSession, but I have a restriction not to change this implementation (Point 1).

Is it possible to get a better implementation for getting the userDetail object from HttpSession (Point 2)?

Andrew Tobilko
Ankit
  • You want to add and retrieve from session object for validation...? – Hema Dec 14 '17 at 12:55
  • @Hema I don't want to change the addition to the session object since it's common for the whole application. But I want to change `retrieve from session object for validation`, so that I can avoid the code repetition (for, let's say, 5 methods) for user session validation inside my controller – Ankit Dec 14 '17 at 14:11

1 Answer

> Is it possible to write a better implementation for getting a userDetail object from httpSession?

Working at such a high level of abstraction as controllers are at, you don't necessarily need to inject either an HttpServletRequest or an HttpSession.

You can make your controller session-scoped and inject a session-scoped bean there. The bean can hold a userDetails and a message for failed validations.

```java
@RestController
@Scope("session")
public class Controller {

    @Autowired
    private SessionDetails details;

    @PostMapping(path = "/validate")
    public void validate() {
        details.setUserDetails(...);
    }

    @GetMapping(path = "/apply")
    public String apply() {
        final UserDetailTO userDetails = details.getUserDetails();
        ...
    }

}

@Component
@Scope("session")
class SessionDetails {
    private String message;
    private UserDetailTO userDetails;
    // getters & setters
}
```

Andrew Tobilko
  • Thanks for your answer. Regrets for the late reply. I had a few doubts: 1) how to access on the JSP the message I had set for an invalid session in the controller? 2) what is the use of the `ProxyMode` attribute in the `Scope` annotation? – Ankit Dec 21 '17 at 18:57
  • @Ankit 1) I have not worked with JSP enough to answer. 2) It determines how the proxy will be created (interface-based or subclass-based approach to choose) – Andrew Tobilko Dec 23 '17 at 07:24
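
Another way to take the repeated session lookup out of every handler method, as an added example that is not part of the question or the answer above: a Spring MVC `HandlerInterceptor` that checks the session attribute once per request and fails closed. It assumes Spring 5.x with the `javax.servlet` API; the class names, the session key `"loggedInUser"` (standing in for `AppConstants.LOGGEDIN_PARAM`), the request attribute `currentUser` and the `/login` and `/validate` paths are hypothetical.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Blocks any request that carries no user object in an already existing session. */
class LoggedInUserInterceptor implements HandlerInterceptor {

    /** Request attribute under which handlers find the validated user (hypothetical name). */
    static final String CURRENT_USER = "currentUser";

    private final String sessionKey; // in the question's app: AppConstants.LOGGEDIN_PARAM
    private final String loginPath;  // hypothetical login URL

    LoggedInUserInterceptor(String sessionKey, String loginPath) {
        this.sessionKey = sessionKey;
        this.loginPath = loginPath;
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws Exception {
        // getSession(false): do not create a session for an unauthenticated caller.
        HttpSession session = req.getSession(false);
        Object user = (session == null) ? null : session.getAttribute(sessionKey);
        if (user == null) {
            res.sendRedirect(req.getContextPath() + loginPath);
            return false; // the handler method is never invoked
        }
        req.setAttribute(CURRENT_USER, user); // hand the validated user to the handler
        return true;
    }
}

@Configuration
class SessionCheckConfig implements WebMvcConfigurer {
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // Protect everything by default; list only the public endpoints as exclusions.
        registry.addInterceptor(new LoggedInUserInterceptor("loggedInUser", "/login"))
                .addPathPatterns("/**")
                .excludePathPatterns("/login", "/validate");
    }
}
```

A handler can then declare `@RequestAttribute("currentUser") UserDetailTO userDetail` as a parameter instead of reading the session itself, and it is only reached when a logged-in user exists.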