5

I am seeing the concept of Interceptors in Struts2. I have seen the below example from a tutorial on Struts2.

In this example the author uses an interceptor to check the credentials by accessing the HttpSession and checks for USER_KEY in it.

Is it a bad idea to access the HttpSession in the interceptor itself? I guess interceptors are simple servlet filters in Java EE programming.

I feel the best place to get access to HttpSession is inside the action class in Struts2.

Please correct me in case I am wrong.

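```java
import java.util.Map;

// Struts 2.x package names (xwork2)
import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.ValidationAware;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class AuthorizationInterceptor extends AbstractInterceptor {

    private static final String USER_KEY = "user";

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        // Session attributes exposed as a Map; no servlet API involved
        Map<String, Object> session = invocation.getInvocationContext().getSession();
        if (session.get(USER_KEY) == null) {
            addActionError(invocation, "You must be authenticated to access this page");
            return Action.ERROR;
        }

        // Authenticated: continue down the interceptor stack to the action
        return invocation.invoke();
    }

    // Only actions that implement ValidationAware can carry the error message
    private void addActionError(ActionInvocation invocation, String message) {
        Object action = invocation.getAction();
        if (action instanceof ValidationAware) {
            ((ValidationAware) action).addActionError(message);
        }
    }
}
```
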
Arjan Tijms
Pawan

2 Answers

6

Accessing the HttpSession from interceptors is perfectly fine; accessing it in an action is actively discouraged.

Controlling access through an interceptor is a perfect use-case. Access control generally affects large portions of applications. Isolating it in an interceptor keeps the mainline code cleaner. Interceptors are the most appropriate place to interface with servlet spec artifacts like the session.

Actions may access session attributes through the SessionAware interface. It exposes only a Map<String, Object> of the attributes. This keeps the action decoupled from the servlet specification, making testing easier.

Dave Newton
  • So you mean to say: keep session access code inside interceptors only? – Pawan Sep 14 '11 at 12:47
  • No, I mean access the session wherever you need it, but do it appropriately. Most actions only ever need the session attributes, so implementing [`SessionAware`](http://struts.apache.org/2.x/struts2-core/apidocs/org/apache/struts2/interceptor/SessionAware.html) is the most session most actions would ever need. That interface is meaningless in interceptors, so usually `ActionContext` is the way to go. – Dave Newton Sep 14 '11 at 12:57
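
The answer above notes that access control usually covers large portions of an application. As an added example (not part of the original question or answers), this `struts.xml` makes the question's interceptor the default for a whole package, so new actions are protected unless they opt out. The package names, namespaces, `com.example` classes other than the interceptor's simple name, and JSP paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN"
    "http://struts.apache.org/dtds/struts-2.0.dtd">
<struts>
    <!-- Public package: stock defaultStack only, so the login form stays reachable. -->
    <package name="public" namespace="/" extends="struts-default">
        <!-- Hypothetical action that stores the "user" session attribute on success. -->
        <action name="login" class="com.example.LoginAction">
            <result name="success" type="redirectAction">
                <param name="actionName">dashboard</param>
                <param name="namespace">/secure</param>
            </result>
            <result name="input">/WEB-INF/jsp/login.jsp</result>
        </action>
    </package>

    <!-- Protected package: every action here inherits the session check. -->
    <package name="secure" namespace="/secure" extends="struts-default">
        <interceptors>
            <interceptor name="authorization"
                         class="com.example.AuthorizationInterceptor"/>
            <interceptor-stack name="secureStack">
                <!-- Runs first, so an unauthenticated request is rejected
                     before the params interceptor binds any request data. -->
                <interceptor-ref name="authorization"/>
                <interceptor-ref name="defaultStack"/>
            </interceptor-stack>
        </interceptors>
        <default-interceptor-ref name="secureStack"/>

        <global-results>
            <!-- The interceptor returns Action.ERROR ("error") when USER_KEY is absent. -->
            <result name="error">/WEB-INF/jsp/login.jsp</result>
        </global-results>

        <!-- Hypothetical protected action; it declares no interceptor-ref of its own. -->
        <action name="dashboard" class="com.example.DashboardAction">
            <result>/WEB-INF/jsp/dashboard.jsp</result>
        </action>
    </package>
</struts>
```

An action that declares its own `<interceptor-ref>` replaces the package default, so such an action must reference `secureStack` explicitly or it runs without the check.
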
2

If you want to access the real HttpSession inside an interceptor, you may acquire it by:

```java
HttpSession session = ServletActionContext.getRequest().getSession();
```

P.S. I know my answer is too late for your question, but it may help others, I hope =)

Yan Pak
  • But you *shouldn't*, in almost all circumstances, because this is what `SessionAware` is for. Accessing the session directly breaks isolation and ties your action to the servlet spec. – Dave Newton Mar 03 '20 at 15:59