3

In PHP when a user logs into her account, I do the following in order to remember the user as she navigates through the site:

session_start();
...
$_SESSION['username'] = $username;

On any other page that may require sensitive data, I check that $_SESSION['username'] is valid.

When a user logs out, I do the following:

unset($_SESSION['username']);
session_destroy();

How do I do the same thing in Java? I have a REST API which uses Jersey and EJB. In case the following is important, I am persisting with JPA, Hibernate, Glassfish, and MySQL.

UPDATED FOR VERIFICATION:

Is this correct?

import javax.ejb.EJB;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.xml.bind.JAXBElement;

@Path("login")
public class UserLoginResource {

  @EJB
  private LoginDao loginDao;          // my EJB that checks the credentials

  @Context
  HttpServletRequest request;         // injected by Jersey for the current request

  @POST
  public Response login(JAXBElement<Login> jaxbLogin) {
    Login login = jaxbLogin.getValue();
    loginDao.authenticateUserLogin(login);
    HttpSession session = request.getSession();            // created by the container if absent
    session.setAttribute("username", login.getUsername()); // same role as $_SESSION['username']
    return Response.ok().build();
  }
}
kasavbere

2 Answers

3

Java is very different from PHP. In Java you will get the session only from HttpRequest's getSession() method. In PHP it is always assumed that your code is run by some server (i.e. Apache); in Java, you will obtain it from the servlet container (i.e. Apache Tomcat).

You do not have to start a session in Java, unlike PHP. As long as you are in a servlet container and making a request, the servlet container is responsible for starting a session for this client if there is none for it.

So for the above actions:

    request.getSession().setAttribute("username", "Elbek");
    // later
    request.getSession().removeAttribute("username");

    // destroy it
    request.getSession().invalidate();

Here request is an object of the HttpRequest class.

You may have a look at this: HttpSession

I strongly recommend you have a look at Java scopes.

There is no such thing in PHP. I wish there were, BUT there is NOT.

Here is how you get the request object into your Jersey action (method), i.e. by injecting @Context HttpServletRequest httpRequest.

EDIT: You do not create the HttpRequest object yourself. Instead you get it from the servlet container: your server creates it from the client's request and gives it to you.

Elbek
  • Thanks for the reply. I am still trying to get it to work. In the php version I discuss, the server is able to distinguish between 1000 users and understand that `$_SESSION['username']` is different for each user. Does the java version also do that? I am reading all over the place and may be confusing myself a bit. – kasavbere Oct 10 '12 at 22:41
  • Of course Java does. The HTTP session concept is the same no matter what language. – Elbek Oct 10 '12 at 23:01
  • To make sure I get it correct, I have included the code in my original post. Does it look correct? Basically, in the other web services, I will call `session.getAttribute("username")` to check matching username. Thanks. – kasavbere Oct 10 '12 at 23:31
  • It looks good. Here `HttpSession session = request.getSession();`: do you have the `request` object? I am not fully familiar with Jersey's injection. If you have the request object, then the rest is good. – Elbek Oct 11 '12 at 01:32
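An added example (not the asker's or Elbek's code) that puts the pieces of this answer together with the two checks the question's login code lacks: it stores the username only when LoginDao reports success, and it discards any session that existed before authentication so that a session id issued to an anonymous client cannot be reused after login. It assumes the asker's `LoginDao.authenticateUserLogin` returns `boolean` (the question does not show its signature) and reuses the `Login` class from the question.

```java
import javax.ejb.EJB;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import javax.xml.bind.JAXBElement;

@Path("session")
public class SessionResource {
    static final String USER_ATTR = "username";

    @EJB private LoginDao loginDao;       // the asker's DAO; assumed here to return boolean
    @Context private HttpServletRequest request;
    // Called only after the credentials are verified. Any session that existed before
    // login is discarded, so an id issued to an anonymous client is never promoted to an
    // authenticated session (session fixation).
    static void startAuthenticatedSession(HttpServletRequest req, String username) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();
        req.getSession(true).setAttribute(USER_ATTR, username); // fresh id, empty attributes
    }
    // Logged-in username, or null. getSession(false) avoids creating a session for
    // anonymous callers; the other resources should call this before serving data.
    static String authenticatedUser(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        Object user = session == null ? null : session.getAttribute(USER_ATTR);
        return user instanceof String ? (String) user : null;
    }
    @POST @Path("login")
    public Response login(JAXBElement<Login> jaxbLogin) {
        Login login = jaxbLogin.getValue();
        if (!loginDao.authenticateUserLogin(login))    // the question's code ignores this result
            return Response.status(Response.Status.UNAUTHORIZED).build();
        startAuthenticatedSession(request, login.getUsername());
        return Response.ok().build();
    }
    @POST @Path("logout")                              // counterpart of session_destroy()
    public Response logout() {
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();
        return Response.noContent().build();
    }
    @GET @Path("me")                                   // example of a protected resource
    public Response me() {
        String user = authenticatedUser(request);
        return user == null ? Response.status(Response.Status.UNAUTHORIZED).build()
                            : Response.ok(user).build();
    }
}
```

The container still has to mark the session cookie HttpOnly and Secure (in web.xml or the container's configuration); that is not done from resource code.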
0

+elbek describes the plain servlet situation; however, nowadays almost nobody writes plain servlets. It sucked so much back then that a lot of web frameworks evolved. There is a sh*tload of them, but good ones will utilize dependency injection techniques like Spring (for example, Struts 2), and there are distinct scopes (application / session / request) containing plain Java beans, which can in turn hold authentication data.

J2EE also provides its own authentication semantics with the servlet container and JAAS. It also uses session tracking and is useful when you need to access some backend resources like datasources, queues or EJBs, but most web applications do not bother with it.

Konstantin Pribluda