Managing Session Validator


aby peter

Sep 13, 2012, 9:20:36 AM
to AribaWeb (aribaweb.org)
Hi All,

In my Ariba-Web application I would like to add a session validator.

I have written the login details in Main.java


    public class Main extends AWComponent
    {
        public String _userName;
        public String _password;
        UserAccountDto objUserAccountDto=new UserAccountDto();

        public AWResponseGenerating login ()
        {
            UserAccountBoIntf objUserAccountBoIntf =
                (UserAccountBoIntf)ContextBean.getRequiredBo(ServletContext.class,UserAccountBoIntf.USERACCOUNT_BO);
            objUserAccountDto.setUser_id(_userName);
            objUserAccountDto.setPassword(_password);
            objUserAccountDto=objUserAccountBoIntf.load(objUserAccountDto);

            request().getSession().setAttribute("USER_SESSION",objUserAccountDto);

            return pageWithName("app.Home");
        }
    }

But here, how can I use the Ariba session validator? Also, how do I use the Ariba logout action?


Thanks,
Aby

František Kolář

Sep 13, 2012, 9:34:57 AM
to arib...@googlegroups.com
Hi Aby, 

I think the first thing you should do is check out the demo application and its Application.java class, and then maybe ask what is not clear; it will be easier to answer :-) , but basically:

*  on the AWServletApplication you need to set your own implementation of the AWLocalLoginSessionHandler, and when the AWSessionValidationException is thrown you return your Main / Login page in showLoginPage()
*  the logout action can simply invalidate the session and send the user to the Main page


Regards
František Kolář 


--
You received this message because you are subscribed to the Google Groups "AribaWeb (aribaweb.org)" group.
To post to this group, send email to arib...@googlegroups.com.
To unsubscribe from this group, send email to aribaweb+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/aribaweb?hl=en.


aby peter

Sep 14, 2012, 3:19:31 AM
to arib...@googlegroups.com
Hi František,

    Thanks for your quick reply.
   
I have gone through the Application.java file and I used the following code in my Application.java. Instead of Login I am using Main.java


    public void initSessionValidator ()
    {
        if (_sessionValidator == null) setSessionValidator(new AWLocalLoginSessionHandler() {
            protected AWResponseGenerating showLoginPage (AWRequestContext requestContext,
                                                          CompletionCallback callback)
            {
                Main mainPage = (Main)requestContext.pageWithName(Main.class.getName());
                mainPage.init(callback);
                return mainPage;
            }
        });
    }

But I am unable to return this mainPage. When will the _sessionValidator become null? My doubt is whether we need to do anything for _sessionValidator at the time of logout?


Thanks,
Aby

František Kolář

Sep 14, 2012, 3:22:10 AM
to arib...@googlegroups.com
You need to implement also some of the assertSession methods to check and throw this validation exception.




Regards.

František Kolář 
Phone: +420 604 55 55 77  




aby peter

Sep 14, 2012, 4:09:59 AM
to arib...@googlegroups.com
Hi František,
   
   
Like the demo application, I have used one Session.java and Application.java


    public class Session extends AWSession{

        private boolean _isAuthenticated = false;

        public void setAuthenticated (boolean isAuthenticated){
            _isAuthenticated = isAuthenticated;
        }

        public boolean isAuthenticated ()
        {
            return _isAuthenticated;
        }

        public void assertAuthenticated ()
        {
            if (!isAuthenticated()) throw new AWSessionValidationException();
        }
    }


And in Application.java


    public class Application extends AWServletApplication{

        public void initSessionValidator ()
        {
            if (_sessionValidator == null) setSessionValidator(new AWLocalLoginSessionHandler() {
                protected AWResponseGenerating showLoginPage (AWRequestContext requestContext,
                                                              CompletionCallback callback)
                {
                    Main mainPage = (Main)requestContext.pageWithName(Main.class.getName());
                    mainPage.init(callback);
                    return mainPage;
                }
            });
        }

        public void assertAuthenticated (AWRequestContext requestContext)
        {
            Session session = (Session)requestContext.session(false);
            if ((session == null) || !session.isAuthenticated()) {
                throw new AWSessionValidationException();
            }
        }

    }



    From where I should call assertAuthenticated(AWRequestContext requestContext) method of Application.java?



Thanks,
Aby

František Kolář

Sep 14, 2012, 4:43:36 AM
to arib...@googlegroups.com
You do not call it; it's called automatically for every request.

Also check public void assertValidSession(AWRequestContext requestContext), which decides if it should be validated or not.


Regards

František Kolář 
Phone: +420 604 55 55 77  



aby peter

Sep 14, 2012, 7:38:29 AM
to arib...@googlegroups.com
Hi František,

In my Main.java class I am receiving the session from the request() method ( request().getSession() ), but in the demo application I have seen that the session is from requestContext, i.e. requestContext.session().

Are both approaches the same? Please tell me the better approach?




Thanks,
Aby

František Kolář

Sep 14, 2012, 1:39:26 PM
to arib...@googlegroups.com
It really depends what you want.

request().getSession() retrieves the HTTP session, and the other call is your AWSession.

Usually in your app you want to use AWSession.

So you can either use your second call or simply call session() on the AWComponent page.

Regards

František Kolář 
Phone: +420 604 55 55 77  




František Kolář

Sep 14, 2012, 1:50:19 PM
to arib...@googlegroups.com
You can also do something like:

MyAWSession.currentSession(), where this method would retrieve the current session from the current ThreadLocal, and, just like in the demo, all you want is to bind the AWSession to the thread local using AWSession.LifecycleListener


    class YouSessionBinder implements AWSession.LifecycleListener {
        // Bind the stored session object to the current thread when the session wakes for a request
        public void sessionWillAwake(AWSession session) {
            _ThreadLocalSession.set(session.dict().get(SessionKey));
        }

        // Clear the binding when the request is done with the session
        public void sessionWillSleep(AWSession session) {
            _ThreadLocalSession.set(null);
        }
    }


But in your webapp it is wise not to use so much ThreadLocal
 

Fadamo s.r.o. 
Zelená 480  
250 66 Zdiby 
Phone: +420 604 55 55 77  
IC: 24135691 | DIC: CZ24135691 


aby peter

Sep 18, 2012, 1:59:34 AM
to arib...@googlegroups.com
Hi František,
   
In some forms I have used HttpSession, so I have to invalidate this session at the time of logout, and I have done it in the following way:

    public AWResponseGenerating logout(){

        HttpSession session =request().getSession();
        if(session!=null){
            session.invalidate();
        }
        return pageWithName("app.Main");

    }

But when I clicked on logout it showed the exception shown below
   
    ariba.ui.aribaweb.util.AWGenericException: java.lang.IllegalStateException: getAttribute: Session already invalidated
      
    at ariba.ui.aribaweb.core.AWSession.session(AWSession.java:659)
    at ariba.ui.aribaweb.core.AWPage.session(AWPage.java:329)
    at ariba.ui.aribaweb.core.AWPage.browserState(AWPage.java:563)
    at ariba.ui.aribaweb.core.AWPage.renderResponse(AWPage.java:715)
    at ariba.ui.aribaweb.core.AWRequestContext.generateResponse(AWRequestContext.java:1077)
    at ariba.ui.aribaweb.core.AWRequestContext.generateResponse(AWRequestContext.java:1139)
    at ariba.ui.aribaweb.core.AWComponentActionRequestHandler.handleRequest(AWComponentActionRequestHandler.java:583)
    at ariba.ui.aribaweb.core.AWRequestContext.handleRequest(AWRequestContext.java:1146)
    at ariba.ui.aribaweb.core.AWComponentActionRequestHandler.handleRequest(AWComponentActionRequestHandler.java:762)
    at ariba.ui.aribaweb.core.AWConcreteServerApplication._dispatchRequest(AWConcreteServerApplication.java:516)
    at ariba.ui.aribaweb.core.AWConcreteServerApplication.dispatchRequest(AWConcreteServerApplication.java:560)
    at ariba.ui.aribaweb.core.AWConcreteApplication.dispatchRequest(AWConcreteApplication.java:880)
    at ariba.ui.servletadaptor.AWDispatcherServlet.aribawebDispatcher(AWDispatcherServlet.java:191)
    at ariba.ui.servletadaptor.AWDispatcherServlet.doPost(AWDispatcherServlet.java:266)
   

   
In Main.java


    public class Main extends AWComponent{
        public String _userName;
        public String _password;
        UserAccountDto objUserAccountDto=new UserAccountDto();

        public AWResponseGenerating login () {
            UserAccountBoIntf objUserAccountBoIntf =
                (UserAccountBoIntf)ContextBean.getRequiredBo(ServletContext.class,UserAccountBoIntf.USERACCOUNT_BO);
            objUserAccountDto.setUser_id(_userName);
            objUserAccountDto.setPassword(_password);
            objUserAccountDto=objUserAccountBoIntf.load(objUserAccountDto);
            return pageWithName("app.Home");
        }

    }


Please tell me the reason behind it?


Thanks,
Aby

ottydotty

Sep 18, 2012, 3:09:26 AM
to arib...@googlegroups.com
Aby, you should check your session like this:

    if (session != null && session.isRequestedSessionIdValid()) {

    }

Scott

František Kolář

Sep 18, 2012, 3:18:27 AM
to arib...@googlegroups.com
It really does not matter if you use HTTP session or AWSession as long as you are able to handle it correctly.

Once you call invalidate on the real HttpSession then you can not really invoke any set/get method on it. So in the AW world you should not call invalidate directly; rather, let AW handle it. In this case you called invalidate(), but when your page was being rendered AWPage asked for the session (httpSession.getAttribute(SessionKey)), and it's too late to try to get any value from it cuz of this invalidate call.

You should focus mainly working with AWSession + when you want to do your logout magic you simply call .terminate() on the AWSession. 


Regards

František Kolář 


aby peter

Sep 18, 2012, 4:00:16 AM
to arib...@googlegroups.com
Thank you ottydotty.

But I have not seen the ' isRequestedSessionIdValid() ' method in HttpSession. It is from HttpRequest.

Thanks,

Aby

František Kolář

Sep 18, 2012, 4:04:16 AM
to arib...@googlegroups.com
Regarding the termination, you should really use .terminate, which is the clean way to invalidate your session for AW. We need to understand that this termination is something like a schedule for termination once all the processes are finishing. If you do this earlier then you get your exception.


Regards

František Kolář 
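
Added example, not part of any post in this thread and not AribaWeb code: a plain-Java toy model of the two replies above about invalidate() versus terminate(), showing why invalidating inside the action breaks the render step while a deferred termination does not. The class names, the "SessionKey" attribute and the end-of-request hook are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Toy model constructed for illustration; not AribaWeb or servlet-container code.
public class LogoutOrderingDemo {

    // Like HttpSession in one respect: any access after invalidate() throws.
    static class ToyHttpSession {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;
        void setAttribute(String k, Object v) { check(); attrs.put(k, v); }
        Object getAttribute(String k) { check(); return attrs.get(k); }
        void invalidate() { check(); valid = false; attrs.clear(); }
        boolean isValid() { return valid; }
        private void check() { if (!valid) throw new IllegalStateException("Session already invalidated"); }
    }

    // Hypothetical wrapper that defers invalidation: terminate() only sets a flag.
    static class ToyFrameworkSession {
        final ToyHttpSession http;
        private boolean terminateRequested;
        ToyFrameworkSession(ToyHttpSession http) { this.http = http; }
        void terminate() { terminateRequested = true; }
        void endOfRequest() { if (terminateRequested && http.isValid()) http.invalidate(); }
    }

    interface Action { void run(ToyFrameworkSession s); }

    // One request: run the action, render (which reads the session), then clean up.
    static String handleRequest(ToyFrameworkSession s, Action action) {
        try {
            action.run(s);
            s.http.getAttribute("SessionKey"); // render phase still reads the session
            return "rendered";
        } catch (IllegalStateException e) {
            return "error: " + e.getMessage();
        } finally {
            s.endOfRequest(); // deferred termination happens only here
        }
    }

    static ToyFrameworkSession newSession() {
        ToyHttpSession http = new ToyHttpSession();
        http.setAttribute("SessionKey", "state");
        return new ToyFrameworkSession(http);
    }

    public static void main(String[] args) {
        ToyFrameworkSession a = newSession(); // logout by invalidating mid-request
        System.out.println(handleRequest(a, s -> s.http.invalidate()) + " valid=" + a.http.isValid());
        ToyFrameworkSession b = newSession(); // logout by requesting termination
        System.out.println(handleRequest(b, s -> s.terminate()) + " valid=" + b.http.isValid());
    }
}
```

In both runs the server-side session ends up invalid; only the deferred variant lets the response render first.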


aby peter

Sep 19, 2012, 10:27:45 AM
to arib...@googlegroups.com
Thank you František .

   
Still I am facing some issues in login/logout.

When I refresh the AribaWeb URL I get Main.java as the login page, but it is not loaded from Application.java, so I can't use return _callback.proceed(requestContext()) in the login() method of Main.java. Instead of that I have used return pageWithName("app.Home").

From the Home page, if I click Logout it returns to Main.java (login page) through Application.java, but if we try to log in again, the page does not go to the Home page; it stays on the same page, i.e. Main.java.

How can I load Main.java the first time through Application.java?

Please give me any solution.

Kindly check the following files

   
   
    Application.java
   
   
public class Application extends AWServletApplication{
 
 
    public void initSessionValidator ()
    {
        if (_sessionValidator == null) setSessionValidator(new AWLocalLoginSessionHandler() {
            protected AWResponseGenerating showLoginPage (AWRequestContext requestContext,
                                                          CompletionCallback callback)
            {
                Main mainPage = (Main)requestContext.pageWithName(Main.class.getName());
                mainPage.init(callback);
                return mainPage;
            }
        });
    }

    public void assertAuthenticated (AWRequestContext requestContext)
    {
        Session session = (Session)requestContext.session(false);
        if ((session == null) || !session.isAuthenticated()) {
            throw new AWSessionValidationException();
        }
    }
}


   
  Main.java
   
   
public class Main extends AWComponent
{
    AWLocalLoginSessionHandler.CompletionCallback _callback;

    public String _userName;
    public String _password;

    public void init (AWLocalLoginSessionHandler.CompletionCallback callback)
    {
        _callback = callback;
    }

    public AWResponseGenerating login ()
    {
            ((Session)session()).setAuthenticated(true);
    //////  return _callback.proceed(requestContext());///////////Not working this
            return pageWithName("app.Home");
    }

 
}
   
   
    Logout in Home.java
   
public class Home extends AWComponent{

    public AWResponseGenerating logout(){

        if(session()!=null)
        {
            session().terminate();
            throw new AWSessionValidationException();     //////////////////It will go through   Application.java
        }
        return null;

    }
}

Thanks,
Aby

František Kolář

Sep 19, 2012, 10:40:14 AM
to arib...@googlegroups.com
I am writing another article about this one, how to handle session management and simple authentication. It should be ready by the end of this week depending on my workload, and I hope this will highlight everything for you and for anybody who tries to do similar things.
AW relies on the fact that you are using its own wrapped API around the servlet API. Of course you are free to use anything you want, but then again you should know that this will not influence AW, just like your .invalidate call on the httpSession.


Regards

František Kolář 


aby peter

Jan 18, 2013, 1:36:34 AM
to arib...@googlegroups.com
Hi Frantisek,

Can we set or override the session timeout? Where should I mention it?

Thanks,
Aby

František Kolář

Jan 18, 2013, 3:58:19 AM
to arib...@googlegroups.com
Hi Aby, 

Session timeout is driven by the container and I think there is an API in the servlet spec which allows you to override this value. HttpSession has the method public void setMaxInactiveInterval(int interval);

You can set this by overriding the method protected int initSessionTimeout () from AWServletApplication. As you can see in the code, there is this comment:

 Ariba Web framework by default does not allow application to
        to add seesion time and leave it to app server to do that
        but if the application feels the urge to do this, they can
        do this by overriding the sessionTimeout() method



Regards
František Kolář 


František Kolář

Jan 18, 2013, 4:00:52 AM
to arib...@googlegroups.com
Btw. I will respond to you all regarding those promised chat/video sessions, just so busy at this time. Finishing some release and this has a little bit higher priority ;-)


Regards

František Kolář 
 

aby peter

Jan 30, 2013, 1:18:18 AM
to arib...@googlegroups.com
Hi František,

I have tried session timeout by overriding the sessionTimeout() method in Application.java and it is working.


    public int sessionTimeout ()
    {
        return 600;
    }

I would like to show a message such as "Session Timeout" on the login page. Could I pass this message to Main.java?
Main.java is my login page. Where should I mention this message?

Thanks,
Aby




František Kolář

Jan 31, 2013, 5:34:24 AM
to arib...@googlegroups.com
Usually aribaweb has something like sessionManager that is rendered when you are inactive 
as part of BasicPageWrapper:

  </a:If>
                <w:SessionManagerInclude sessionless="$^sessionless"/>
                <a:PollInterval/>\
                <w:FooterIncludes/>
            </a:If>\
            <w:ClientSideTemplates/>
            <!--- NOTE: make sure that the AWRichCli

But you need to provide your own implementation. 

The easiest way is to detect that the session timed out, kick the user back to the LoginPage and mark this state. Maybe using a DirectAction, or inside your sessionHandler.


Regards

František Kolář 

