java会话管理 [英] java session management
问题描述
我正在使用一个小型的webapp来获取乐趣,目前仅使用Java Servlet。我有两个页面,test1和test2。目前我正在test1中创建一个新会话,如下所示:
I am working on a small webapp for fun, using just Java Servlets at the moment. I have two pages, test1 and test2. At the moment I am creating a new session in test1 like this:
HttpSession session = request.getSession(true);
if (session.isNew() == false) {
session.invalidate();
session = request.getSession (true);
}
在test2中,我正在检索会话,如下所示:
In test2 I am retrieving the session like so:
HttpSession session = request.getSession(false);
if (session == null) {
throw new ServletException ("No session.");
}
所以问题是如果我先去test2,我总是得到有效会话,因为浏览器创建一个会话。我想限制从test1到test2的流程,所以我必须先进入test1。我的计划是最终创建一个会创建会话的登录页面,但我在这里看到的问题仍然存在。
So the problem is that if I go to test2 first, I am always getting a valid session because the browser creates one. I want to restrict the flow from test1 to test2 so that I have to go to test1 first. My plan is to eventually create a login page that will create the session, but the problem I am seeing here would still be present.
我该如何处理?我想任何想法都不包括第三方库。我这样做是为了学习练习。
How should I handle this? I would like any ideas to not include 3rd party libraries. I'm doing this as a learning exercise.
谢谢!
推荐答案
这没有任何意义。忘记 request.getSession(boolean)
。只需通过 request.getSession()
获取会话,从不担心空值/有效性。
This makes no sense. Forget the request.getSession(boolean)
. Just get the session by request.getSession()
and never worry about the nullness/validness.
如果你想要通过会话属性传递数据,然后只需在 test1
中执行:
If you want to pass data through session attributes, then just do in test1
:
request.getSession().setAttribute("test", "foo");
和 test2
(当然在 <$ em $ c> c> test1 之后相同会话中请求:
and in test2
(which is of course requested in the same session after test1
):
String test = (String) request.getSession().getAttribute("test"); // Returns "foo".
编辑关于使用会话检查已登录的用户
,只需在登录代码中执行以下操作:
As to using the session to check the logged-in User
, just do something like in the login code:
User user = userDAO.find(username, password);
if (user != null) {
request.getSession().setAttribute("user", user);
} else {
// Show error?
}
然后在 过滤器
,它映射在 url-pattern
代表限制区域,只检查是否存在用户
:
and then in a Filter
which is mapped on a url-pattern
which represents the restricted area, just check if the User
is present or not:
if (((HttpServletRequest) request).getSession().getAttribute("user") != null) {
chain.doFilter(request, response); // Just continue.
} else {
((HttpServletResponse) response).sendRedirect("login"); // Not logged-in, redirect to login page.
}
当您退出时,只需删除用户来自会话的
:
and when you logout, you just remove the User
from the session:
request.getSession().removeAttribute("user");
// Or, more drastically:
request.getSession().invalidate();
或者您也可以查看声明性容器管理安全性借助 web.xml中的一些简单条目
和 server.xml
。这样你就不必为自己的登录/过滤逻辑烦恼了。
Alternatively you can also take a look for declarative Container Managed Security with help of some simple entries in web.xml
and the server.xml
. This way you don't need to hassle with login/filter logic yourself.
这篇关于java会话管理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!