Java EE - Session always being created on login
I usually use Java EE authentication with a custom login form and beans in my projects. I configure GlassFish with a user/password database (JDBC) and create a JSF form that calls the login() method on a RequestScoped bean (named "loginbean"), which calls HttpServletRequest's login() method.

When the login attempt succeeds, I set the user info in a SessionScoped bean injected in loginbean, named "loginservice". Then, in lots of other pages and beans, I use that info by injecting loginservice and accessing its data.

All fine, but I noticed a session is being created whenever the user goes to the login page, even if he hasn't attempted to log in yet. I guess that happens because loginservice is always injected in loginbean, on object creation.

And because of that I have 2 questions:

Should I care about this session? Can it cause problems?

What is the best way to do a custom login without creating a session every time the user accesses the login page? I mean, I could pass the user info on the query string after succeeding, but that's horrible. :)

Thx.
Should I care about this session? Can it cause problems?

It depends. If the server is on relatively "cheapass" hardware, then the chance of a successful DDoS attack is bigger, because more sessions are created than the server can destroy before the hardware limits are reached.

What is the best way to do a custom login without creating a session every time the user accesses the login page?

Don't inject the session scoped bean. Set the user in the session map yourself. See the "Update" part of "Best way for user authentication on JavaEE 6 using JSF 2.0?" for a concrete example:
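    import java.io.IOException;
    import javax.faces.application.FacesMessage;
    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;

    // Method of the request scoped login bean; username, password,
    // userService and originalURL are fields of that bean.
    public void login() throws IOException {
        FacesContext context = FacesContext.getCurrentInstance();
        ExternalContext externalContext = context.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();

        try {
            // Container-managed authentication against the configured realm.
            request.login(username, password);
            User user = userService.find(username, password);
            // The session is created here, only after a successful login.
            externalContext.getSessionMap().put("user", user);
            externalContext.redirect(originalURL);
        } catch (ServletException e) {
            // Handle unknown username/password in request.login().
            context.addMessage(null, new FacesMessage("Unknown login"));
        }
    }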
session java-ee login cdi