The issue here is that we want to control session tracking. In the web.xml file you may have something that looks like:
```xml
<session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
```

```xml
<session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>URL</tracking-mode>
</session-config>
```
This is a problem. You see, we are trying to be more secure around our session, and having the JSESSIONID in the URL is not helping much with that. Well, we can perhaps keep our application safe, and frustrate our developer slightly if he doesn't figure out this little bit of magic. We can control the session tracking programmatically in an "obvious", well-known location. We can enlist a ServletContextListener to help us. The ServletContextListener listens for when our application is being initialized, and sets the session tracking back to COOKIE for us. The implementation is simple, and will help foil the "developer mode-itis" that sometimes infects the code.
ServletContextListenerImpl.java
Note: Even if you didn't have a value set in the web.xml file, this would set it to COOKIE.

```java
package com.bluelotussoftware.web.listener.impl;

import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * An implementation of {@link ServletContextListener} web application lifecycle
 * listener.
 *
 * @author John Yeary
 * @version 1.0
 */
@WebListener
public class ServletContextListenerImpl implements ServletContextListener {

    /**
     * {@inheritDoc}
     *
     * Sets the session tracking mode of the {@link javax.servlet.ServletContext}
     * to COOKIE only. This will override the web.xml file.
     */
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        // Set the session tracking globally for this servlet context to COOKIE.
        // This overrides whatever <tracking-mode> web.xml declares.
        Set<SessionTrackingMode> modes = EnumSet.noneOf(SessionTrackingMode.class);
        modes.add(SessionTrackingMode.COOKIE);
        sce.getServletContext().setSessionTrackingModes(modes);
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to clean up.
    }
}
```
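As an added example (not the post's own listener), the same technique carried one step further: after forcing COOKIE mode it reads back the container's effective modes so a deployment fails loudly if URL rewriting somehow survived, and it hardens the cookie that now carries the session id. The package name is hypothetical, a Servlet 3.0+ container is assumed, and the Secure flag assumes the application is served over HTTPS.

```java
package com.example.web.listener; // hypothetical package, not the post's

import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

/**
 * Forces cookie-only session tracking at startup, then verifies that the
 * container actually applied it, so a stray {@code <tracking-mode>URL</tracking-mode>}
 * in web.xml cannot put JSESSIONID into links.
 */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // setSessionTrackingModes() is only legal while the context is being
        // initialized; later calls throw IllegalStateException, which is why
        // this belongs in a ServletContextListener rather than in a servlet.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Verify rather than trust: read back the modes in effect and refuse
        // to start if URL rewriting is still enabled.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException(
                "URL session tracking still active: " + effective);
        }
        ctx.log("Session tracking modes in effect: " + effective);

        // The session id now lives only in a cookie, so harden that cookie.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // keep JSESSIONID out of document.cookie
        cookie.setSecure(true);   // send it over HTTPS only (assumes TLS is used)
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to clean up
    }
}
```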