4 Replies Latest reply on Aug 1, 2013 10:58 AM by eb_

    session variables in ADF model layer

    eb_

      Hi all,

      I want to ask you something about session variables in the ADF model layer. I have a table in the database containing user information (userid, pid, deptid, ptype).

      In the AppModuleImpl class I use the prepareSession method of the AM to set the username and other variables from the database, something like:

                 

          @Override
          protected void prepareSession(Session session) {
              super.prepareSession(session);
              username = ADFContext.getCurrent().getSecurityContext().getUserPrincipal().getName();

              // Compare string contents with equals(); != only compares object references.
              if (!"anonymous".equals(username)) {
                  this.setUserDataEntry("user", username);
                  // .... and get other values from database (with JDBC)
                  this.setUserDataEntry("pid", x);
                  this.setUserDataEntry("deptid", y);
                  this.setUserDataEntry("ptype", z);
              }
          }

          // Store a value in the application module session's user data map.
          public void setUserDataEntry(String key, String value) {
              this.getSession().getUserData().put(key, value);
          }

          // Read a value back from the application module session's user data map.
          public String getUserDataEntry(String key) {
              String value = (String)this.getSession().getUserData().get(key);
              return value;
          }

      and there are two other methods for passivation/activation mechanism:

          @Override
          protected void passivateState(Document document, Element parent)

          @Override
          protected void activateState(Element element)

       

      1-) I want to ask whether it is a good idea to get these variables from the database with JDBC in the prepareSession method?

       

      Secondly, before this method I had used another approach: I created a view object with the query:

      select pid,deptid,ptype from mytable where userid = :username ( bind variable -- adf.userSession.userData.user )

       

      and I got these values (when I needed them in a managed bean class) from hidden (visible:false) outputText values on a page, something like:

       

      RichOutputText otxt7 = (RichOutputText)root.findComponent("pt1:ot7");
      deptid=(String)otxt7.getValue();
      ...

      2-) Would I have any problems with this second method?

      Which method is better: getting the values from the database in the prepareSession method of the application module, or using a view object and hidden values on the page?

        • 1. Re: session variables in ADF model layer
          Jan Nawara

          In general you would want to set the session values once after the user is authenticated and simply read them back from the session afterwards. This of course assumes that the values never change after the user logs in; if they do, prepareSession is a pretty good place to reload them. Also, you should only load the values if they are changed, otherwise you are making a lot of unnecessary JDBC calls, slowing down your app (probably not a significant amount on its own, but it can add up, especially in prepareSession).

           

          Personally I would not store the individual values on their own in the session but place them in a central HashMap to keep them together. Remember the session scope is shared by both the model and view and it's possible someone else will use a session variable key you've used. Also by storing the values in the session itself you don't have to worry about activation/passivation of the AM.

           

          Using a hidden outputText is a BAD idea. While the outputText is hidden from the user, its content is still present in the page source. Basically you have exposed all those values to anyone who can right click in the browser and "View Source". A big security failure. You can easily access any session variable in a managed bean with the code below (where blah is the key you used to set the value in the AM).

           

          FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get("blah")
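
The advice in the reply above (one central map in session scope, loaded once after authentication and read on the server instead of from a hidden outputText), as an added example that is not part of the original thread. The key name `com.example.app.USER_CONTEXT`, the `UserContext` class and the sample values are assumptions, and a plain `Map` stands in for the map returned by `getSessionMap()`.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class UserContextDemo {
    // Hypothetical key; the package-style prefix avoids clashing with keys set by other code.
    static final String SESSION_KEY = "com.example.app.USER_CONTEXT";

    /** Immutable holder; Serializable so the container can replicate it between cluster nodes. */
    static final class UserContext implements Serializable {
        private static final long serialVersionUID = 1L;
        private final Map<String, String> values;
        UserContext(Map<String, String> loaded) {
            this.values = Collections.unmodifiableMap(new HashMap<>(loaded));
        }
        String get(String key) { return values.get(key); }
    }

    /** Stand-in for the JDBC lookup in the question; returns constructed sample values. */
    static Map<String, String> loadFromDatabase(String userId) {
        Map<String, String> row = new HashMap<>();
        row.put("user", userId);
        row.put("pid", "1001");
        row.put("deptid", "42");
        row.put("ptype", "A");
        return row;
    }

    /** Loads once per session for an authenticated user, then only reads back. */
    static UserContext currentUser(Map<String, Object> sessionMap, String principal) {
        if (principal == null || "anonymous".equals(principal)) {
            return null; // nothing is stored for unauthenticated requests
        }
        UserContext ctx = (UserContext) sessionMap.get(SESSION_KEY);
        if (ctx == null || !principal.equals(ctx.get("user"))) {
            ctx = new UserContext(loadFromDatabase(principal)); // first use, or a different user
            sessionMap.put(SESSION_KEY, ctx);
        }
        return ctx;
    }

    public static void main(String[] args) {
        Map<String, Object> sessionMap = new HashMap<>(); // in JSF: getExternalContext().getSessionMap()
        UserContext first = currentUser(sessionMap, "jdoe");
        UserContext again = currentUser(sessionMap, "jdoe");
        System.out.println("deptid=" + first.get("deptid") + " cached=" + (first == again));
        System.out.println("anonymous -> " + currentUser(sessionMap, "anonymous"));
    }
}
```

The values never reach the rendered page, so nothing appears in "View Source", and the bean needs no hardcoded component id to read them.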

          • 2. Re: session variables in ADF model layer
            eb_

            Hi Jan,

            Thanks for your reply.

            Could you please look at these two links about session scope and global user data? That's why I used activation/passivation.

            * http://andrejusb.blogspot.com/2012/05/bad-practice-for-session-scope-access.html

            * http://andrejusb.blogspot.ca/2012/05/solution-for-sharing-global-user-data.html

            And in the second approach, if the variables are not security-critical, could we still use a hidden outputText? I asked in case they might not be initialized or something like that.



            • 3. Re: session variables in ADF model layer
              Jan Nawara

              I can see his point of view. I guess if keeping the MVC model is high priority then his solution would be needed. Personally, in all the years I have been working with ADF I never had a need to reuse the model in any meaningful way. There have always been business logic or database changes that made reuse impossible or difficult beyond common base classes. That being said, I also don't consider the session scope to be a dumping ground for data. At most I store just a couple of the most important IDs that are required to access the data a user can/should see (less than 10 or so numbers basically). From these couple of IDs I can always join up a bunch of tables and get the data I need.

               

              Personally I'm not sure how I feel about relying on activation/passivation. The process of creating the XML and saving it to the database, then reading from the database and parsing the XML just feels like a lot of unnecessary work to me. If you keep the amount of info reasonably small, keeping things in session scope works quite well since all that needs to be done is for the web server to sync the info between cluster nodes. Personally I avoid using class level AM variables that would need to be passivated and prefer to use a couple (three in my case) numbers that I can pass into my view objects as bind variables when getting data.

               

              As for storing data in the outputText, even if it has nothing to do with security, the question is why? There is no reason to do it I can think of other than maybe needing some data for JavaScript. And even then there are much better ways of getting it there. In your bean you still have to bind or, worse, find the component from the page to get the info, so why not just access the source of the data directly anyway. BTW hardcoding component IDs in Java code is a fantastic way of introducing hard to find bugs in your code. All it takes is an extra container component and all those IDs change on you. This is why the preferred method is to bind the components to the beans; even if the IDs shift around you still get your component, but of course the problem is that there is only one bean that can have the component bound to it. Do yourself a favor and keep the data in a session bean and keep it out of the UI, security or not.

              1 person found this helpful
              • 4. Re: session variables in ADF model layer
                eb_

                Thanks Jan ...