

HttpSession2 interface

The HttpSession2 interface is used within JSPs and servlets to share session state with AppLogics.

Netscape Application Server already supports javax.servlet.http.HttpSession as a standard interface to NAS sessions. But the application server also provides HttpSession2, a NAS-specific interface. HttpSession2 gives servlets direct access to NAS sessions. Therefore, servlet programmers can use HttpSession2 to share sessions between AppLogics and servlets.

Sharing sessions is useful when you want to migrate an application from NAS 2.x to NAS 4.0. When migrating an application, one of the tasks is to rewrite AppLogics into servlets. Furthermore, when you rewrite AppLogics, you typically need to use NAS-specific servlet interfaces, such as HttpSession2 and HttpServletRequest2. The resulting servlet is nonstandard; however, the alternate approach—mixing AppLogics and standard servlets—is not recommended.

In servlets, a session is an instance of HttpSession. But in AppLogics, session data is an IValList object. An AppLogic stores integers, strings, and blobs (byte arrays) in a session, whereas a servlet stores serializable objects in a session. As a result, there is no immediate mapping between what an AppLogic stores and what a servlet stores in a session (except for strings).

The HttpSession2 interface solves the issue of sharing session data. HttpSession2 provides methods for storing and retrieving integers, strings, blobs, and user login data—methods that parallel what an AppLogic developer uses. In this way, HttpSession2 enables sessions to work back and forth across AppLogics and servlets.

HttpSession2 provides loginSession( ) and logoutSession( ) for servlets to share the AppLogic session API. These two methods are typically used with isAuthorized( ), as is done for AppLogics. Servlets are also registered with an access control list, so that a secure session established in an AppLogic can be used in a servlet, and vice versa.

Package
com.netscape.server.servlet.extension

Methods
Method              Description
getBytes( )         Returns the byte array defined by the specified name in the session.
getInt( )           Returns the integer defined by the specified name in the session.
getString( )        Returns the string defined by the specified name in the session.
isAuthorized( )     Checks whether the current user has a specified permission.
loginSession( )     Logs an authorized user into a session with a secured application.
logoutSession( )    Removes a user's association with a session.
putBytes( )         Defines a name in the session to have a specified byte array value.
putInt( )           Defines a name in the session to have a specified integer value.
putString( )        Defines a name in the session to have a specified String value.

Related Topics
Writing Secure Applications

getBytes( )
Returns the byte array defined by the specified name in the session.

Syntax
public abstract byte[] getBytes(
	String name)

name. The name whose value is to be returned.

Return Value
The byte array defined by name in the session, or null if name is not defined.

Related Topics
putBytes( )

getInt( )
Returns the integer defined by the specified name in the session.

Syntax
public abstract int getInt(
	String name)

name. The name whose value is to be returned.

Return Value
The integer defined by name in the session, or -1 if name is not defined. A stored value of -1 is therefore indistinguishable from an undefined name.

Related Topics
putInt( )

getString( )
Returns the string defined by the specified name in the session.

Syntax
public abstract String getString(
	String name)

name. The name whose value is to be returned.

Return Value
The string defined by name in the session, or null if name is not defined.

Related Topics
putString( )

isAuthorized( )
Checks whether the current user has a specified permission.

Syntax
public abstract boolean isAuthorized(
	String acl,
	String permission)

acl. The access control list in which to check for the permission.

permission. The permission to check for.

Usage
Use isAuthorized( ) in portions of the code where application security is enforced through Access Control Lists (ACLs). This method lets an application check a specified ACL to determine whether a user has permission to execute a servlet (or AppLogic) or to perform a particular action. The application can use the result of isAuthorized( ) as the condition in an if statement. It can, for example, return a message to users who are denied access to a servlet (or AppLogic).

Each ACL is defined in the registry and maps users to privileges such as read and write. Application developers should obtain the list of registered ACLs, users and groups from the server administrator who created these items. ACLs are created through the Enterprise Administrator tool or through the kreg tool.

Rule
Before calling isAuthorized( ), the application must create a session. The user must also be logged in with loginSession( ).

Return Value
Returns true if the authorization check succeeds; otherwise, returns false.

Related Topics
loginSession( )

loginSession( )
Logs an authorized user into a session with a secured application.

Syntax
public abstract boolean loginSession(
	String user,
	String password)

user. The login user name.

password. The user password.

Usage
The loginSession( ) method logs the named user in the session, using the given password. Logging in associates the user with the session so that the application can control authorization of AppLogic and servlet access.

Call loginSession( ) after creating or retrieving a user session. loginSession( ) checks the passed-in login name and password against the user names and passwords stored in the Netscape Application Server (the administrator sets up and manages this information) and logs the user into the session if the login name and password are valid.

If login is successful, a security credential object is created and associated with the session. The server checks this security credential object each time it receives an AppLogic or servlet request, and verifies whether the user has execute permission for the AppLogic or servlet.

Using loginSession( ) in conjunction with isAuthorized( ), an application can ensure that only authorized users can take certain actions, such as executing AppLogics or servlets.

Tip
The server administrator creates users and passwords and manages access to AppLogics, servlets, and specified resources, such as sales or forecast reports. During the development and debugging phases, application developers can use the ldapmodify tool to create users, groups, and ACLs in the LDIF file. These tasks cannot be done programmatically.

Return Value
Returns true if the login is successful.

Related Topics
isAuthorized( ), logoutSession( )

logoutSession( )
Removes a user's association with a session.

Syntax
public abstract int logoutSession()

Usage
AppLogics or servlets call loginSession( ) to log into a session with a secured application. If loginSession( ) was called, you must call logoutSession( ) when the user exits the application or the secured portion of it.

Return Value
GXE.SUCCESS if the method succeeds.

Related Topics
isAuthorized( ), loginSession( )
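
Example
The following servlet is an added example, not code from the original NAS documentation. It puts the loginSession( ), isAuthorized( ), and logoutSession( ) usage described above into one request handler that denies access unless the check explicitly succeeds. Assumptions: the session returned by getSession( ) can be cast to HttpSession2, and the class name, ACL name, permission name, and request parameter names are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.netscape.server.servlet.extension.HttpSession2;

public class ReportServlet extends HttpServlet {
    // Hypothetical names; real ACLs and permissions come from the server administrator.
    private static final String ACL = "ExampleReportsAcl";
    private static final String PERMISSION = "read";

    // POST keeps the credentials in the request body rather than in the URL.
    protected void doPost(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        res.setContentType("text/plain");
        PrintWriter out = res.getWriter();

        // Create or retrieve the session before any login or authorization call.
        HttpSession session = req.getSession(true);
        // Assumption: the NAS session object can be cast to HttpSession2.
        HttpSession2 nas = (HttpSession2) session;

        String action = req.getParameter("action");      // hypothetical parameter
        if ("logout".equals(action)) {
            int rc = nas.logoutSession();                 // GXE.SUCCESS on success
            out.println("Logged out (return code " + rc + ")");
            return;
        }
        if ("login".equals(action)) {
            String user = req.getParameter("user");
            String password = req.getParameter("password");
            if (user == null || password == null || !nas.loginSession(user, password)) {
                res.setStatus(HttpServletResponse.SC_FORBIDDEN);
                out.println("Login failed");              // same message for every failure
                return;
            }
        }
        // A login made on an earlier request, by a servlet or an AppLogic, is already
        // associated with the session. Anything other than true is treated as denial.
        if (!nas.isAuthorized(ACL, PERMISSION)) {
            res.setStatus(HttpServletResponse.SC_FORBIDDEN);
            out.println("Access denied");
            return;
        }
        out.println("Protected report content");
    }
}
```

The reference above does not state what isAuthorized( ) returns for a session in which no login has taken place, so the handler proceeds only on an explicit true.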

putBytes( )
Defines a name in the session to have a specified byte array value.

Syntax
public abstract void putBytes(
	String name,
	byte[] value)

name. The name to be defined.

value. The byte array value to assign to name.

Related Topics
getBytes( )

putInt( )
Defines a name in the session to have a specified integer value.

Syntax
public abstract void putInt(
	String name,
	int value)

name. The name to be defined.

value. The integer value to assign to name.

Related Topics
getInt( )

putString( )
Defines a name in the session to have a specified String value.

Syntax
public abstract void putString(
	String name,
	String value)

name. The name to be defined.

value. The String value to assign to name.

Related Topics
getString( )


 

© Copyright 1999 Netscape Communications Corp.