I am currently redesigning a web application that requires user authentication and has column level security on reporting pages (user can or can't see certain columns of a table).

I have implemented a basic DAOFactory and am using an interceptor much like the one on http://www.hibernate.org/43.html

Lets say the follwing Action validates a user against the database and returns his/her "session" information (security settings, profile info, etc).


This problem that i'm having is this is only good for the forward page (in this case index.jsp. My question is, how do I make the user info "persist" across pages for the lifetime of the user (until he closes the webbrowser). I thought to set it in request.getSession() but then i would have to update that anytime a user made changes to their info and saved to the database (hibernate). Am I completely missing it? Is there another way?

Thanks for any help!

Well, I think the typical approach is to put it in the HttpSession.

Just look at what the big players do, like Sun and IBM and Oracle - they put a token or identifier in your session, which is often linked to a cookie or a URL encoded id. Then, that id is used to grab any information about the user when it is needed.

To avoid session bloat, it's best to put just an identifier in the Session, and then pull out what data you need from the database or LDAP system when it's needed. That's what the big boys do. But then again, ease of development must be weighed against performance. If it's easier to stuff everything in the session and there won't be too big of a performance hit, then do it!

-Cameron McKenzie

Thanks for the reply!

I ended up just saving User (with only the attributes that i need on every page) in the HttpSession. If i need more for a certain page, I can then extend User to something more bloated...

Indeed!

And you know, there's nothing wrong with using the id of the User to hit the database for some extra information when you need it. That's what the big vendors do!

-Cameron McKenzie