Creating a Custom Annotation in Spring MVC: Secure Your URLs After Session Expiry

If you're developing a web application with Spring MVC, managing session-based access can be a bit more manual. Here, we'll create a custom annotation to ensure URLs are inaccessible when a session ends, enhancing your app's security.

Scenario:

Build an annotation that checks session validity before allowing access to controller methods, providing a cleaner and centralized approach to session management.

Step-by-Step Guide:

1. Create the Custom Annotation: Save this in com.example.annotations:

package com.example.annotations;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

// Method-level marker annotation; RUNTIME retention is required so the
// aspect below can see it on the proxied controller method.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface SessionValid {
}

2. Create an Aspect for the Annotation: Save this in com.example.aspects. The aspect only runs when Spring AOP is enabled (spring-boot-starter-aop on the classpath, or @EnableAspectJAutoProxy on a configuration class), and the RuntimeException it throws surfaces as an HTTP 500 unless an exception handler maps it to a more suitable status.

package com.example.aspects;

import com.example.annotations.SessionValid;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.aspectj.lang.JoinPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import javax.servlet.http.HttpSession;

@Aspect
@Component
public class SessionValidationAspect {

    // Runs before any controller method carrying @SessionValid; the annotation
    // instance is bound to the sessionValid parameter by the pointcut.
    @Before("@annotation(sessionValid)")
    public void checkSession(JoinPoint joinPoint, SessionValid sessionValid) throws Throwable {
        // getSession(false) never creates a session: an anonymous request must
        // not be given a fresh (empty) session just by hitting a protected URL.
        HttpSession session = ((ServletRequestAttributes) RequestContextHolder
            .currentRequestAttributes()).getRequest().getSession(false);

        // Deny when there is no session, or the session exists but login never
        // stored the "user" attribute in it.
        if (session == null || session.getAttribute("user") == null) {
            throw new RuntimeException("Session expired. Access denied.");
        }
    }
}
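The aspect above rejects a request by throwing a bare RuntimeException, which Spring MVC reports as a 500 Internal Server Error. The following is an added example, not code from the original post: a dedicated SessionExpiredException plus a @ControllerAdvice that turns the rejection into a 401 so clients can tell "re-authenticate" from "server bug". It assumes the aspect's throw statement is changed to throw SessionExpiredException; the class and package names are the example's own.

```java
// File: com/example/aspects/SessionExpiredException.java (added example)
package com.example.aspects;

// Unchecked so the @Before advice can throw it without changing its signature.
public class SessionExpiredException extends RuntimeException {
    public SessionExpiredException(String message) {
        super(message);
    }
}

// File: com/example/aspects/SessionExpiryHandler.java (added example)
// In SessionValidationAspect, replace the throw with:
//     throw new SessionExpiredException("Session expired. Access denied.");
package com.example.aspects;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;

@ControllerAdvice
public class SessionExpiryHandler {

    // Maps the aspect's rejection to 401 instead of the default 500.
    // A browser-facing app could return a redirect to /login here instead.
    @ExceptionHandler(SessionExpiredException.class)
    public ResponseEntity<String> handleExpiredSession(SessionExpiredException ex) {
        return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                // Make sure an intermediary never caches the denial.
                .header("Cache-Control", "no-store")
                .body(ex.getMessage());
    }
}
```

Keeping the exception type specific matters: an @ExceptionHandler on RuntimeException itself would also swallow genuine server errors and report them as "session expired".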

3. Apply the Annotation to Controller Methods: Save this in com.example.controllers:

package com.example.controllers;

import com.example.annotations.SessionValid;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class SecureController {

    @GetMapping("/secure-data")
    @SessionValid
    @ResponseBody
    public String getSecureData() {
        return "This is protected data.";
    }
}

4. Apply Globally Using an Interceptor (Alternative Approach): If you need global session checks across all controllers, you can create a HandlerInterceptor and register it with WebMvcConfigurer.

package com.example.interceptors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

public class SessionValidationInterceptor implements HandlerInterceptor {

    // Runs before the handler method for every request matching the
    // registered path patterns; returning false stops the request here.
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // getSession(false): do not create a session for an anonymous request
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            response.sendRedirect("/login"); // Redirect to login if session is invalid
            return false;
        }
        return true;
    }
}

WebMvcConfigurer Configuration. Note that the pattern below protects only /secure-data; for the all-controllers case described in step 4, register "/**" and add excludePathPatterns("/login") so the login page is not itself intercepted, which would otherwise produce a redirect loop:

package com.example.config;

import com.example.interceptors.SessionValidationInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new SessionValidationInterceptor()).addPathPatterns("/secure-data");
    }
}
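The interceptor and its registration can be verified without starting a server. The JUnit 5 test below is an added example, not part of the original post; it uses spring-test's MockMvc in standalone mode against the SecureController and SessionValidationInterceptor defined above. Standalone setup bypasses the Spring context, so the @SessionValid aspect is not exercised here, only the interceptor path. The test class name and the sample attribute values ("alice", "other") are constructed for the example.

```java
// File: src/test/java/com/example/interceptors/SessionValidationInterceptorTest.java (added example)
package com.example.interceptors;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.example.controllers.SecureController;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;

class SessionValidationInterceptorTest {

    private MockMvc mockMvc;

    @BeforeEach
    void setUp() {
        // Wire only the controller and the interceptor; no application context.
        mockMvc = MockMvcBuilders.standaloneSetup(new SecureController())
                .addInterceptors(new SessionValidationInterceptor())
                .build();
    }

    @Test
    void requestWithoutSessionIsRedirectedToLogin() throws Exception {
        // No sessionAttr(): the mock request has no session, so
        // getSession(false) returns null and the interceptor redirects.
        mockMvc.perform(get("/secure-data"))
                .andExpect(status().isFound())
                .andExpect(redirectedUrl("/login"));
    }

    @Test
    void sessionWithoutUserAttributeIsAlsoRejected() throws Exception {
        // A session exists but login never stored "user": must still be denied.
        mockMvc.perform(get("/secure-data").sessionAttr("other", "x"))
                .andExpect(status().isFound())
                .andExpect(redirectedUrl("/login"));
    }

    @Test
    void authenticatedSessionGetsTheData() throws Exception {
        // sessionAttr() creates a MockHttpSession holding "user", as a
        // successful login would, so the request reaches the controller.
        mockMvc.perform(get("/secure-data").sessionAttr("user", "alice"))
                .andExpect(status().isOk())
                .andExpect(content().string("This is protected data."));
    }
}
```

The second test is the one worth keeping: it catches a regression where someone relaxes the check to "session != null", which would let any request that merely has a session through.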

Package Structure:

  • com.example.annotations for @SessionValid
  • com.example.aspects for SessionValidationAspect
  • com.example.controllers for controllers
  • com.example.interceptors for SessionValidationInterceptor
  • com.example.config for WebConfig

Why Custom Annotations in Spring MVC?

  • Centralized Session Management: Reduce repeated session-checking code in controllers.
  • Cleaner Codebase: Improve readability by abstracting session checks.
  • Security: Consistently enforce session validation across your application.

Takeaway: Custom annotations and global interceptors in Spring MVC can streamline session management, making your application more secure and maintainable.

Have you created custom annotations or used interceptors in your projects? Share your insights and experiences below!

#Java #SpringMVC #CustomAnnotations #WebSecurity #JavaDevelopment
