🔒 Creating a Custom Annotation in Spring MVC: Secure Your URLs After Session Expiry 🔒

If you're developing a web application with Spring MVC and no full security framework, session-based access control is something you have to wire up yourself, and it is easy to forget the check on one handler. Here, we'll create a custom annotation that refuses requests to protected URLs once the session has expired or was never established, so that a stale or missing session can't reach a protected controller method.

🛠️ Scenario:

Build an annotation that checks session validity before a controller method runs, so the check lives in one place instead of being repeated (or forgotten) in every handler.

✅ Step-by-Step Guide:

1. Create the Custom Annotation: Save this in com.example.annotations:

package com.example.annotations;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

// Marker annotation: it has no members, only its presence on a handler method matters.
// RUNTIME retention is required, otherwise the aspect cannot see it through reflection.
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface SessionValid {
}

2. Create an Aspect for the Annotation: Save this in com.example.aspects. The aspect only runs if AspectJ auto-proxying is enabled (@EnableAspectJAutoProxy on a configuration class, or spring-boot-starter-aop in Spring Boot); without it the annotation is silently ignored and every "protected" method stays open. On Spring 6 / Spring Boot 3 the servlet API lives under jakarta.servlet instead of javax.servlet, so adjust the import accordingly.

package com.example.aspects;

import com.example.annotations.SessionValid;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.server.ResponseStatusException;

import javax.servlet.http.HttpSession;

@Aspect
@Component
public class SessionValidationAspect {

    // Runs before any method carrying @SessionValid; the annotation instance is
    // bound to the "sessionValid" parameter by the @annotation(...) pointcut.
    @Before("@annotation(sessionValid)")
    public void checkSession(JoinPoint joinPoint, SessionValid sessionValid) {
        // getSession(false) must not create a session: an unauthenticated
        // request should never be handed a fresh one just for asking.
        HttpSession session = ((ServletRequestAttributes) RequestContextHolder
            .currentRequestAttributes()).getRequest().getSession(false);

        if (session == null || session.getAttribute("user") == null) {
            // A bare RuntimeException surfaces as HTTP 500 (and, depending on the
            // error page, a stack trace). Fail closed with an explicit 401 instead.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Session expired. Access denied.");
        }
    }
}

3. Apply the Annotation to Controller Methods: Save this in com.example.controllers:

package com.example.controllers;

import com.example.annotations.SessionValid;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class SecureController {

    @GetMapping("/secure-data")
    @SessionValid
    @ResponseBody
    public String getSecureData() {
        return "This is protected data.";
    }
}        
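The annotation and aspect above only check that a session carries a "user" attribute; what sets that attribute, and what clears it, decides how strong the check really is. As an added example that is not part of the original post, here is a login/logout controller that establishes the session the way the check expects. It assumes a hypothetical CredentialChecker bean for password verification (the name and interface are this example's, not the post's); the session handling is the point.

```java
package com.example.controllers;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.server.ResponseStatusException;

/**
 * Establishes and tears down the "user" session attribute that @SessionValid
 * relies on. Credential verification is delegated to a hypothetical
 * CredentialChecker bean (an assumption of this example, not part of the post).
 */
@Controller
public class LoginController {

    private final CredentialChecker credentials;

    public LoginController(CredentialChecker credentials) {
        this.credentials = credentials;
    }

    @PostMapping("/login")
    @ResponseBody
    public String login(@RequestParam String username,
                        @RequestParam String password,
                        HttpServletRequest request) {
        if (!credentials.verify(username, password)) {
            // Fail closed, and do not reveal whether the username or the password was wrong.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Invalid credentials");
        }

        // Session fixation defence: drop any session that existed before the user
        // proved who they are, so an attacker-chosen session id never becomes an
        // authenticated one. The new session gets a fresh id from the container.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute("user", username);
        // Idle timeout in seconds; once it elapses the container drops the session
        // and @SessionValid starts rejecting this client again.
        session.setMaxInactiveInterval(15 * 60);
        return "Logged in as " + username;
    }

    @PostMapping("/logout")
    public String logout(HttpServletRequest request) {
        // Invalidate server-side. Merely removing the "user" attribute would leave
        // the session (and its id) alive and reusable.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        return "redirect:/login";
    }

    /** Hypothetical credential store; supply a real implementation as a Spring bean. */
    public interface CredentialChecker {
        boolean verify(String username, String password);
    }
}
```

Both endpoints are mapped to POST so that neither logging in nor logging out can be triggered by a plain cross-site link; the invalidate-then-create sequence at login is what keeps a pre-authentication session id from being promoted to an authenticated one.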

4. Apply Globally Using an Interceptor (Alternative Approach): If you need a global session check across all controllers rather than per-method annotations, create a HandlerInterceptor and register it through WebMvcConfigurer. An interceptor runs before the handler method is invoked and needs no AOP proxying, so it cannot be skipped by forgetting an annotation on a new endpoint.

package com.example.interceptors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.HandlerInterceptor;

public class SessionValidationInterceptor implements HandlerInterceptor {

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        // Never create a session here; an anonymous request must not be handed one.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            // Prefix with the context path so the redirect still works when the
            // application is not deployed at the server root.
            response.sendRedirect(request.getContextPath() + "/login");
            return false; // stop the chain; the handler never runs
        }
        return true;
    }
}

WebMvcConfigurer Configuration:

package com.example.config;

import com.example.interceptors.SessionValidationInterceptor;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class WebConfig implements WebMvcConfigurer {

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        // "/**" makes the check global. Exclude the login page, otherwise every
        // redirect to /login is itself redirected (an infinite loop), plus any other
        // public paths your application has (Spring Boot's /error endpoint included).
        registry.addInterceptor(new SessionValidationInterceptor())
            .addPathPatterns("/**")
            .excludePathPatterns("/login", "/error");
    }
}
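As an added check that is not part of the original post, here is a JUnit 5 test using Spring's MockMvc that proves the interceptor fails closed. It assumes spring-test and JUnit 5 are on the test classpath and uses MockMvc's stand-alone setup, so no Spring context is started; the interceptor is mapped by hand to every path instead of going through WebConfig.

```java
package com.example.interceptors;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import com.example.controllers.SecureController;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;

class SessionValidationInterceptorTest {

    private MockMvc mvc;

    @BeforeEach
    void setUp() {
        // Stand-alone MockMvc: no application context, so the interceptor is wired
        // by hand to every path (the same effect as addPathPatterns("/**")).
        mvc = MockMvcBuilders.standaloneSetup(new SecureController())
            .addMappedInterceptors(new String[] {"/**"}, new SessionValidationInterceptor())
            .build();
    }

    @Test
    void requestWithoutSessionIsRedirectedToLogin() throws Exception {
        // No session at all: the interceptor must stop the chain and redirect.
        mvc.perform(get("/secure-data"))
            .andExpect(status().is3xxRedirection())
            .andExpect(redirectedUrl("/login"));
    }

    @Test
    void sessionWithoutUserAttributeIsAlsoRejected() throws Exception {
        // A session exists but "user" was never set (e.g. a pre-login session):
        // that must be treated exactly like no session.
        mvc.perform(get("/secure-data").sessionAttr("cart", "empty"))
            .andExpect(status().is3xxRedirection())
            .andExpect(redirectedUrl("/login"));
    }

    @Test
    void authenticatedSessionReachesTheHandler() throws Exception {
        // Constructed session attribute standing in for a completed login.
        mvc.perform(get("/secure-data").sessionAttr("user", "alice"))
            .andExpect(status().isOk())
            .andExpect(content().string("This is protected data."));
    }
}
```

The second test is the one worth keeping: a session that exists but was never authenticated is the state an attacker can always produce for free, so it must be rejected just like a missing session.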

🔧 Package Structure:

  • com.example.annotations for @SessionValid
  • com.example.aspects for SessionValidationAspect
  • com.example.controllers for controllers
  • com.example.interceptors for SessionValidationInterceptor
  • com.example.config for WebConfig

💡 Why Custom Annotations in Spring MVC?

  • Centralized Session Management: Reduce repeated session-checking code in controllers.
  • Cleaner Codebase: Improve readability by abstracting session checks.
  • Security: Enforce the same fail-closed check on every protected method, so a new endpoint can't silently forget it.

Be clear about what the check proves: a server-side session exists and carries a "user" attribute. That is authentication only, not authorization (who may do what), and it is only as strong as the code that sets "user" on login and invalidates the session on logout. It does not replace a dedicated framework such as Spring Security, which also covers session fixation protection, CSRF defence and concurrent-session control; treat it as a lightweight building block rather than a complete security layer.

Takeaway: Custom annotations and global interceptors in Spring MVC put the session check in one place, which makes it both harder to forget and easier to audit, and that is what makes the application more secure and maintainable.

💬 Have you created custom annotations or used interceptors in your projects? Share your insights and experiences below! 🛡️✨

#Java #SpringMVC #CustomAnnotations #WebSecurity #JavaDevelopment
