先看后台的业务代码: package biz; import javax.servlet.http.HttpSession; public class UserBiz { /** * session和request是不需要传的,dwr会自动传,所以在页面调用的时候没有带session参数 * @param name * @param session * @return */ public String save(String name, HttpSession session) { session.setAttribute("name", name); return session.getAttribute("name").toString(); } } 页面的JSP代码,注意调用的时候有些不同: <html> <head> <base href="<%=basePath%>"> <title>dwr中如何访问session</title> <mce:script type='text/javascript' src="/dwr-session/dwr/interface/userBiz.js" mce_src="dwr-session/dwr/interface/userBiz.js"></mce:script> <mce:script type='text/javascript' src="/dwr-session/dwr/engine.js" mce_src="dwr-session/dwr/engine.js"></mce:script> <mce:script type="text/javascript"><!-- //把abc放在session中,并从session中取出来,回调的时候显示出来 function saveSession() { userBiz.save("abc",function(name) { alert(name); }); } // --></mce:script> </head> <body> <input type="button" οnclick="saveSession()" value="session"> </body> </html> dwr.xml的代码: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE dwr PUBLIC "-//GetAhead Limited//DTD Direct Web Remoting 2.0//EN" "http://getahead.org/dwr/dwr20.dtd"> <dwr> <allow> <create creator="new" javascript="userBiz"> <param name="class" value="biz.UserBiz" /> </create> </allow> </dwr> 注意:web.xml的配置 <servlet> <servlet-name>dwr-invoker</servlet-name> <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class> <init-param> <param-name>debug</param-name> <param-value>true</param-value> </init-param> <!-- 新加corssDomainSessionSecurity参数 不然会出现A request has been denied as a potential CSRF attack --> <init-param> <param-name>crossDomainSessionSecurity</param-name> <param-value>false</param-value> </init-param> </servlet> <servlet-mapping> <servlet-name>dwr-invoker</servlet-name> <url-pattern>/dwr/*</url-pattern> </servlet-mapping>