Spring Boot - How to save an audited entity as "System" when using user based auditing? - spring

I'm working with an audited entity in my Spring Boot app (@CreatedBy, @LastModifiedBy etc.) and setting the current auditor with a session scoped bean based on the current logged in user. The auditing with a logged in user works just fine. But I'm also periodically pulling data with @Scheduled and I need to save the pulled data as the audited entity into my DB. The problem is that trying to save an audited entity without a logged in user still calls getCurrentAuditor() in AuditorAwareImpl which gets the current user from a session scoped bean, which is set when the user logs in, but because there is no user or session it causes this error:
Scope 'session' is not active for the current thread;
So basically I need my audited entity to be able to be saved by logged in users but also by the "System" (without a logged in user). Is there a reasonable solution to this problem or is my approach just wrong?
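One way to get a "System" auditor for scheduled saves, as an added example that is not part of the original post: a singleton AuditorAware that first checks whether a web request is bound to the thread, and only then asks Spring Security for the user. It assumes Spring Security and Spring Data 2.x or later (where getCurrentAuditor() returns Optional); the constant name SYSTEM_AUDITOR and the choice to return an empty Optional for unauthenticated requests are assumptions of this sketch.

```java
import java.util.Optional;

import org.springframework.data.domain.AuditorAware;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;

@Component // singleton scope: no session-scoped proxy is touched on scheduler threads
public class AuditorAwareImpl implements AuditorAware<String> {

    // Assumed reserved name; reject it at user registration so no account can claim it.
    public static final String SYSTEM_AUDITOR = "System";

    @Override
    public Optional<String> getCurrentAuditor() {
        // No request bound to this thread: a @Scheduled job or other background work.
        if (RequestContextHolder.getRequestAttributes() == null) {
            return Optional.of(SYSTEM_AUDITOR);
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            // A web request without a logged-in user must not be recorded as "System".
            return Optional.empty();
        }
        return Optional.of(auth.getName());
    }
}
```

Register it with @EnableJpaAuditing(auditorAwareRef = "auditorAwareImpl"). Work handed off from a request to another thread also has no request bound and would be attributed to "System", so pass the user name explicitly in that case.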

Related

Auditing JPA entities in webapp : how to obtain logged-in user?

I have a simple auditing requirement for my JPA entities: keep the creation and last modification date and author. The author should be the currently logged-in user.
I would like to implement this using @PrePersist and @PreUpdate annotations on a base class, or a JPA interceptor (no additional framework).
However, in both cases, I need a way to access the currently logged in user, which is stored in the HttpSession.
How can I access this information from a method on my base entity class or from a JPA interceptor?
Is there any best practice or any tested method on how to achieve that?
I was thinking, maybe add a web interceptor that, for each request, puts the logged-in user object into a globally reachable ThreadLocal (e.g. inside a Spring singleton service), which would make it possible to look it up from anywhere...
Does that sound like a good idea?
Any suggestion welcome!
Edit: found similar question here (found it only after posting my own through suggestions on the right): Setting createdBy and updatedBy in JPA entities automatically
The conclusion seems to go in the direction of ThreadLocal... still, any feedback welcome!
If you do not use remote (EJB) calls then the idea to use ThreadLocal should work, as most containers use one thread for each request processed. You need to be careful when you put the user and when you delete it, as the container probably uses a thread pool and you don't want to leave the user object attached to a thread that might be used to process another request.
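The set-and-clear discipline described in the answer above, as an added example that is not code from the original posts: a servlet filter binds the user to the thread for exactly one request and removes it in a finally block, so a pooled thread never carries one user's identity into another request. The class names, the javax.* API generation and the session attribute name "user" are assumptions.

```java
import java.io.IOException;
import javax.persistence.MappedSuperclass;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class CurrentUserFilter implements Filter {
    private static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    public static String currentUser() { return CURRENT_USER.get(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        // "user" is an assumed attribute name holding the login name.
        Object user = (session == null) ? null : session.getAttribute("user");
        try {
            if (user != null) CURRENT_USER.set(user.toString());
            chain.doFilter(req, res);
        } finally {
            // Pooled threads are reused: always clear, even if the request threw.
            CURRENT_USER.remove();
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}

@MappedSuperclass
abstract class AuditedEntity {
    protected String createdBy;
    protected String lastModifiedBy;

    @PrePersist
    void onCreate() { createdBy = lastModifiedBy = CurrentUserFilter.currentUser(); }

    @PreUpdate
    void onUpdate() { lastModifiedBy = CurrentUserFilter.currentUser(); }
}
```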

Will org.jboss.seam.web.Session.invalidate destroy the EJB threads that are created by the xhtml's?

I am working on a Seam web application where, once the user logs in, the main (or landing) page calls 4 stateful session beans. So once the user logs in, there will be at least 4 threads of stateful session beans created. The page also has a logout button. The logout component in the xhtml calls a POJO which has a logout method.
In the logout method, the following statement is executed:
Session.instance().invalidate();
Now the question is, will the 4 threads/instances of the stateful session beans which are created when the user logs in be destroyed or not?
I am running this application on JBOSS 4.2.3, Seam 2.2.1 Final
I am using JOSSO for authentication.
Yes, they're all part of the same session. You're actually creating session scoped beans, not separate sessions.
Easy enough to check though. Create a method in each of the session beans and annotate them with @Destroy; when the annotated bean is destroyed, it will call this method.
@Destroy
public void callMeWhenIDie() {
    // Logged when Seam destroys this bean, e.g. on session invalidation
    log.debug("I'm melting, I'm melting" + this.someDefiningCharacteristic);
}

Storing and Retrieving Data in Session using Spring MVC

Want to save User information in session and want to get that back from session using Spring MVC 3.
Can anyone give an example?
But this is giving an exception
org.springframework.web.HttpSessionRequiredException: Session attribute 'user' required - not found in session

Set User Object in session using Spring

I would like to set the User Object which contains the details of the user into session in my Spring Application.
I would like to use this session object when I would like to retrieve the details of the logged in user on various JSP pages.
I am using Spring 3 and Spring Security 3
I would like to set the User object in the session from my custom authentication class which is not a controller
How can I achieve this?
I assume you have some implementation of UserDetailsService class. You can return any User object implementing UserDetails from loadUserByUsername(). This object is then automatically placed in your HTTP session. It can then be retrieved with:
User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
Spring Security handles everything you need automatically.

Access to User ID in Spring

I'm doing some proof-of-concept work with Spring MVC and security. So far I've managed to write a simple web-app which has a secure webpage which requires a user to login and have the correct role before accessing the database and listing some data. I'm using Spring 2.0.8 by the way.
What I require, after the user has logged on, is to access the user principal object for the current session to pass into my DAO layer. I'd like to do this through the standard bean wiring, so it will have to be something determined at runtime.
Any pointers to get started?
Cheers
Neil
SecurityContextHolder#getContext() will return a SecurityContext associated with the current user request.
From there, you can call getAuthentication().getPrincipal() to get the data associated with the logged-in user.
There is no need to inject any bean, the static method in SecurityContextHolder will take care of accessing the correct thread-local data.
