Spring Security Additional Logged in user information - spring

I have created a Spring Security application. When the user logs in, the user name and roles get stored in the SecurityContext. The same can be retrieved using Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
How can I store additional user information like user ID, email, associated branch ID etc. in the context?

The basic idea is to implement a custom UserDetails. You can read this question for a longer explanation.
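One way to carry those extra attributes, as an added example that is not code from the question or the answer above: extend Spring's own User class with the additional fields, return it from a UserDetailsService, and read it back out of the SecurityContext with a type check. AccountRepository and AccountRecord are hypothetical data-access types standing in for whatever JDBC or JPA layer the application has; the code assumes Java 16+ (records, Stream.toList()).

```java
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * UserDetails that carries the extra attributes. Extending Spring's User keeps
 * username, password hash, authorities and the account-status flags, plus the
 * username-based equals/hashCode that session concurrency control relies on.
 */
public class AppUserDetails extends User {

    private final long userId;
    private final String email;
    private final long branchId;

    public AppUserDetails(String username, String passwordHash,
                          Collection<? extends GrantedAuthority> authorities,
                          long userId, String email, long branchId) {
        // The password handed to Spring must already be hashed with the
        // configured PasswordEncoder; never put a clear-text password here.
        super(username, passwordHash, authorities);
        this.userId = userId;
        this.email = email;
        this.branchId = branchId;
    }

    public long getUserId() { return userId; }
    public String getEmail() { return email; }
    public long getBranchId() { return branchId; }

    /**
     * Reads the custom principal back out of the SecurityContext. Returns empty
     * for unauthenticated requests and for the anonymous principal (a plain
     * String, "anonymousUser"), so callers never hit a ClassCastException.
     */
    public static Optional<AppUserDetails> current() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof AppUserDetails)) {
            return Optional.empty();
        }
        return Optional.of((AppUserDetails) auth.getPrincipal());
    }

    /** Hypothetical data-access types; a real application backs these with JDBC or JPA. */
    public record AccountRecord(long userId, String username, String passwordHash,
                                String email, long branchId, List<String> roles) {}

    public interface AccountRepository {
        Optional<AccountRecord> findByUsername(String username);
    }

    /**
     * UserDetailsService that builds the enriched principal. Registered as a
     * bean, it is picked up by DaoAuthenticationProvider for form login.
     */
    public static class Service implements UserDetailsService {
        private final AccountRepository accounts;

        public Service(AccountRepository accounts) {
            this.accounts = accounts;
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            AccountRecord rec = accounts.findByUsername(username)
                    .orElseThrow(() -> new UsernameNotFoundException("No account for " + username));
            List<GrantedAuthority> authorities = rec.roles().stream()
                    .map(role -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + role))
                    .toList();
            return new AppUserDetails(rec.username(), rec.passwordHash(), authorities,
                    rec.userId(), rec.email(), rec.branchId());
        }
    }
}
```

In a controller the attributes are then available either through AppUserDetails.current().map(AppUserDetails::getBranchId) or by declaring a handler parameter annotated with @AuthenticationPrincipal AppUserDetails user. Keep the instanceof check: endpoints reachable by anonymous users see a String principal, not your class.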

Related

Check user roles from Application Service

I'm implementing an Application Service that sends statistical data to the home page (dashboard application page).
Based on the user's role (the service needs authentication) I would extract/aggregate data from the database using WhereIf() based on its role.
In particular, if the user is an administrator, I will not apply a data extraction filter using WhereIf().
To do that I've injected IAbpSession inside the service constructor to be able to get the user id, but how can I check if the user is an administrator?
You can check if the current user is an administrator by checking the associated roles of that user. You must inject the UserManager, which has several methods for role checking. One of them is IsInRole(userId, roleName).

Grails - Spring Security - Many dynamic roles

I'm developing an application using Grails and Spring Security.
My wish is that when the user creates his account, giving his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission to do everything. The user with that role can create new roles specifying the permissions, but all roles created should be only in the company scope, so those roles should not be available to users of other companies.
I've seen that Spring Security has a feature called Requestmap, where for each URL the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as fast as the number of users.
Do you guys have some advice on how to solve this problem?
Thank you all.
You should have a look at the Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) for certain users on certain domain model instances.
Have a look at this example taken from the documentation:
    @Transactional
    @PreAuthorize("hasPermission(#report, write) or " +
                  "hasPermission(#report, admin)")
    Report updateReport(Report report, params) {
        report.properties = params
        report.save()
        report
    }
By using the PreAuthorize annotation it is checked whether the user has write (or admin) permission on this particular Report entity.

Spring Security:custom query

I have a question:
Is it possible to customize the query at the authentication provider using jdbc-user-service?
For example:
I have an application where users choose their roles when they enter their logins and passwords, so I want to create a query like this:
select login,password, enabled from xxxx where username=?
and after this query I want to assign to this person (returned by this query), if it exists, a role which is xxxx. I should also pass the selected role to this query.
xxxx is the role which is selected by the user at first.
I hope that you understand me, and sorry if it is a stupid question, I'm still a beginner.
I think you should consider writing a custom authentication service class instead of a jdbc-user-service query. You hold the user role somehow and, while building the authorities of the logged-in user in the UserDetails service, add the appropriate role to the collection. OR the role of the logged-in user can be manipulated later. You are gonna have to try and manipulate the Spring Security context. Read this forum page to know more.
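An added example, not the answerer's code and using a different hook than the one suggested above: instead of adding the role inside the UserDetailsService (which only receives the username), this wraps the normal password-checking AuthenticationProvider and narrows the authorities to the role picked on the login form. The security-relevant point is step 3: the chosen role is user-controlled input, so it is honoured only if the account already holds it in the database; otherwise anyone could select ROLE_ADMIN. The login form is assumed to post the role under a field named "role" (hypothetical), with the same spelling as the authority stored for the user; the servlet import is jakarta.servlet for Spring Security 6 (javax.servlet on 5.x).

```java
import java.util.List;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Verifies the password through a delegate provider, then restricts the
 * session to the single role the user selected, provided the account holds it.
 */
public class RoleSelectingAuthenticationProvider implements AuthenticationProvider {

    /** Carries the "role" form field (hypothetical name) next to the usual remote address / session id. */
    public static class RoleSelectionDetails extends WebAuthenticationDetails {
        private final String requestedRole;

        public RoleSelectionDetails(HttpServletRequest request) {
            super(request);
            this.requestedRole = request.getParameter("role");
        }

        public String getRequestedRole() { return requestedRole; }
    }

    /** Register with http.formLogin(f -> f.authenticationDetailsSource(DETAILS_SOURCE)). */
    public static final AuthenticationDetailsSource<HttpServletRequest, RoleSelectionDetails> DETAILS_SOURCE =
            RoleSelectionDetails::new;

    private final AuthenticationProvider delegate;

    /** @param delegate the provider that checks the password, e.g. a DaoAuthenticationProvider. */
    public RoleSelectingAuthenticationProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        // 1. Verify the password first; the result carries every role the account holds.
        Authentication verified = delegate.authenticate(request);

        // 2. No selection present (another login path, or empty field): keep the full role set.
        Object details = request.getDetails();
        if (!(details instanceof RoleSelectionDetails)) {
            return verified;
        }
        String requested = ((RoleSelectionDetails) details).getRequestedRole();
        if (requested == null || requested.isBlank()) {
            return verified;
        }

        // 3. The selection is user input: honour it only if the database already
        //    grants this role to the account; otherwise the form would let any
        //    user escalate to any role by name.
        boolean holdsRole = verified.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals(requested));
        if (!holdsRole) {
            throw new BadCredentialsException("Selected role is not granted to this account");
        }

        // 4. Rebuild the token with just the chosen role, so the session runs with least privilege.
        List<GrantedAuthority> narrowed = List.of(new SimpleGrantedAuthority(requested));
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                verified.getPrincipal(), verified.getCredentials(), narrowed);
        result.setDetails(details);
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Because the narrowing happens before the Authentication is placed in the SecurityContext, the rest of the application (hasRole checks, method security) sees only the selected role and nothing needs to be patched into the context afterwards. Rejecting an unheld role with BadCredentialsException rather than silently granting the full set also keeps the failure visible in the authentication event log.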

Concurrent user Login in spring mvc

I am currently having a problem implementing concurrent user sessions in Spring MVC. My requirement is that I have a web application which uses Spring MVC, I have my own login form, and I have not implemented Spring Security yet (which means I have not configured any role-based user restriction in my web application). I want only one user with the same username to be logged in from a machine. I have surfed all over the net but couldn't find any useful links or example project (without role-based restrictions).
My requirements:
One user per session
No role-based restriction
Have my own login form, and once the user logs in, the user object (which contains username and password) is stored in the session object
If the user tries to log in a second time, the previous user session should be terminated and the new user (second login) should be allowed to the home page.
Can someone please provide me a solution, links or example project for my requirement? Many thanks in advance :)
Why not just go ahead and use Spring Security? It will take care of deactivating sessions for you. You can use your own login form and not restrict any of your endpoints based on roles.
You can configure the max number of sessions like so:
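An added example of the configuration the answer refers to, written for the Spring Security 6 lambda DSL (on 5.x the request matcher method is antMatchers); it is not the answerer's own snippet. The paths /login, /home and /css/** are assumed. maximumSessions(1) with maxSessionsPreventsLogin(false) gives the behaviour asked for: the second login succeeds and the earlier session is expired.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SingleSessionSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // No role-based restriction: any authenticated user may reach any endpoint.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()   // assumed paths
                .anyRequest().authenticated())
            // Keep the existing custom login page; Spring Security only handles the POST.
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true)
                .permitAll())
            .sessionManagement(session -> session
                .maximumSessions(1)
                // false: the NEW login wins and the older session is expired,
                // which is the "terminate the previous session" requirement.
                // true would instead reject the second login.
                .maxSessionsPreventsLogin(false)
                // Where the expired (older) session is sent on its next request.
                .expiredUrl("/login?expired"));
        return http.build();
    }

    /**
     * Required so the session registry is told when a session is destroyed
     * (logout or timeout); without it a dead session still counts against
     * the limit and the user can be locked out of a fresh login.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

Concurrency control keys sessions by the principal object, so the UserDetails returned by your UserDetailsService must implement equals/hashCode by username (Spring's User class already does); a custom principal without them would never be recognised as the same user and the limit would not trigger.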

Spring MVC security based on Session Attribute

I am using a security scheme that is based on session attributes. I know that Spring has Acegi Security but I don't have much time to study that module. I just want to share this to solicit comments.
The pseudocode is like this.
On successful login, I am setting an attribute on the user session. The object that I am placing as a session attribute is a simple JavaBean with a map of privileges.
    public class UserInfo {
        private String role;
        private Map<String, Boolean> privileges;
        public String getRole() { return role; }
        public Map<String, Boolean> checkPrivilege() { return privileges; }
        // getters and setters
    }
The session attributes also contain the role of the user (he could be a User/Guest/Admin/Super Admin). Now there are certain privileges that are authorized for a User.
For my JSP, I just check the user session for his role and privilege.
My rough code is like this using JSTL:
    IF (User Info in Session is 'User' and has this privilege)
        Add Button is shown
    ELSE
        No Add Button is shown.
I have these questions:
Are session attributes considered secure, such that no one else can sniff or hack them?
Is security based on this scheme considered secure enough?
Session attributes are stored on the server side only, so yes, they are secure.
There is no problem with putting these security identifiers into session attributes in terms of security. But that is the easy part of web application security! The hard part is the rest of the security infrastructure, which I am concerned that you have not thought about yet.
I recommend you investigate Spring Security.
