Proper usage of @SessionAttribute Annotation - spring

I have difficulty understanding the proper usage of the @SessionAttribute annotation.
I wonder whether @SessionAttribute is used to store the user authentication object, or to store a form object that exists within the session only.
I want to check whether a user has logged in before invoking the handler.
I am really confused about these three kinds of object:
Session scope bean
@SessionAttribute
HttpSession
Please give a proper example of @SessionAttribute usage and the pros/cons of each of these.
Thanks.

@SessionAttribute is for temporarily storing model objects in the session. Examples include storing a set of search criteria or storing data for a multi-page wizard.
If you're after checking for authentication status, while in theory you could probably hack something together with @SessionAttribute, you're much better off using Spring Security. There are many other authentication and authorization concerns that you aren't addressing if you don't have a security solution in place.
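The multi-page wizard use the answer describes, as an added example (not code from the answer or from Spring itself): the form-backing object is declared with @SessionAttributes so it survives between steps, and SessionStatus.setComplete() removes it once the wizard ends. SignupForm and the URL paths are assumptions.

```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;

// Hypothetical form-backing bean for the wizard (assumed, not from the page).
class SignupForm {
    private String email;
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

@Controller
@RequestMapping("/signup")
@SessionAttributes("signupForm") // the "signupForm" model attribute is kept in the HttpSession
public class SignupWizardController {

    // Creates the form on the first request; once the attribute is in the
    // session, the session copy is what later requests bind to.
    @ModelAttribute("signupForm")
    public SignupForm createForm() {
        return new SignupForm();
    }

    @RequestMapping(value = "/step1", method = RequestMethod.POST)
    public String step1(@ModelAttribute("signupForm") SignupForm form) {
        // Request parameters were bound onto the session-held instance.
        return "redirect:/signup/step2";
    }

    @RequestMapping(value = "/step2", method = RequestMethod.GET)
    public String showStep2(@ModelAttribute("signupForm") SignupForm form, Model model) {
        model.addAttribute("email", form.getEmail()); // value entered in step 1 survives the redirect
        return "signup/step2";
    }

    @RequestMapping(value = "/step2", method = RequestMethod.POST)
    public String finish(@ModelAttribute("signupForm") SignupForm form, SessionStatus status) {
        // ... persist the new account here ...
        status.setComplete(); // drops "signupForm" from the session so stale wizard data
                              // is not left behind for the rest of the session
        return "redirect:/welcome";
    }
}
```

Note that the session attribute only carries form state; it says nothing about whether the caller is authenticated, which is the point the answer makes about leaving that to Spring Security.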

Related

How many ways are there to access the scope variables in spring-mvc?

Someone please help me find Spring MVC examples.
Usually, once we log in to the application, we create a session and put some objects into the session, which we access at a later point in time, in request scope as well. But Spring MVC 3 is difficult to understand; even the documentation is confusing, and everyone's examples are only basic ones.
You can access these objects in a JSP/JSTL:
applicationScope
cookie
header
headerValues
initParam
pageContext
pageScope
param
paramValues
requestScope
sessionScope
As well as any request attributes that you add, including model attributes (whose default name is command).
More info here: http://www.informit.com/articles/article.aspx?p=30946&seqNum=7
If you want to access HttpRequest, HttpResponse, HttpSession, add them as arguments to a Spring Controller Handler Method. Spring will pass them in for you.

How to get the current SecurityContext in a Spring Controller without using SecurityContextHolder static methods?

In my application, when a user updates their username, I want to clear that authentication from the security context because the old username was used in basic auth calls.
In my controller doing the update, this is easy enough with
SecurityContextHolder.getContext().setAuthentication(null);
But I'm looking for a way to access the current security context without using static methods for ease of unit testing (not to mention the static call doesn't seem very "springy").
The answer here looks pretty close to what I'm looking for, but I'm hoping there's a way to do this without writing a wrapping class. I also tried to inject SecurityContextHolderStrategy into my controller constructor (as was implied I might be able to do in that answer and the related jira) and there was no bean defined of that type.
So: Is there a way to access the current SecurityContext in a Spring Controller without using SecurityContextHolder static methods?
My version of spring security is 3.2.5.RELEASE.

Auditing JPA entities in a webapp: how to obtain the logged-in user?

I have a simple auditing requirement for my JPA entities: keep the creation and last modification date and author. The author should be the currently logged-in user.
I would like to implement this using @PrePersist and @PreUpdate annotations on a base class, or a JPA interceptor (no additional framework).
However, in both cases, I need a way to access the currently logged-in user, which is stored in the HttpSession.
How can I access this information from a method on my base entity class or from a JPA interceptor?
Is there any best practice or any tested method on how to achieve that?
I was thinking, maybe add a web interceptor that, for each request, puts the logged-in user object into a globally reachable ThreadLocal (e.g. inside a Spring singleton service), which would make it possible to look it up from anywhere...
Does that sound like a good idea?
Any suggestion welcome!
Edit: found a similar question here (found it only after posting my own, through the suggestions on the right): Setting createdBy and updatedBy in JPA entities automatically
The conclusion seems to go in the direction of ThreadLocal... still, any feedback welcome!
If you do not use remote (EJB) calls then the idea to use ThreadLocal should work, as most containers use one thread for each request processed. You need to be careful when you put the user and when you delete it, as the container probably uses a thread pool and you don't want to leave the user object attached to a thread that might be used to process another request.
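The ThreadLocal approach with the care the answer asks for, as an added example (not code from the question or answer): a servlet Filter binds the session's user to the thread for one request and unbinds it in a finally block, so a pooled thread never carries an identity into the next request, and a @MappedSuperclass stamps the author fields. The session attribute name "user" and the class names are assumptions.

```java
import java.io.IOException;
import java.util.Date;
import javax.persistence.MappedSuperclass;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Request-scoped identity carried on the worker thread (no Spring needed).
final class CurrentUser {
    private static final ThreadLocal<String> USER = new ThreadLocal<String>();
    static void set(String name) { USER.set(name); }
    static String get() { return USER.get(); }
    static void clear() { USER.remove(); } // remove(), not set(null), so nothing lingers on the thread
}

// Binds the session's user to the thread for exactly one request, then always unbinds it.
class CurrentUserFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Object user = (session == null) ? null : session.getAttribute("user"); // attribute name assumed
        CurrentUser.set(user == null ? null : user.toString());
        try {
            chain.doFilter(req, res);
        } finally {
            CurrentUser.clear(); // the pooled thread must not carry this identity into the next request
        }
    }
}

// Base class for audited entities; author fields come from the thread-bound user.
@MappedSuperclass
abstract class AuditedEntity {
    private String createdBy, updatedBy;
    private Date createdAt, updatedAt;

    @PrePersist void onCreate() {
        createdAt = updatedAt = new Date();
        createdBy = updatedBy = requireUser();
    }
    @PreUpdate void onUpdate() { updatedAt = new Date(); updatedBy = requireUser(); }

    // Fail closed: a write with no bound user would record a wrong or empty author.
    private static String requireUser() {
        String u = CurrentUser.get();
        if (u == null) throw new IllegalStateException("no logged-in user bound to this thread");
        return u;
    }
}
```

Batch jobs or remote (EJB) calls that write entities outside a web request will hit the IllegalStateException, which is the answer's caveat made visible rather than silently misattributed.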

Inject cookies into controller

Is there any way to inject the cookie dependency into a controller? Or do I have to write my own interface and wrapper class around the Cookie collection class?
I think you're asking about whether you can get a Cookie as a parameter to an Action. I don't believe you can do this, so you'll have to hit the Cookie class directly.
What we do in this case (when cookie based data is required by most of the actions in an application) is put a utility method in a Controller base class and then have all our controllers descend from that. Makes it very easy to use the Cookie in an Action, and centralizes the code for extracting it.
Since no better answer surfaced, I just implemented an interface and injected that for the concrete scenario and mocked it for tests.

Access to User ID in Spring

I'm doing some proof-of-concept work with Spring MVC and security. So far I've managed to write a simple web-app which has a secure webpage which requires a user to login and have the correct role before accessing the database and listing some data. I'm using Spring 2.0.8 by the way.
What I require, after the user has logged on, is to access the user principal object for the current session to pass into my DAO layer. I'd like to do this through the standard bean wiring, so it will have to be something determined at runtime.
Any pointers to get started?
Cheers
Neil
SecurityContextHolder#getContext() will return a SecurityContext associated with the current user request.
From there, you can call getAuthentication().getPrincipal() to get the data associated with the logged-in user.
There is no need to inject any bean, the static method in SecurityContextHolder will take care of accessing the correct thread-local data.
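Resolving the principal the way the answer describes and handing it to the DAO, as an added example (not code from the answer or from Spring Security): the imports use the Spring Security 3.x package names rather than the 2.0.8 ones from the question, and AccountDao and AccountController are hypothetical.

```java
import java.util.List;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

// Hypothetical DAO; the real one would take the owner and scope its query by it.
interface AccountDao {
    List<?> findForOwner(String owner);
}

final class CurrentPrincipal {
    // Username of the authenticated caller, or null when there is no real login
    // (no context, not authenticated, or the anonymous filter's placeholder token).
    static String username() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null;
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        return principal.toString(); // some providers set a plain String principal
    }
}

@Controller
public class AccountController {
    private final AccountDao dao;

    public AccountController(AccountDao dao) { this.dao = dao; }

    @RequestMapping("/accounts")
    public String list(Model model) {
        String owner = CurrentPrincipal.username();
        if (owner == null) throw new AccessDeniedException("login required"); // Spring Security should already block this URL
        // The DAO is scoped by the authenticated identity, never by an id taken from the request.
        model.addAttribute("accounts", dao.findForOwner(owner));
        return "accounts";
    }
}
```

CurrentPrincipal.username() can be exercised in a unit test by populating SecurityContextHolder.getContext() with a test Authentication before the call and clearing it afterwards.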
