Get Spring Principal User From HTTPSession From a Servlet - spring

I have a web application that is using Spring 3.* and I have a Flash component inside my web application that needs to POST to a Servlet. Inside the Servlet's doPost method I want to check the Spring application context to ensure there is an authenticated session, is this possible?

Well it is very simple, just use
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
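
A fuller version of that check inside a servlet, as an added example that is not part of the original answer. The servlet name is hypothetical, and the session fallback assumes the default HttpSessionSecurityContextRepository is in use; it matters when the servlet's URL is not mapped through springSecurityFilterChain, in which case SecurityContextHolder is empty.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical servlet name; the page does not show the asker's servlet.
public class FlashUploadServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Authentication auth = currentAuthentication(req);
        if (!isLoggedIn(auth)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated as " + auth.getName());
    }

    static Authentication currentAuthentication(HttpServletRequest req) {
        // Populated only when this request went through springSecurityFilterChain.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null) return auth;
        // Fallback: read the context that was saved in the session at login.
        HttpSession session = req.getSession(false); // never create a session here
        if (session == null) return null;
        Object ctx = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        return (ctx instanceof SecurityContext)
                ? ((SecurityContext) ctx).getAuthentication() : null;
    }

    static boolean isLoggedIn(Authentication auth) {
        // Anonymous tokens report isAuthenticated() == true, so exclude them explicitly.
        return auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken);
    }
}
```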

Related

spring-Security page redirect Issue

First of all, I am new to Spring Security.
My question is: when I authenticate a user from a form and redirect to a URL of a controller handler method and get a view, and then the user clicks a link, how do I authenticate that URL and other particular user?
I did this with session validation in every JSP in normal Java without Spring Security.
How do I achieve this in Spring Security?

Difference of Spring session management and spring security session?

I am new to Spring. I have a doubt about Spring session management and the Spring Security session: are both concepts the same or different? If different, what are they? Any suggestions?
May you be a little bit more specific in your question?
In Spring:
session can refer to one of the scopes that a bean belongs to. For example, if you define an instance (bean) of a class org.something.Counter with scope session, whenever you access that bean during a web session you will have the same instance of the object. A web session does not require Spring Security in order to exist. You can start from here to understand a little bit more about the session scope in Spring.
session may refer to HttpSession as specified by the Servlet API. This is not really related to Spring; even if you can use the standard HttpSession from within Spring, it is more generally related to the Servlet API.
In Spring Security:
If you are talking about Spring Security, instead of session I would talk of SecurityContext. The SecurityContext is actually stored as an HttpSession and restored to the SecurityContextHolder at every request. Here is where all security-related information is stored for the current session. See here for more details. In general a SecurityContext (at least at a very basic level) exists from the moment you log in to the moment you log out. Because it is stored as an HttpSession, it expires when the HttpSession expires (again, see the Servlet API specifications for more details).
Luca

transferring Principal from EJBContext to Spring SecurityContext

I'm using Spring Security to protect some EJB methods deployed on JBoss 5.1.0.
I'm looking for a nice way to transfer the java.security.Principal retrieved from the EJBContext, by calling getPrincipal(), to the Spring SecurityContext.
I wouldn't like to give up the Spring Security schema; I just need to set the Principal before the execution of the MethodSecurityInterceptor.
Any idea?

How to make a non-web thread run with the Spring Security Anonymous User?

I am using Spring Security 3.1 and I have some code which I execute on web application startup from the init method of a Servlet. The problem is that there is no valid Authentication object at the time my servlet init method executes. My servlet is configured to run after Spring has been initialized and Spring Security is fully configured.
How do I make the code in my init method run as the anonymous user in spring security?
How about:
SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(key, login, authorities));
where any non-empty string should do as a key, login like "anonymous", authorities - whichever you want him to have, at least one.

Spring security custom fields

1) How can I add a custom field in my login form and use that value to navigate to a different page after login? I need a custom authentication provider for authenticating. Can we use Spring MVC to tie all this together?
2) How can we get hold of HttpSession in auth provider?
1) I guess, you can choose the default behavior by implementing your own AuthenticationSuccessHandler and passing it to <form-login authentication-success-handler-ref="..."/>
2) This is actually not in the vein of the separation of concerns paradigm in Spring Security, where the authentication provider populates the Authentication object and another filter persists/populates the authentication in/from the HTTP session. Nevertheless, you can in general have access to the current HTTP request and, therefore, a session from anywhere inside the request processing chain by adding the filter org.springframework.web.context.request.RequestContextListener to your web.xml. Then use ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getSession() to reach the session from your authentication provider.
