I'm doing some proof-of-concept work with Spring MVC and security. So far I've managed to write a simple web-app which has a secure webpage which requires a user to login and have the correct role before accessing the database and listing some data. I'm using Spring 2.0.8 by the way.
What I require is that, after the user has logged on, is to access the user principal object for the current session to pass into my DAO layer. I'd like to do this through the standard bean wiring, so it will have to be something determined at runtime.
Any pointers to get started?
Cheers
Neil
SecurityContextHolder#getContext() will return a SecurityContext associated with the current user request.
From there, you can call getAuthentication().getPrincipal() to get the data associated with the logged-in user.
There is no need to inject any bean, the static method in SecurityContextHolder will take care of accessing the correct thread-local data.
In my application, when a user updates their username, I want to clear that authentication from the security context because the old username was used in basic auth calls.
In my controller doing the update, this is easy enough with
SecurityContextHolder.getContext().setAuthentication(null);
But I'm looking for a way to access the current security context without using static methods for ease of unit testing (not to mention the static call doesn't seem very "springy").
The answer here looks pretty close to what I'm looking for, but I'm hoping there's a way to do this without writing a wrapping class. I also tried to inject SecurityContextHolderStrategy into my controller constructor (as was implied I might be able to do in that answer and the related jira) and there was no bean defined of that type.
So: Is there a way to access the current SecurityContext in a Spring Controller without using SecurityContextHolder static methods?
My version of Spring Security is 3.2.5.RELEASE.
I'd like my application layer to be aware of which user is logged in to simplify method signatures - for instance method(owner, object) would be simply method(object). I use Spring Security for security though I'd like to keep Spring out of my application layer so there is a separate layer just for that purpose (and DTO conversion) - like a facade (adapter for application services).
How can I make the application layer aware of the user context it's operating on without using Spring?
You would need to register a Filter or HandlerInterceptor that would have a look at the HttpSession and, if the user is logged in, store some kind of User representation in some static ThreadLocal context. Any class could then have access to this static ThreadLocal containing your User object.
You would have to remove this object when the user logs out or session expires. Hint: HttpSessionListener.
I have a simple auditing requirement for my JPA entities: keep the creation and last modification date and author. The author should be the currently logged-in user.
I would like to implement this using @PrePersist and @PreUpdate annotations on a base class, or a JPA interceptor (no additional framework).
However, in both cases, I need a way to access the currently logged in user, which is stored in the HttpSession.
How can I access this information from a method on my base entity class or from a JPA interceptor?
Is there any best practice or any tested method on how to achieve that?
I was thinking, maybe add a web interceptor that, for each request, puts the logged-in user object into a globally reachable ThreadLocal (e.g. inside a Spring singleton service), which would make it possible to look it up from anywhere...
Does that sound like a good idea?
Any suggestion welcome!
Edit: found similar question here (found it only after posting my own through suggestions on the right): Setting createdBy and updatedBy in JPA entities automatically
The conclusion seems to go in the direction of ThreadLocal... still, any feedback welcome !
If you do not use remote (EJB) calls then the idea to use ThreadLocal should work, as most containers use one thread for each request processed. You need to be careful when you put the user and when you delete it, as the container probably uses a thread pool and you don't want to leave the user object attached to a thread that might be used to process another request.
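A concrete form of the Filter-plus-ThreadLocal approach that the answer above and the earlier answer about the application layer both describe, including the cleanup both of them insist on. This is an added example, not code from any of the posts; it assumes the Servlet 4.0 and JPA 2.2 APIs, Java 8, a session attribute named "user" that holds the username, and that the filter is mapped in front of the controllers.

```java
import java.io.IOException;
import java.time.LocalDateTime;
import javax.persistence.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Framework-neutral holder: application code and JPA callbacks read only this.
public final class CurrentUser {
    private static final ThreadLocal<String> USER = new ThreadLocal<>();
    public static void set(String username) { USER.set(username); }
    public static String get() { return USER.get(); }
    public static void clear() { USER.remove(); }
}

// Copies the logged-in user from the HttpSession into the ThreadLocal for one
// request. Containers pool threads, so the finally block below is what stops a
// stale user from being visible to the next request served by the same thread.
class CurrentUserFilter implements Filter {
    static final String SESSION_KEY = "user"; // assumed session attribute name
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Object user = session == null ? null : session.getAttribute(SESSION_KEY);
        if (user != null) CurrentUser.set(user.toString());
        try {
            chain.doFilter(req, res);
        } finally {
            CurrentUser.clear(); // always runs, even when the chain throws
        }
    }
}

// JPA base class stamping creator/modifier from the holder; no Spring types.
@MappedSuperclass
abstract class Auditable {
    private String createdBy;
    private String updatedBy;
    private LocalDateTime createdAt;
    private LocalDateTime updatedAt;
    @PrePersist void onCreate() {
        createdAt = updatedAt = LocalDateTime.now();
        createdBy = updatedBy = CurrentUser.get();
    }
    @PreUpdate void onUpdate() {
        updatedAt = LocalDateTime.now();
        updatedBy = CurrentUser.get();
    }
}
```

Because the filter only reads the session, logout or session expiry needs no extra hook for the ThreadLocal itself: the next request on that thread simply finds no attribute and the value stays null.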
I have difficulty understanding the proper usage of the @SessionAttribute annotation.
I wonder whether @SessionAttribute is used to store the user authentication object, or to store a form object that exists only within the session.
I want to check whether a user has logged in before invoking the handler.
I am really confused between these three kinds of objects:
Session scope bean
@SessionAttribute
HttpSession
Please give a proper example of @SessionAttribute usage and the pros/cons of each of these.
Thanks.
@SessionAttribute is for temporarily storing model objects in the session. Examples include storing a set of search criteria or storing data for a multi-page wizard.
If you're after checking for authentication status, while in theory you could probably hack something together with @SessionAttribute, you're much better off using Spring Security. There are many other authentication and authorization concerns that you aren't addressing if you don't have a security solution in place.
I would like to set the User Object which contains the details of the user into session in my Spring Application.
I would like to use this session object when I would like to retrieve the details of the logged in user on various JSP pages.
I am using Spring 3 and Spring Security 3
I would like to set the User object in the session from my custom authentication class which is not a controller
How can I achieve this?
I assume you have some implementation of UserDetailsService class. You can return any User object implementing UserDetails from loadUserByUsername(). This object is then automatically placed in your HTTP session. It can then be retrieved with:
User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
Spring Security handles everything you need automatically.
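A null-safe, injectable version of the SecurityContextHolder lookup shown in the answer above and in the first answer on this page, as an added example that is not from any of the posts. It assumes Spring Security's standard AnonymousAuthenticationFilter is in the chain (so anonymous requests carry an AnonymousAuthenticationToken) and Java 8 for Optional; the bean name CurrentPrincipal is made up here.

```java
import java.util.Optional;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;

// Injectable wrapper around the static SecurityContextHolder lookup. Services
// and DAOs take this bean in their constructor, so a unit test can pass a stub
// instead of having to populate the thread-local security context.
@Component
public class CurrentPrincipal {

    // The bare getPrincipal() cast in the answer above fails in two cases that
    // this method handles: getAuthentication() is null when no security context
    // has been set on the thread, and for an anonymous request the token is an
    // AnonymousAuthenticationToken whose principal is the String "anonymousUser".
    public Optional<UserDetails> get() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken
                || !(auth.getPrincipal() instanceof UserDetails)) {
            return Optional.empty();
        }
        return Optional.of((UserDetails) auth.getPrincipal());
    }

    // For callers that must have a user (e.g. a DAO tagging rows with an owner):
    // fail loudly here instead of storing null or hitting a ClassCastException.
    public String usernameOrThrow() {
        return get().map(UserDetails::getUsername)
                .orElseThrow(() -> new IllegalStateException("no authenticated user"));
    }

    // Counterpart of the setAuthentication(null) line in the username-update
    // question above, kept behind the same bean so it is mockable as well.
    public void clear() {
        SecurityContextHolder.clearContext();
    }
}
```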