Audit log with JBoss Seam (EJB3+JSF) - ejb-3.0

I would need to implement an audit log for a web application written with JBoss Seam. EntityListeners seem like good candidates, but I don't know how to connect the EntityListeners to the application session context to include the logged-in user principal in the audit record.
I wonder if there is a way to do this "connection", or if there is a more comfortable/elegant/effective way to implement an audit log for this programming environment.
Thanks in advance.
Rafa.
Edit:
Many thanks to Damo for his answer! I tried the injection of my identity component, but it did not work. However, the suggested call to Component.getInstance() did provide the desired reference to the user's identity in the EntityListener.

Have you tried injecting your Application/Session scoped Beans into the EntityListener? Or using Component.getInstance("myBean") if injection is unavailable.
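The lookup approach from the answer, written out as an added example (not code from the original posts). It assumes Seam 2's built-in `Identity` component; the `Audited` interface and the "system"/"anonymous" labels are hypothetical names chosen for illustration.

```java
import java.util.Date;
import javax.persistence.PrePersist;
import javax.persistence.PreUpdate;
import org.jboss.seam.Component;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.security.Identity;

/** Hypothetical contract for entities that carry audit columns. */
interface Audited {
    void setModifiedBy(String user);
    void setModifiedAt(Date when);
}

/** Attach with @EntityListeners(AuditListener.class) on each audited entity. */
public class AuditListener {

    static final String SYSTEM_USER = "system";        // assumed label: no user session
    static final String ANONYMOUS_USER = "anonymous";  // assumed label: session, not logged in

    @PrePersist
    @PreUpdate
    public void stamp(Object entity) {
        if (entity instanceof Audited) {
            Audited audited = (Audited) entity;
            audited.setModifiedBy(currentUser());
            audited.setModifiedAt(new Date());
        }
    }

    /** The JPA provider, not Seam, creates listeners, so the identity is looked up. */
    static String currentUser() {
        // Timers, message-driven beans and startup code run without a session context.
        if (!Contexts.isSessionContextActive()) {
            return SYSTEM_USER;
        }
        Identity identity = (Identity) Component.getInstance(Identity.class);
        if (identity == null || !identity.isLoggedIn() || identity.getPrincipal() == null) {
            return ANONYMOUS_USER;
        }
        return identity.getPrincipal().getName();
    }
}
```

Keeping "system" and "anonymous" distinct lets a reviewer of the audit trail separate background writes from writes made in an unauthenticated session.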

Related

Spring session for session sharing(clustering) between servers

I'm trying to let two machines with the same base domain (subdomains differ) share a session.
spring-session-jdbc seems to be a solution I could use to achieve the goal.
When a user logs into server-a, session info is stored in SPRING_SESSION db.
What worries me is the fact that custom org.springframework.security.core.userdetails.UserDetails class is stored in that db as well.
When server-b tries to read session data from the db, it has to use the same custom subclass of the org.springframework.security.core.userdetails.UserDetails.
So I'm copying the code that relates to the UserDetails class from server-a to server-b.
I'm feeling a little awkward doing this, because server-a and server-b might want different UserDetails in general.
Is this really the intended way of using spring-session-jdbc?
Another question is, is it mandatory to use spring-security for both server-a and server-b?
Spring Session is meant to easily enable session clustering, i.e. have multiple instances of the same app share the external session store, therefore making it easier to scale your app.
For the problem you are trying to solve it might be a good idea to use an appropriate higher level protocol such as OAuth 2.0 and OpenID Connect and implement single sign-on without coupling your applications through the session store.
While the idea of sharing a session store between different apps might seem convenient initially, such an arrangement is usually very problematic, as you noted yourself with the UserDetails example.
In line with Vedran Pavic's answer it sounds like you should be using SSO. That said, there are instances where different code bases may want to share the same session, such as in micro-service clusters. In this case you should simply put your UserDetails into a base jar/module that the other jars/modules are dependent upon. You can use a build automation tool to make this packaging easier to accomplish.
To answer your final question, if these two applications are regularly communicating with each other then I'd recommend either using spring security everywhere or nowhere.
Default mechanism to persist and load session is through the SecurityContextRepository (Spring Security) or SessionRepository (Spring Session).
If you use Redis for session sharing the repository implementation could be RedisSecurityContextRepository (spring-security-redis) or RedisIndexedSessionRepository (Spring Session).
The latter one for sure serializes UserDetails, so you cannot share the session unless you use the same framework and user class versions.
I would use a custom SessionRepository and store the shared user info in portable JSON or XML, or whatever you like, not the serialized Java object ))
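The portable-record idea from the last answer, as an added example that is not code from the thread. It covers only the conversion step (not a full custom SessionRepository), assumes Jackson is on the classpath, and uses a hypothetical class name `PortableUser` with assumed field names `username` and `authorities`.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public final class PortableUser {
    private static final ObjectMapper JSON = new ObjectMapper();

    private PortableUser() { }

    /** server-a: reduce any UserDetails subclass to username + authority names. */
    public static String toJson(UserDetails user) throws Exception {
        Map<String, Object> doc = new LinkedHashMap<>();
        doc.put("username", user.getUsername());
        doc.put("authorities",
                new TreeSet<>(AuthorityUtils.authorityListToSet(user.getAuthorities())));
        return JSON.writeValueAsString(doc);
    }

    /** server-b: rebuild a stock User; no class from server-a is needed. */
    public static UserDetails fromJson(String json) throws Exception {
        Map<String, Object> doc =
                JSON.readValue(json, new TypeReference<Map<String, Object>>() { });
        Object name = doc.get("username");
        Object roles = doc.get("authorities");
        // Validate the fixed schema instead of trusting whatever the store returns.
        if (!(name instanceof String) || ((String) name).isEmpty() || !(roles instanceof List)) {
            throw new IllegalArgumentException("malformed portable user record");
        }
        List<?> list = (List<?>) roles;
        String[] names = new String[list.size()];
        for (int i = 0; i < names.length; i++) {
            if (!(list.get(i) instanceof String)) {
                throw new IllegalArgumentException("authority must be a string");
            }
            names[i] = (String) list.get(i);
        }
        // The password is deliberately not shared; User only requires a non-null value.
        return new User((String) name, "", AuthorityUtils.createAuthorityList(names));
    }
}
```

The resulting string can be stored as an ordinary session attribute, so the reading application parses a small fixed schema rather than deserializing another application's Java classes.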

Spring security openID attribute access

My question is similar to this SO question.
But I am using Spring security 3.1.4 in which following call is deprecated.
(OpenIDAuthenticationToken)exception.getAuthentication()
What is the alternative mechanism to get OpenIDAuthenticationToken in SimpleUrlAuthenticationFailureHandler implementation?
Thanks for your time and help.
If your requirement is to register users who are not already in your system, you can do that in the same way that the sample application does.
If you need more interaction with the user at that point, then the only alternative to the deprecated method that springs to mind would be to use your own custom exception.

How to execute custom handler before Spring authentication manager

I wanted to know whether it is possible to have a custom handler execute just before the Spring authentication manager. I wanted to validate licenses for the user before he accesses the system. Initially I wrote a custom filter and executed it before calling the authentication manager, but in this case he won't be able to access some resources since he is not authenticated. Later I moved my code to the successHandler of Spring, which worked fine, except it has some security issues, like if opened in multiple tabs it fails.
Any help is highly appreciated.
Thanks,
Brijesh
I think what you are looking for is to add a Spring AuthenticationProvider. In short, an AuthenticationManager has a list of AuthenticationProviders, each of which is queried in order. The question and answer to Multiple Authentication Providers in Spring Security has a good explanation of this. The Spring documentation also explains how the various components fit together.

ClassBridge called by MassIndexer and access to spring service

I wonder whether it is possible to use any spring services from within hibernate search ClassBridge.
Abstract:
My entity does not have all the information I'd like to put into the indexed document. I cannot get it by @IndexedEmbedded either. This data comes from an external data source, and I have a service to provide this. This is only needed when reindexing. When indexing a single object, the save service provides this information in a transient entity field.
For reindex I use MassIndexer.
My application is working in a Spring MVC environment. I use annotation-driven configuration. So to access my service I only need to use the @Autowired annotation and the service is ready to be used.
Solution?
When using Hibernate Search life is not so easy (or I have no idea how it could be).
To get additional information I decided to use ClassBridge. I also implemented a simple MassIndexer procedure called from within my Spring service.
In my ClassBridge Spring does not autowire the service. When I tried a quick workaround, using a static field in ClassBridge and passing the service reference from the MassIndexer caller, another problem occurred. The service reports the exception "no session" (sessionFactory.getCurrentSession() throws an exception)... I have no idea where to go further.
What is the recommended way to access a Spring service from within ClassBridge code?
How can I get the active Hibernate Session (or SessionFactory) from within ClassBridge?
Thanks for your time & hope for your help.
The recommended way is through compile-time weaving and @Configurable
A comment on this page (http://guylabs.ch/2014/02/22/autowiring-pring-beans-in-hibernate-jpa-entity-listeners/) provides a much simpler way of handling this that might be useful. You can have Spring autowire an object for you, more explicitly by calling:
SpringBeanAutowiringSupport.processInjectionBasedOnCurrentContext(this);
Doc: http://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/context/support/SpringBeanAutowiringSupport.html

Custom session state management

Can someone point me to an example implementation for custom session state management?
I am looking for the following approach: "keep all the session state in database and keep only the keys in HttpSession object."
Can it be done using Spring?
TIA
-Vin
Using a plain old Java proxy for this (or cglib proxies) should be possible; you still need to handle saving/loading to/from your db. There's also the issue of seeing whether a proxied object has been modified; this would have to be handled additionally. Spring does not do anything for this AFAIK.
Not sure what you're trying to achieve really, but perhaps also memcached-session-manager is interesting for you (shameless plug :-)).
