3

This is probably a newbie question.

I have a table USER which contains info about login, pass and authorities. Depending on authority or role, detail information about each user can be found in one of the following: Teacher, Student, Parent. When the User logs in, the information stored in the USER table can be easily taken from the security context.

I want to display first name and last name all the time in the header after log in - these can be fetched from the other tables.

My question is this: how do I handle storing one of these objects in session all the time? Or is it okay just to store User (its stored by spring) and then fetch particular table every time I need detail information?

I use Spring Security 3, Hibernate, JSP, SiteMesh.

For more clarification:

I know how to deal with logged user and to restrict some content. Login details (id, pass, role) are stored in USER table and this is ok - I can fetch it and show wherever I want. The problem is that the details about a particular user (address, name, email, etc) are stored in another table (STUDENT, TEACHER, PARENT - depending on the role in USER table). This is what I want to know on every page - for example to show his/her name.

Jakub Pilimon
  • Are you already loading the user data yourself? If so, why not just load all the information you need at once (do a separate query based on the authorities), then parcel it all up as a custom user object that is stored as the security context principal object? – Shaun the Sheep May 15 '12 at 20:34
  • Yes, I'm loading the data from user myself. You mean that I should extend User class, add a few fields, and use it in the same way as I do now? At the moment I have like this: `user = new User(username, dbUser.getHaslo(), true, true, true, true, grants);` so basically only this constructor will change to the one I'm going to implement and it will work? Anyway, I will check it tmrw and mark the answer :) – Jakub Pilimon May 15 '12 at 20:50
  • Ok, I did, but using `Authentication auth = SecurityContextHolder.getContext().getAuthentication()` ... I can only fetch logged username and authorities. I have extended `org.springframework.security.core.userdetails.User` and added two fields - name and lastname. But still don't know how to pass it to the model. Doing like above only allows me to use `getName()` for example (which is login). Still no access to added fields – Jakub Pilimon May 15 '12 at 22:45
  • The `UserDetails` instance is usually returned as the `principal` property of the `Authentication` object - i.e. call [`getPrincipal()`](http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/Authentication.html#getPrincipal()) on it. – Shaun the Sheep May 16 '12 at 15:08
  • That works perfectly! Thanks! How do I mark your comment as a solution answer? – Jakub Pilimon May 16 '12 at 18:12
  • You can't. You can vote up my comments if you want :). You can provide your own answer and accept it though. If I were you, I'd make a few changes to the question to make it more useful for future reference. It is essentially about loading custom user data in Spring Security so I would remove the references to Sitemesh, hibernate etc. In your answer, I'd describe what interfaces to implement, loading the user and roles, loading additional data based on the roles and returning a UserDetails instance and accessing it via the security context. – Shaun the Sheep May 16 '12 at 21:13
  • You might also find [this answer](http://stackoverflow.com/questions/8764545/best-practice-for-getting-active-users-userdetails/8765597#8765597) useful as an alternative to accessing the security context directly everywhere you need it. – Shaun the Sheep May 16 '12 at 21:14

1 Answer

1

To cut it short:

1. You need to extend Spring's User to provide additional fields.
2. You need to implement the UserDetailsService interface and reference it in the security context.
3. Now you can fetch your object in a controller like this: `authentication.getPrincipal()` - remember to cast to your type.

Additionally - personally I always have an AbstractController which is a base for every controller in my project. There, among others, I have a method which returns the current principal.

Jakub Pilimon
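The three steps from the answer above, as an added sketch that is not part of the original post. `PortalUser`, `AccountDao`, `PortalUserDetailsService` and `CurrentUser` are hypothetical names, and `SimpleGrantedAuthority` assumes Spring Security 3.1 or later. The accessor checks the principal's type before casting, because for an unauthenticated request the principal is not the custom class.

```java
import java.util.Collection;
import java.util.Collections;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Step 1: principal carrying the extra fields (PortalUser is a hypothetical name).
class PortalUser extends User {
    private final String firstName;
    private final String lastName;

    PortalUser(String login, String passwordHash, Collection<? extends GrantedAuthority> grants,
               String firstName, String lastName) {
        super(login, passwordHash, true, true, true, true, grants);
        this.firstName = firstName;
        this.lastName = lastName;
    }
    public String getFirstName() { return firstName; }
    public String getLastName() { return lastName; }
}

// Hypothetical DAO over USER joined with the role-specific STUDENT/TEACHER/PARENT table.
interface AccountDao {
    String[] findByLogin(String login); // {passwordHash, role, firstName, lastName} or null
}

// Step 2: the service referenced from the security configuration.
class PortalUserDetailsService implements UserDetailsService {
    private final AccountDao dao;
    PortalUserDetailsService(AccountDao dao) { this.dao = dao; }

    public UserDetails loadUserByUsername(String login) throws UsernameNotFoundException {
        String[] row = dao.findByLogin(login);
        if (row == null) throw new UsernameNotFoundException("unknown login");
        return new PortalUser(login, row[0],
                Collections.singletonList(new SimpleGrantedAuthority(row[1])), row[2], row[3]);
    }
}

// Step 3: type-checked access; an anonymous request's principal is a String, not PortalUser.
class CurrentUser {
    static PortalUser get() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Object p = (auth == null) ? null : auth.getPrincipal();
        return (p instanceof PortalUser) ? (PortalUser) p : null;
    }
}
```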