1

I have a customized spring AuthenticationProvider class but try to intercept the HTTPServletRequest and HTTPServletResponse within the loadUserDetails method.

@Component("darnGoodAuthenticaionProvider")
public class DarnGoodAuthenticaionProvider 
                    extends HandlerInterceptorAdapter 
                    implements AuthenticationUserDetailsService {
    private HttpServletRequest request;
    private HttpServletResponse response;

    @Override
    public boolean preHandle(HttpServletRequest request, 
                            HttpServletResponse response, Object handler) 
                            throws Exception {
            this.request = request;
            this.response = response;
            // we don't want anything falling here
            return true;
}

    @Override
    public UserDetails loadUserDetails(Authentication token)throws 
                                                    UsernameNotFoundException{
           .......
    }
}

I know the preHandler method from HandlerIntercepterAdapter is capable to the job but how can I be sure that the preHandler method is called prior to loadUserDetails, so that I can get the request and response prepared?

Thanks

Dreamer
  • 7,333
  • 24
  • 99
  • 179

1 Answers1

1

On a servlet container, each request will be handled from the moment the request is received until the response is returned by only one thread (request == current thread).

So it's a matter of putting a servlet filter BEFORE the spring security filter chain (with the filter-mapping element above the filter-mapping of spring security), and storing the request and response in the thread using a ThreadLocal variable - see also this answer.

Then on the DarnGoodAuthenticaionProvider access the request using a static method RequestResponseHolder.getRequest().

web.xml config:

<filter>
    <filter-name>saveRequestResponseFilter</filter-name>
    <filter-class>sample.save.request.filter.SaveRequestResponseFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>saveRequestResponseFilter</filter-name>
    <url-pattern>/mobilews/*</url-pattern>
</filter-mapping>

Filter to save the request response in the thread:

public class SaveRequestResponseFilter implements Filter {

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        RequestResponseHolder.setRequestResponse(req,resp);
        try {
            chain.doFilter(request, response);
        }
        finally {
            RequestResponseHolder.clear();
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        ...
    }

    @Override
    public void destroy() {
       ...
    }
}

Request/Response holder:

public class RequestResponseHolder {

    private static ThreadLocal<HttpServletRequest> requestHolder = new ThreadLocal<HttpServletRequest>();
    private static ThreadLocal<HttpServletResponse> responseHolder = new ThreadLocal<HttpServletResponse>();


    public static void setRequestResponse(HttpServletRequest request, HttpServletResponse response) {
        requestHolder.set(request);
        responseHolder.set(response);
    }

    public static HttpServletRequest getServletRequest(){
         return requestHolder.get();
    }

    public static HttpServletResponse getServletResponse()  {
        return responseHolder.get();
    }

    public static void clear() {
        requestHolder.remove();
        responseHolder.remove();
    }
}

Obtaining the request from DarnGoodAuthenticaionProvider:

HttpServletRequest req = RequestResponseHolder.getServletRequest();
Community
  • 1
  • 1
Angular University
  • 42,341
  • 15
  • 74
  • 81