9

I have Spring REST webserivce Now from a mobile client webservice is getting called. First, login method is called for log in succes or failure based on sent value userid and password.

      @RequestMapping(value = "/login", method = RequestMethod.POST,       headers="Accept=application/json")
     public @ResponseBody List<LogInStatus> getLogIn(@RequestBody LogIn person , HttpServletRequest request) {
              // Call service here
             List<LogInStatus> lList = logInService.getUser(person);
//service method and then in DAO database method is there

             return lList;
     }

Now, for many other call, I need logged in user based values, so need to keep session and need to get current user.And at log out call, need to destroy session. How to do this and achieve,please help with ideas.

Raju Sharma
  • 2,496
  • 3
  • 23
  • 41
Pan
  • 101
  • 2
  • 2
  • 7
  • 3
    Don't involve HTTPSession in a REST Service anyway: http://stackoverflow.com/questions/544474/can-you-help-me-understand-this-common-rest-mistakes-sessions-are-irrelevant – Stefan Oct 27 '14 at 13:32

2 Answers2

10

You don't need to create session manually - this is done by servlet container.

You can obtain session from HttpServletRequest 

HttpSession session = request.getSession();

or just add it as a method parameter, and Spring MVC will inject it for you:

public @ResponseBody List<LogInStatus> getLogIn(@RequestBody LogIn person , HttpServletRequest request, HttpSession httpSession)

You then can save user details in session via setAttribute()/getAttribute().

However, you are much better off using Spring Security, which is intended just for the task - see @Pumpkins's answer for references. SecurityContext contains info about currently logged in principal, which you can obtain from SecurityContextHolder

Vladimir
  • 9,683
  • 6
  • 36
  • 57
  • 2
    Does this break the `code of being stateless` for RESTful API? See here: http://stackoverflow.com/questions/34130036/how-to-understand-restful-api-is-stateless – smwikipedia Dec 07 '15 at 13:19
  • Check here `Common REST mistakes` (http://stackoverflow.com/questions/544474/can-you-help-me-understand-this-common-rest-mistakes-sessions-are-irrelevant) – smwikipedia Dec 07 '15 at 13:51
3

You need to integrate spring security in your project and make your rest calls via authentication verifier tokens.

You may refer to the documentation :

http://projects.spring.io/spring-security/

Or this nice tutorial can jumpstart your implementation :

http://www.networkedassets.com/configuring-spring-security-for-a-restful-web-services/

Pumpkin
  • 1,993
  • 3
  • 26
  • 32