
My problem is this: I need to implement login/logout functionality with Spring MVC. My approach is as follows. I have a LoginController which handles the GET and POST methods.

@RequestMapping(value = "/login", method = RequestMethod.GET)
public String login(Model model) {
    // Already logged in: skip the form and go straight to the admin area.
    if (sessionController.getSessionUserDto() != null) {
        return "redirect:/secure/admin/index";
    }
    // Empty backing object for the login form.
    UserDto dto = new UserDto();
    model.addAttribute("userDto", dto);

    return "/login";
}

I have a SessionController which is a session-scoped bean that holds the user credentials. And this is my POST method.

@RequestMapping(value = "/login", method = RequestMethod.POST)
public String executeLogin(@ModelAttribute("userDto") UserDto userDto, BindingResult result,
        HttpServletRequest request) {
    // Mass-assignment guard: fail hard if the binder had to drop fields that are not allowed.
    String[] suppressedFields = result.getSuppressedFields();
    if (suppressedFields.length > 0) {
        throw new RuntimeException("Attempting to bind disallowed fields: "
                + StringUtils.arrayToCommaDelimitedString(suppressedFields));
    }

    if (userDto.getUser() == null || userDto.getUser().isEmpty()) {
        return "/login";
    }

    if (userDto.getPassword() == null || userDto.getPassword().isEmpty()) {
        return "/login";
    }

    try {
        UserDto dto = userManager.login(userDto.getUser(), userDto.getPassword());
        if (dto != null) {
            // This write is only private to the current user if sessionController really is
            // one instance per HTTP session; otherwise every client sees the same value.
            sessionController.setSessionUserDto(dto);
            // Remember the client address in the HTTP session itself.
            request.getSession().setAttribute("terminal", request.getRemoteAddr());
            return "redirect:/secure/admin/index";
        } else {
            return "/login";
        }
    } catch (DaoException ex) {
        // Data-layer failure: log it (stdout here) and send the user back to the form.
        System.out.println("DaoException: " + ex.getMessage());
        return "redirect:/login";
    }
}

The issue is that every user that logs into the system always overrides the user stored in SessionController. That is, sessionController holds only one user for the whole application. If I log in on machine A and then open machine B and request http://localhost:8080/webapp/login, I will be redirected to index, as if I were logged in. So, what should I do?

Suncatcher
    Simply use [SpringSecurity](http://projects.spring.io/spring-security/). It is easy and mature and has dozens of interfaces – Stefan Nov 26 '15 at 15:27
  • That would be nice. However I don't have enough time to learn about it. Do you know any other workaround? – Suncatcher Nov 26 '15 at 15:30

2 Answers


I strongly recommend that you use Spring Security. You can use the default configuration and do the authentication for your application.

http://www.mkyong.com/tutorials/spring-security-tutorials/
https://docs.spring.io/spring-security/site/docs/3.0.x/reference/springsecurity.html

If you need custom authentication, you need to use an Authentication Provider. Here is an example:

http://www.baeldung.com/spring-security-authentication-provider

reos

Firstly, "if (sessionController.getSessionUserDto() != null)" may always be true after the first login, so please review your code. Secondly, do not use class-scope variables in a Controller, as it is a singleton and users will overwrite each other's data.

  • I understand. So, if I want to store user credentials in sessionController and, at the same time, not use class-scope variables in the controller, where should I put my sessionController variable? – Suncatcher Nov 26 '15 at 15:52
  • User info should be stored in the session variable on the request or context scope. Each client (machine) should open a new session with your server. – Moataz Mohammad Nov 26 '15 at 16:03
  • Could you provide me some code to understand please? – Suncatcher Nov 26 '15 at 16:07
  • this link may help http://stackoverflow.com/questions/18791645/how-to-use-session-attributes-in-spring-mvc – Moataz Mohammad Nov 26 '15 at 16:13
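The per-session approach this answer and its comments describe, written out as an added example (not code from the asker or from Moataz Mohammad). A bean only isolates one user from another if it really is session-scoped and the singleton controller reaches it through a scoped proxy; with proxyMode set, each call through the injected field is routed to the instance belonging to the current request's session. The example also does the three things a hand-rolled login should not skip: it stores only the identity (not the password), it changes the session id on successful login (session fixation), and it invalidates the session on logout. UserManager, UserDto and DaoException are the asker's classes, with the signatures implied by the question; SessionUser, LoginController and LoginRequiredInterceptor are illustrative names chosen here, and Servlet 3.1+ is assumed for request.changeSessionId().

```java
import java.io.Serializable;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * One instance per HTTP session. proxyMode is the important part: the singleton controller
 * holds a proxy, and every call through it goes to the bean of the current request's session.
 * Without a scoped proxy one instance ends up shared by every client, which is the symptom
 * the question describes. Only the identity is kept; the password is never stored.
 */
@Component
@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
public class SessionUser implements Serializable {
    private static final long serialVersionUID = 1L;
    private String username;

    public boolean isLoggedIn() { return username != null; }
    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
}

@Controller
class LoginController {

    @Autowired private UserManager userManager; // the asker's service, assumed to return a UserDto or null
    @Autowired private SessionUser sessionUser; // scoped proxy, so injecting it into a singleton is safe

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String login(Model model) {
        if (sessionUser.isLoggedIn()) {
            return "redirect:/secure/admin/index";
        }
        model.addAttribute("userDto", new UserDto());
        return "login";
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    public String executeLogin(@ModelAttribute("userDto") UserDto userDto, HttpServletRequest request) {
        UserDto dto;
        try {
            dto = userManager.login(userDto.getUser(), userDto.getPassword());
        } catch (DaoException ex) {
            return "redirect:/login"; // log ex server-side; never echo its message to the client
        }
        if (dto == null) {
            return "login";
        }
        // Session fixation defence: the id the browser carried before authenticating must not
        // become the authenticated id. changeSessionId() keeps the attributes, issues a fresh id.
        request.changeSessionId();
        sessionUser.setUsername(dto.getUser());
        return "redirect:/secure/admin/index";
    }

    @RequestMapping(value = "/logout", method = RequestMethod.POST)
    public String logout(HttpSession session) {
        session.invalidate(); // drops the SessionUser instance together with everything else in the session
        return "redirect:/login";
    }
}

/**
 * Guards /secure/** in one place instead of repeating the session check in every controller.
 * Register it via addInterceptors(registry) in a WebMvcConfigurerAdapter with addPathPatterns("/secure/**").
 */
@Component
class LoginRequiredInterceptor extends HandlerInterceptorAdapter {

    @Autowired private SessionUser sessionUser;

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (sessionUser.isLoggedIn()) {
            return true;
        }
        response.sendRedirect(request.getContextPath() + "/login");
        return false;
    }
}
```

Logout is mapped to POST only, so that a cross-site GET (an image tag, a link) cannot log the user out; pair it with a CSRF token on the form if the application has none yet. If the container is Servlet 3.0, replace request.changeSessionId() with session.invalidate() followed by request.getSession(true) and write the username into the new session afterwards.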