4

I have created a basic Spring Security authentication using UserDetailsService and now I am able to validate users. However, I don't understand how to achieve the things below:

  1. Once a user is logged in, when the next request comes, how and where do I check whether the request is coming from the same logged-in user or another logged-in user?

I know the concept of Spring interceptors, where I can intercept all incoming requests. But is there something in Spring Security that does this?

  2. How can I start a session after logging in and store values in the session for that user?

I browsed through existing answers but most of the examples are for logging in.

I would appreciate it if someone could give me examples.

EDIT: I think I should use session-scoped beans in order to maintain the user's session contents rather than manipulating the HttpSession directly.

NaiveCoder
  • Have you read the documentation? – M. Deinum Jan 20 '16 at 10:08
  • The documentation is really confusing and there is plenty of it. – NaiveCoder Jan 20 '16 at 10:45
  • The Spring Security reference guide is imho quite clear on how to configure session management... – M. Deinum Jan 20 '16 at 11:08
  • It's there in the Spring Security docs. Refer here http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/. And it's pretty well documented and straightforward. – Tech Enthusiast Jan 20 '16 at 11:15
  • I checked this section http://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#session-mgmt but I don't get a sample which I can use to get the session. If you can point out a certain section it will be helpful. – NaiveCoder Jan 20 '16 at 11:38
  • Do I have to implement SessionManagementFilter? – NaiveCoder Jan 20 '16 at 12:04
  • I'm still not clear on how I can access the session and add data to it. All I got from the Spring docs is how to set up session fixation and other session configuration. – NaiveCoder Jan 22 '16 at 09:29

2 Answers

2

I think you really need to spend some time reading the Spring Security documentation and, overall, the JSP, servlet and MVC architecture. You have several misunderstandings:

  1. After authentication, you don't need to start a session; it was already there when the request came. Remember request.getSession(): we get the session from the request, and I am really NOT aware of any other way, i.e. instantiating a session object and assigning it to the request/response. After successful authentication Spring automatically sets a SPRING_SECURITY_CONTEXT attribute in the session, and this variable is later used to determine whether the user is already authenticated or not (Spring does that for you, you don't need to use this attribute).

  2. In Spring Security we set an authentication entry point, which has information about the login page URL, and FORM_LOGIN_FILTER, which has information about the login processing URL, login success URL and login failure URL, among a few other things. Every request whose session doesn't have the SPRING_SECURITY_CONTEXT and auth attribute gets redirected to the login page URL.

I could give the code directly, but it would be great if you read at least a few pages of the Spring documentation here. Once you understand the concepts and are still not able to solve the problem, edit your question with the detailed problem and we will try to fix it.

Amit
  • Thanks for the info. I am aware of getting the session from the request as request.getSession(true), but what I thought was that Spring Security might have some 'other' way of doing this.. for example: it might create a session for me and I just have to use it. – NaiveCoder Jan 22 '16 at 11:04
  • Yes, Spring will create a session for you and you can use it directly.. Found another useful link, see this http://www.studytrails.com/frameworks/spring/spring-security-custom-login-page.jsp – Amit Jan 22 '16 at 11:05
  • [link](http://stackoverflow.com/questions/1629211/how-do-i-get-the-session-object-in-spring) This post says "You shouldn't interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead." but the code of SecurityContextHolder doesn't give me a session to play with. – NaiveCoder Jan 22 '16 at 11:19
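The pieces this answer names (authentication entry point, login page / processing / success / failure URLs, the session-management section the comments point to) are wired together in one Java configuration class. This is an added example for Spring Security 4.x, not code from the answer above or from the Spring project; the class name, the URLs, and the BCrypt password encoder are assumptions, and the UserDetailsService is the one the question already has.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // The UserDetailsService from the question. Spring Security calls it during login only;
    // later requests are recognised by the SecurityContext stored in the HttpSession.
    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Compare against hashed passwords only; the encoder is an assumption for this example.
        auth.userDetailsService(userDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()       // no SecurityContext in the session -> entry point
                .and()
            .formLogin()
                .loginPage("/login")                // where the authentication entry point redirects to
                .loginProcessingUrl("/doLogin")     // POST target handled by the form login filter
                .defaultSuccessUrl("/home", true)   // login success URL
                .failureUrl("/login?error")         // login failure URL
                .and()
            .logout()
                .logoutUrl("/logout")
                .invalidateHttpSession(true)        // drops SPRING_SECURITY_CONTEXT and all other attributes
                .deleteCookies("JSESSIONID")
                .and()
            .sessionManagement()
                // Give the user a fresh session id at login, so a session id planted in the
                // browser before login (session fixation) is never promoted to an authenticated one.
                .sessionFixation().migrateSession()
                // At most one live session per user; a second login expires the first one.
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(false)
                    .expiredUrl("/login?expired");
    }

    // Needed by maximumSessions(): notifies the session registry when container sessions are destroyed.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

With the Java configuration, CSRF protection is on by default, so the login form must carry the CSRF token and the logout URL must be requested with POST. Nothing in this class touches the HttpSession by hand: the form login filter stores the SecurityContext after a successful POST to /doLogin, and on every later request the security filter chain restores it from the session before your controllers run.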
1

First you need to create an Authentication object using the current HttpRequest as below:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContext;

    public class SessionService {

        // Reads the SecurityContext that Spring Security stored in the HttpSession
        // under SPRING_SECURITY_CONTEXT after a successful login.
        public Authentication getSession(HttpServletRequest request) {
            HttpSession session = request.getSession(false); // do not create a session just to look it up
            if (session == null) {
                return null; // no session, so nobody is logged in
            }
            SecurityContext ctx = (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
            return ctx == null ? null : ctx.getAuthentication(); // null if the user never logged in
        }
    }

Then, you can retrieve the session details from this Authentication object by passing the current HttpRequest as follows:

    Authentication auth = sessionService.getSession(request);

The above auth object contains the details that you need.
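For comparison, here is the route the comment under the first answer recommends: the same lookup through SecurityContextHolder, which the security filter chain populates from the session attribute on every request, followed by per-user state kept either in a session-scoped bean (as the question's EDIT suggests) or directly on the same HttpSession. This is an added example, not code from the answer above or from Spring; the CartController, the UserCart bean and the /cart/add URL are assumptions.

```java
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.WebApplicationContext;

// One instance per HTTP session (in a real project this lives in its own file).
// Serializable so the container can persist or replicate the session it is stored in.
@Component
@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
class UserCart implements Serializable {
    private final List<String> items = new ArrayList<String>();
    public void add(String item) { items.add(item); }
    public List<String> items() { return items; }
}

@Controller
public class CartController {

    // A scoped proxy: each call is routed to the UserCart of the calling request's session.
    @Autowired
    private UserCart cart;

    // Who sent this request? Answered from the SecurityContext that Spring Security restored
    // from the session, never from a request parameter or a hand-written session attribute,
    // so one logged-in client cannot claim another logged-in user's identity.
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return null; // not logged in (the anonymous filter still supplies an Authentication)
        }
        Object principal = auth.getPrincipal();
        return principal instanceof UserDetails
                ? ((UserDetails) principal).getUsername()
                : String.valueOf(principal);
    }

    @RequestMapping("/cart/add")
    @ResponseBody
    public String add(@RequestParam("item") String item, HttpServletRequest request) {
        String user = currentUsername();
        if (user == null) {
            return "not logged in"; // only reachable if /cart/add is not behind authenticated()
        }
        cart.add(item); // per-user state via the session-scoped bean ...
        request.getSession().setAttribute("lastItem", item); // ... or as an attribute on the same HttpSession
        return user + " has " + cart.items().size() + " item(s); last added: "
                + request.getSession().getAttribute("lastItem");
    }
}
```

Both storage options end up in the container session that already holds SPRING_SECURITY_CONTEXT, so invalidating the session at logout discards them together with the login. Leave the SPRING_SECURITY_CONTEXT attribute itself to Spring Security: read identity through SecurityContextHolder, and if you ever do need the attribute name, use the constant HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY rather than a string literal.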