
We are developing a web application, we're using Spring MVC (along with Spring Boot and Spring Security) and AngularJS. Therefore, we have two distinct servers running for the application.

We are trying to store the user session on the backend, to ensure a proper level of security, so we tried to use the HttpSession object, but every time we want to retrieve the existing session, a new instance is created (we've checked the session ids).

Here's what we're doing to log in:

$scope.authenticate = function () {

  // Credentials posted as JSON to the Spring Boot server on port 8080
  var postObject = new Object();
  postObject.mail = $scope.userName;
  postObject.password = $scope.userPassword;

  $http({
    url: "http://localhost:8080/login",
    method: "POST",
    dataType: "json",
    data: postObject,
    headers: {
      "Content-Type": "application/json"
    }
  }).success(function successCallback(response, status) {
      if (status == 200) {
        $scope.messageAuth = "Login successful";
        $scope.go('/services');
      }
    })
    .error(function errorCallback(error, status) {
        // the callback parameter is named "error", not "response"
        $scope.messageAuth = "Error " + error;
    });
};

Then, we check the credentials; if they are correct, we store the user information in a new session:

import java.security.Principal;
import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

@RestController
public class UserController {

    @Resource
    UserService userService;

    @CrossOrigin
    @RequestMapping(value = "/login", method = RequestMethod.POST, produces = "application/json")
    public ResponseEntity<User> loginSubmit(@RequestBody User user, HttpServletRequest request, HttpSession session) {
        // isAuthorized(...) is defined elsewhere in this class (not shown here)
        if (isAuthorized(user)) {
            User authenticatedUser = this.userService.getUserByMail(user.getMail());
            authenticatedUser.setPassword(null); // never return the stored password to the client

            // Discard the pre-login session and bind the role to a freshly created one
            session.invalidate();
            HttpSession newSession = request.getSession(true);
            newSession.setAttribute("USER_ROLE", authenticatedUser.getRole());

            System.out.println("/login : SESSION ID = " + newSession.getId());
            System.out.println("/login : " + newSession.getAttribute("USER_ROLE"));

            return ResponseEntity.ok(authenticatedUser);
        } else {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(null);
        }
    }

    @RequestMapping("/user")
    public String user(Principal user, HttpServletRequest request, HttpSession session) {
        // Both ids are printed to compare them with the one logged at /login
        System.out.println("/user : SESSION ID = " + session.getId());
        System.out.println("/user : " + (String) request.getSession(false).getAttribute("USER_ROLE"));
        return (String) session.getAttribute("USER_ROLE");
    }
}

And finally, from the Angular app, we'd like to get the user information by calling /user like this:

var f = function() {
    $http.get('http://localhost:8080/user').success(function successCallback(response) {
      console.log(response);
    }).error(function() {
      console.log('error');
    });
};

We've already tried pretty much everything we found about how to manage a session with Spring Security; maybe the problem comes from the Angular part?

Any help would be greatly appreciated,

Thanks in advance

  • You aren't using Spring Security you are actually working around it... – M. Deinum Jun 01 '16 at 09:42
  • Thanks for the feedback, and you think it is part of the problem? We should be able to use `HttpSession` anyway, right? – Ostro23 Jun 01 '16 at 09:55
  • If you use Spring Security and use the defaults `/login` is intercepted by Spring Security and your controller doesn't do anything. There should be nothing preventing you from using a `HttpSession` (we use a similar setup on my current project). – M. Deinum Jun 01 '16 at 10:11
  • I tried to change `/login` to `/authent`, same result. It doesn't seem to be related to Spring Security, because when I disable it, the problem persists (still new instances of `HttpSession`). – Ostro23 Jun 01 '16 at 11:26

1 Answer

We found the solution, we just needed to add a few config lines in our app.js file:

$httpProvider.defaults.useXDomain = true;
$httpProvider.defaults.withCredentials = true;

More information here: link

Hopefully it will help someone, someday!
