I am relatively new to Spring and Spring Security.
I was attempting to write a program where I needed to authenticate a user at the server end using Spring Security. I came up with the following:
    public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

        @Override
        protected void additionalAuthenticationChecks(UserDetails userDetails,
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
                throws AuthenticationException {
            System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"
                    + usernamePasswordAuthenticationToken.isAuthenticated());
        }

        @Override
        protected UserDetails retrieveUser(String username,
                UsernamePasswordAuthenticationToken authentication)
                throws AuthenticationException {
            System.out.println("Method invoked : retrieveUser");
            // so far so good, i can authenticate user here, and throw exception if not authenticated!!
            // THIS IS WHERE I WANT TO ACCESS SESSION OBJECT
        }
    }
My use case is that when a user is authenticated, I need to place an attribute like:

    session.setAttribute("userObject", myUserObject);

myUserObject is an object of some class that I can access throughout my server code across multiple user requests.
The session storage that you mentioned is provided by the Servlet container by default. It is just an internal java.util.Map. Spring Session is a Spring sub-project.
currentRequestAttributes().getSessionId(); This relies on Spring's RequestContextHolder, so it should be used with Spring MVC's DispatcherServlet or you should have a RequestContextListener declared. Also, a session will be created if one does not exist.
Your friend here is org.springframework.web.context.request.RequestContextHolder
    // example usage
    public static HttpSession session() {
        ServletRequestAttributes attr =
                (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return attr.getRequest().getSession(true); // true == allow create
    }

This will be populated by the standard Spring MVC dispatch servlet, but if you are using a different web framework you have to add org.springframework.web.filter.RequestContextFilter as a filter in your web.xml to manage the holder.
EDIT: just as a side issue, what are you actually trying to do? I'm not sure you should need access to the HttpSession in the retrieveUser method of a UserDetailsService. Spring Security will put the UserDetails object in the session for you anyhow. It can be retrieved by accessing the SecurityContextHolder:

    public static UserDetails currentUserDetails() {
        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication authentication = securityContext.getAuthentication();
        if (authentication != null) {
            Object principal = authentication.getPrincipal();
            return principal instanceof UserDetails ? (UserDetails) principal : null;
        }
        return null;
    }
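
The approach in the EDIT above, carried one step further as an added example (not code from the original question or answer): instead of calling session.setAttribute, retrieveUser returns a UserDetails that carries the domain object, and later requests read it back through the SecurityContextHolder. The names MyUserObject, AppUserDetails and CurrentUser are hypothetical.

```java
import java.io.Serializable;
import java.util.Collection;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

// Hypothetical domain class standing in for the question's myUserObject.
// Serializable because the principal that holds it is kept with the session.
class MyUserObject implements Serializable {
    private static final long serialVersionUID = 1L;
    final String displayName;

    MyUserObject(String displayName) { this.displayName = displayName; }
}

// Principal that carries the domain object; build and return it from retrieveUser(...).
class AppUserDetails extends User {
    private static final long serialVersionUID = 1L;
    private final MyUserObject userObject;

    AppUserDetails(String username, String passwordHash,
                   Collection<? extends GrantedAuthority> authorities,
                   MyUserObject userObject) {
        super(username, passwordHash, authorities);
        this.userObject = userObject;
    }

    MyUserObject getUserObject() { return userObject; }
}

final class CurrentUser {
    private CurrentUser() {}

    // Returns the authenticated user's domain object, or null when there is no
    // authentication or the principal is another type (the anonymous principal
    // is a plain String, so it falls through to null).
    static MyUserObject get() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return null;
        }
        Object principal = auth.getPrincipal();
        return principal instanceof AppUserDetails
                ? ((AppUserDetails) principal).getUserObject()
                : null;
    }
}
```

Because the principal is stored and serialized along with the session, keep the carried object small and free of secrets such as plaintext passwords or long-lived tokens.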