Spring 3, Spring Security. Retrieving an authenticated user object

This is a Spring security issue.

In my application, I have a User object as a domain object. This object contains an implementation to support the Spring UserDetails object. The authentication process (login / logout) works fine.

The problem is that I need to extract this object from the session in order to make business logic decisions in my code.

I read about the SecurityContextHolder request, but to be honest, I still don't know which is the best approach, given that several versions of Spring seem to be a factor in these discussions. Also, the Principal object is not a solution for me, as it does not seem to contain any level of access or role information.

Below is a simple controller illustrating my task. It has a hard-coded user domain object. I need to replace this block with code that will receive the User object from the Spring security session. I am looking for a better way to do this in Spring 3.

  • Can I get this object as an object of my domain or do I need it as a Spring UserDetails object and manually convert it?
  • Can this contextual security search be inserted into my controller in any way?

    public class HomeController {

        @RequestMapping(value="/home.html", method=RequestMethod.GET)
        public ModelAndView getHomePage(Map<String, Object> model) {

            // Get current user
            User currentUser = new User();
            currentUser.setUserName("Admin");
            currentUser.setAccessLevel(UserAccessLevel.ADMINISTRATOR);

            // Construct HomePage bean
            HomeBean bean = new HomeBean();
            bean.setCurrentUserName(currentUser.getUserName());

            // Construct list of catalogs
            Collection<String> catalogList = new ArrayList<String>();
            catalogList.add("articles");
            catalogList.add("files");
            catalogList.add("comments");
            if (currentUser.hasAdministratorAccessLevel()) {
                catalogList.add("users");
            }
            bean.setCatalogList(catalogList);

            // Construct and return ModelAndView
            ModelAndView mav = new ModelAndView();
            mav.setViewName(WebView.HOME_PAGE.getViewName());
            mav.addObject(bean.getBeanId(), bean);
            return mav;
        }
    }

=== Update 2012-01-07 ===

I work with Luke's suggestion. The method that gets the UserDetails from the session and converts it into the returned User object of my domain is in my UserService.

Here is my controller:

    @Controller
    public class HomeController {

        @Autowired
        private UserService userService;

        @RequestMapping(value="/home.html", method=RequestMethod.GET)
        public ModelAndView getHomePage(Map<String, Object> model) {

            // Construct HomePage bean
            HomeBean bean = new HomeBean();
            User currentUser = userService.getCurrentlyAuthenticatedUser();
            bean.setCurrentUserName(currentUser.getUserName());

And here is the key code from UserServiceImpl.getCurrentlyAuthenticatedUser():

    @Override
    public User getCurrentlyAuthenticatedUser() {
        User currentUser = new User();
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        UserDetails currentUserDetails = (UserDetails) a.getPrincipal();
        if (currentUserDetails == null) {
            return currentUser;
        }
        currentUser.setUserName(currentUserDetails.getUsername());

It works, but am I doing it right? Feedback is greatly appreciated. I still cannot get the object of my user domain from the session. I retrieve the Spring UserDetails object and at the same time create the User object of my domain, but some information is lost in the process.

+4
1 answer

Typically, the main object contained in a successful Authentication will be an instance of your user-defined object. So for a quick fix use

    Authentication a = SecurityContextHolder.getContext().getAuthentication();
    User currentUser = (User) a.getPrincipal();

But also (as soon as you earn it), you can look at the answer I just gave (to a similar question) on how to introduce a special context for the security context.

+8
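
An added example, not part of the original question or answer: a lookup helper that returns the current principal as a domain type only when the context holds a real (non-anonymous) authentication and the principal has the expected type, instead of casting blindly. `CurrentUserDemo`, `DomainUser` and `currentPrincipal` are hypothetical names, `DomainUser` is a stand-in for the question's `User` class, and spring-security-core is assumed to be on the classpath.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class CurrentUserDemo {

    // Hypothetical stand-in for the question's domain User class.
    static class DomainUser {
        final String userName;
        final boolean administrator;
        DomainUser(String userName, boolean administrator) {
            this.userName = userName;
            this.administrator = administrator;
        }
    }

    /** Returns the principal as the requested type, or null if there is none. */
    static <T> T currentPrincipal(Class<T> type) {
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        // No authentication at all, e.g. code running outside a secured request.
        if (a == null || !a.isAuthenticated()) {
            return null;
        }
        // Anonymous requests carry a String principal, not a user object.
        if (a instanceof AnonymousAuthenticationToken) {
            return null;
        }
        // Check the runtime type rather than casting and risking ClassCastException.
        Object principal = a.getPrincipal();
        return type.isInstance(principal) ? type.cast(principal) : null;
    }

    public static void main(String[] args) {
        // Before login the security context is empty.
        System.out.println("before login: " + currentPrincipal(DomainUser.class));

        // Constructed sample: the context as it looks after a successful login
        // when the UserDetailsService returned the domain object as principal.
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(new DomainUser("Admin", true),
                "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN")));

        DomainUser current = currentPrincipal(DomainUser.class);
        System.out.println(current.userName + " admin=" + current.administrator);
        SecurityContextHolder.clearContext();
    }
}
```

Callers should treat a `null` result as "no authenticated user" and deny the privileged branch rather than fall back to a default user object.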

Source: https://habr.com/ru/post/1389725/

