"remember-me" doesn't put SPRING_SECURITY_CONTEXT into the session
This topic is closed
  • "remember-me" doesn't put SPRING_SECURITY_CONTEXT into the session

    Hi all.

    I use such EL expressions to put user information on my JSPs:

    Code:
    ${SPRING_SECURITY_CONTEXT.authentication.principal.username}
    and I got the following trouble (steps to reproduce):
    1. I am logging in with a user with "remember-me" checkbox enabled
    2. I am closing the tab and the browser
    3. I am reopening browser and enter the app URL

    and I see that I am logged in (remember-me works!) but user information above is not shown.

    I've debugged and seen that the remember-me filter actually calls my user service and puts the principal into the SecurityContextHolder. But I need to press F5 in the browser to make the user information visible.

    My setup (pretty simple):

    Code:
      <http>
        <intercept-url pattern="/home" access="ROLE_ANONYMOUS,ROLE_USER" />
        <!-- skipped -->
    
        <form-login login-page="/home" default-target-url="/home" authentication-failure-url="/home?login_error=1" />
        <logout logout-url="/logout" logout-success-url="/home" />
        <anonymous granted-authority="ROLE_ANONYMOUS" />
        <remember-me user-service-ref="userDetailsService" />
      </http>
    
      <beans:bean id="userDetailsService" class="util.UserDetailServiceImpl" />
    
      <authentication-provider user-service-ref="userDetailsService" />
    Please, any suggestions how to fix this?

    Regards.
    Last edited by Bohtvaroh; Apr 29th, 2009, 05:23 PM.

  • #2
    I debugged my issue and I see that:

    1. RememberMeProcessingFilter is called and it puts Authentication object to the SecurityContextHolder
    2. My controller is called (???)
    3. HttpSessionContextIntegrationFilter is called and it puts SPRING_SECURITY_CONTEXT to the session.

    I am completely disappointed by this scenario - why is controller called before HttpSessionContextIntegrationFilter?



    • #3
      Originally posted by Bohtvaroh:
      I debugged my issue and I see that:

      1. RememberMeProcessingFilter is called and it puts Authentication object to the SecurityContextHolder
      2. My controller is called (???)
      3. HttpSessionContextIntegrationFilter is called and it puts SPRING_SECURITY_CONTEXT to the session.

      I am completely disappointed by this scenario - why is controller called before HttpSessionContextIntegrationFilter?
      It is generally intended that you don't access the context directly from the session, but use the SecurityContextHolder instead. The purpose of HttpSessionContextIntegrationFilter is to store the context between requests.

      If you want to access it in a JSP then there is a taglib which allows you to do so, e.g.

      <security:authentication property="principal.username"/>

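The ordering reported in #2 and the advice in #3, modelled in plain Java as an added example (not code from the thread or from Spring Security): the session-integration filter wraps the rest of the chain, so SPRING_SECURITY_CONTEXT reaches the session only after the controller has rendered, while the holder is already populated. All class and method names are hypothetical stand-ins, and the security context is reduced to a username string.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a plain-Java model of the filter ordering; no Spring classes are used.
public class ContextOrderingDemo {
    static final String KEY = "SPRING_SECURITY_CONTEXT";
    // Stand-in for SecurityContextHolder (thread-bound in the real framework).
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();

    interface Chain { void proceed(Map<String, Object> session); }

    // Models HttpSessionContextIntegrationFilter: load before the chain, store after it.
    static void sessionIntegrationFilter(Map<String, Object> session, Chain next) {
        HOLDER.set((String) session.get(KEY)); // null on the first remember-me request
        try {
            next.proceed(session);
        } finally {
            if (HOLDER.get() != null) session.put(KEY, HOLDER.get()); // persisted only now
            HOLDER.remove();
        }
    }

    // Models RememberMeProcessingFilter: authenticates from the cookie if nobody is logged in.
    static void rememberMeFilter(Map<String, Object> session, String cookieUser, Chain next) {
        if (HOLDER.get() == null && cookieUser != null) HOLDER.set(cookieUser);
        next.proceed(session);
    }

    // Models the controller/JSP: reports what each lookup sees while the page renders.
    static String render(Map<String, Object> session) {
        return "session=" + session.get(KEY) + " holder=" + HOLDER.get();
    }

    // One HTTP request through the modelled chain; returns what the page rendered.
    static String request(Map<String, Object> session, String cookieUser) {
        String[] out = new String[1];
        sessionIntegrationFilter(session, s1 ->
            rememberMeFilter(s1, cookieUser, s2 -> out[0] = render(s2)));
        return out[0];
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // fresh browser session (constructed data)
        System.out.println("1st request: " + request(session, "alice"));
        System.out.println("after F5:    " + request(session, "alice"));
    }
}
```

Reading the principal through the holder, which is what the `<security:authentication>` tag does, gives the same answer on both requests; the session attribute is only the persistence mechanism between requests.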


      • #4
        Great thanks!
