  • HttpSession not to be used with Spring Security for storing values??

    Hi everybody,

    I got a very simple question. I have scoured the internet but have not come up with anything concrete.

    I have applied Spring Security 3.0.5 to an existing Spring MVC web app. I used to store values/attributes in HTTPSession before. i.e. some String value OR a class.

    I understand now that I should not use HTTPSession to store any custom values.
    This is as per Spring documentation here:
    "You shouldn't interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead. "

    Question: How can I store my custom values in session with Spring Security? Do I need to store it in the SecurityContext OR can I still use HttpSession? I looked into that and I did not find anywhere where I can store values....
    Ultimately even Spring Security uses HTTPSession to store the SecurityContext.

    Please advise. Thank you.

  • #2
    The section you are referring to is called "Storing the SecurityContext between requests". It's talking about accessing the SecurityContext object directly in the session.

    There's nothing to stop you storing your own data in the session separately.
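    To illustrate the split described in this answer, here is an added example (not code from the thread or from the Spring project): a Spring MVC 3 controller that reads the caller's identity through SecurityContextHolder and keeps its own application data as an ordinary HttpSession attribute alongside it. The controller class, the `app.preferences` key and the UserPreferences class are hypothetical; the SPRING_SECURITY_CONTEXT_KEY constant is the real key under which Spring Security 3.0 stores its context in the session.

    ```java
    import java.io.Serializable;
    import javax.servlet.http.HttpSession;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    public class PreferencesController {

        // Hypothetical key for the application's own session data.
        private static final String PREFS_KEY = "app.preferences";

        // Session attributes should be Serializable so the container can
        // persist or replicate the session; the class itself is hypothetical.
        public static class UserPreferences implements Serializable {
            private static final long serialVersionUID = 1L;
            public final String owner;
            public final String theme;
            public UserPreferences(String owner, String theme) {
                this.owner = owner;
                this.theme = theme;
            }
        }

        @RequestMapping("/prefs/save")
        public String savePrefs(HttpSession session) {
            // Security state (who is logged in) is always read via SecurityContextHolder,
            // never by pulling Spring Security's own attribute out of the session.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            String user = auth.getName();

            // Application state is a plain session attribute, independent of Spring Security.
            session.setAttribute(PREFS_KEY, new UserPreferences(user, "dark"));
            return "redirect:/prefs";
        }

        @RequestMapping("/prefs")
        public String showPrefs(HttpSession session) {
            UserPreferences prefs = (UserPreferences) session.getAttribute(PREFS_KEY);
            // Both live in the same HttpSession: Spring Security's context sits under its own
            // key, so neither attribute is encrypted or otherwise protected beyond what the
            // servlet container's session mechanism provides. Shown here for inspection only;
            // authorization decisions must not be derived from this attribute.
            boolean ctxPresent = session.getAttribute(
                    HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY) != null;
            session.setAttribute("app.ctxPresent", ctxPresent);
            return prefs == null ? "prefs-empty" : "prefs";
        }
    }
    ```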


    • #3
      That's good to know, BUT what is the best practice with storing session attributes with respect to Spring Security?
      I heard from some colleagues that the "security context" is where you should ideally store session info because it would be more "secure".

      I mean, isn't that possible? Shouldn't Spring Security also encrypt or secure httpsession somehow? And then we save to that session....isn't that the point?

      Seems like Spring security context is just a wrapper for the authentication object....

      OR are you saying that in a web app, there will be an HTTPSession established regardless that would contain the SpringSecurity as just one attribute of httpSession....essentially httpsession is one giant container with lots of stuff put in it, and Spring Security also makes use of httpsession by putting its own stuff in it...

      For any custom attributes, I will store them as I always have, directly to httpsession?