Storing information between requests for anonymous users

  • Storing information between requests for anonymous users

    Hello everyone,

    I'm developing a web application with Spring 3 and Spring Security 3.0.5. I have a question regarding the storage of information between requests for one session.

    I know that it is possible to store (and change) additional information for one principal and I already do this. Actually, when a user logs in, I create my own UserDetailsImpl object where I store additional information in an array.

    But this is exactly the problem. That information can now only be stored for "persons" who are logged in. I need to store information in between requests for persons who are anonymous as well.

    As far as I know a principal always "exists", but if the user is not logged in, of course the variables specified by my own UserDetailsImpl cannot be set.

    I guess I could maybe set the information as a session attribute directly for anonymous users. If I do this, I could throw away the UserDetails implementation, because I could then always use the session attributes directly.

    I'm interested in knowing if my assumption is correct, because I have not got a lot of experience. How would you solve the problem? Would you always use the session attributes? Or only if a user is anonymous?
    Do you have any idea how to solve the problem differently? Are there any Spring-specific solutions?

    Thanks in advance!
    Last edited by jeeper; Apr 12th, 2011, 11:19 AM.

  • #2
    Sorry if this is a newbie question, but I did not find anything similar in the forum. I would be glad if someone could answer and just give me a hint. :-)



    • #3
      Acegi (older version of Spring Security) had a concept of Anonymous users, have you looked it up in the Spring Security documentation? Typically a new session is created for each anonymous user, and your user-specific details can be added to the session.

      We are currently using an anonymous user to allow users to test drive our site.



      • #4
        Thank you for answering me!
        I can see that there is a session ID for an anonymous user, but I can't use the UserDetailsImpl object for him, as far as I see.

        So you would recommend directly adding HttpSession attributes for attaching information to anonymous sessions? (If I do this, why should I change this behaviour for registered users? Why should I then use a UserDetailsImpl object to add additional information and not just the HttpSession attribute?)



        • #5
          Originally posted by jeeper:
          Thank you for answering me!
          I can see that there is a session ID for an anonymous user, but I can't use the UserDetailsImpl object for him, as far as I see.

          So you would recommend directly adding HttpSession attributes for attaching information to anonymous sessions? (If I do this, why should I change this behaviour for registered users? Why should I then use a UserDetailsImpl object to add additional information and not just the HttpSession attribute?)
          Not 100% certain, but I think the Spring Security docs did mention that the goal is to create an Authentication object for anonymous users as well as authenticated users. Read here - http://static.springsource.org/sprin...anonymous.html. From here it sounds like the Principal is null for anonymous users.

          You might be better off leveraging the userDetails object as you seem to have done for authenticated users.



          • #6
            Thank you for answering! I read through the doc you gave me and I wrote some tests. I understand too that the goal is to authenticate even anonymous users (with an AnonymousAuthenticationToken), so that you can have security rules for them (accessible by ROLE_ANONYMOUS).

            I also found out the following:

            1.
            Code:
            import org.springframework.security.core.context.SecurityContextHolder;
            // principal of the current request's Authentication
            Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
            For anonymous users the principal is NOT an instance of UserDetails (or UserDetailsImpl); principal.getClass() shows that the class is java.lang.String, and the string is "anonymousUser". So the principal is not empty, but a string.

            2. Just like we said, the anonymous user is authenticated=true with ROLE_ANONYMOUS.

            You might be better off leveraging the userDetails object as you seem to have done for authenticated users.
            Sorry if I don't understand this correctly; English is not my mother tongue. Does this mean that I shall go on using the UserDetails object for ROLE_USER, as I already did, and that I should add HttpSession attributes for anonymous users when I want to attach information to them?

            (As I first read it, I thought you meant I should use the UserDetails object for anonymous users as well, but this is not possible, so surely you didn't mean it :-)) Thank you!

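The split the thread arrives at (custom UserDetails for logged-in users, HttpSession attributes for anonymous ones), written out as an added example that is not code from the thread or from Spring. It assumes a map-based variant of the poster's UserDetailsImpl, a session attribute name of "visitorState", and a whitelist of keys that may survive login; the anonymous check relies on the "anonymousUser" String principal observed in post #6.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

// Added example, not code from the thread: one place that decides where per-visitor data lives.
public final class VisitorState {
    // Hypothetical variant of the poster's UserDetailsImpl: a map instead of an array.
    public interface UserDetailsImpl extends UserDetails {
        Map<String, Object> getAttributes();
    }

    private static final String SESSION_KEY = "visitorState";           // assumed attribute name
    private static final String[] KEEP_ON_LOGIN = { "locale", "cart" }; // assumed whitelist

    // Anonymous visitors carry an AnonymousAuthenticationToken whose principal is the
    // String "anonymousUser" (post #6), so an instanceof check on the principal is the test.
    public static boolean isAnonymous(Authentication auth) {
        return auth == null
                || auth instanceof AnonymousAuthenticationToken
                || !(auth.getPrincipal() instanceof UserDetailsImpl);
    }

    @SuppressWarnings("unchecked")
    private static Map<String, Object> sessionMap(HttpSession session) {
        Map<String, Object> map = (Map<String, Object>) session.getAttribute(SESSION_KEY);
        if (map == null) {
            map = new HashMap<String, Object>();
            session.setAttribute(SESSION_KEY, map);
        }
        return map;
    }

    // Logged-in user: his UserDetailsImpl; anyone else: a server-side map in the HttpSession.
    public static Map<String, Object> store(HttpSession session) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return isAnonymous(auth) ? sessionMap(session)
                : ((UserDetailsImpl) auth.getPrincipal()).getAttributes();
    }

    // Call once after a successful login. Only whitelisted keys survive the anonymous phase;
    // the rest is dropped so data set by an unauthenticated visitor never steers authorisation.
    public static void carryOverOnLogin(HttpSession session, UserDetailsImpl user) {
        Map<String, Object> anon = sessionMap(session);
        for (String key : KEEP_ON_LOGIN) {
            if (anon.containsKey(key)) user.getAttributes().put(key, anon.get(key));
        }
        session.removeAttribute(SESSION_KEY);
    }
}
```

Both stores are server-side, so the session is never a less trustworthy place than the UserDetails object; what matters is that values written while anonymous are re-evaluated, not silently promoted, when the visitor logs in.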