
  • simple security


    I would like to create a basic security model in which users can log in and, when a user is logged in, I want to somehow save this logged-on state to this particular user's session, so that when a user makes a request for some page, the system will verify that this user is actually logged in and the controller will redirect the user to that particular view, or to another view if the user is not logged in.

    Please note that I am aware of the existence of Acegi/Spring security, but I would like to create something simple myself for the moment.
    I was thinking about applying some before method advice to every request, that will check if the user is logged in before proceeding.
    But how do you manage the different user sessions?

    What is the best approach to this, can you help me get on the right track for this please?


  • #2
    I have thought out a simple security mechanism.
    The fact is that all requests from clients go through a controller and the controller decides which ModelAndView instance is created.
    Hence I created a Secured interface that all restricted controllers implement.

    An example:

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;
    import org.springframework.web.servlet.ModelAndView;
    import org.springframework.web.servlet.mvc.AbstractController;

    public class CarsController extends AbstractController implements Secured {
        private final ModelAndView homeView;
        public CarsController() {
            homeView = new ModelAndView("home");
        }
        protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
            HttpSession session = request.getSession();
            if (checkAuthentication(session)) {
                return new ModelAndView("cars");
            }
            return homeView; // not logged in: send the user to the home page instead
        }
        // Secured.checkAuthentication: the user counts as logged in if SecuritySupport finds a User in the session
        public boolean checkAuthentication(HttpSession session) {
            User user = SecuritySupport.getCurrentUser(session);
            return user != null;
        }
    }
    The inherited checkAuthentication method is used to determine whether the current user will be directed to the requested page or to the home page,
    with the help of the SecuritySupport class, which provides a few handy static methods.

    This works nicely, but there is one more thing that still bothers me.
    The SecuritySupport class needs an HttpSession object for most of its functionality, that is why I'm always passing the HttpSession object that I get from the handleRequestInternal(HttpServletRequest request, HttpServletResponse response) as an argument.

    It would be much better if the HttpSession didn't have to be passed around each time as an argument, but the SecuritySupport class could get the session object itself from somewhere.

    Can this be done?
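One way the SecuritySupport class described in post #2 can obtain the session itself, written as an added example rather than code from the thread: Spring's `RequestContextHolder` exposes the request bound to the current thread, so the static helpers no longer need the session passed in. The `User` class, the `USER_KEY` attribute name and the `login`/`logout`/`isLoggedIn` helpers are assumptions for illustration; `getCurrentUser(HttpSession)` keeps the signature the post uses.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Stand-in for the thread's User type: just the login name (assumption).
class User {
    private final String name;
    User(String name) { this.name = name; }
    public String getName() { return name; }
}

public final class SecuritySupport {
    // Session attribute under which the logged-in User is kept (key name is an assumption).
    static final String USER_KEY = SecuritySupport.class.getName() + ".USER";

    private SecuritySupport() {}

    /*
     * Fetch the request of the current thread without having it passed in. Spring binds
     * it to the thread in RequestContextHolder: DispatcherServlet does this for the
     * requests it dispatches, and RequestContextListener / RequestContextFilter in web.xml
     * cover everything else. Calling this outside a request raises IllegalStateException.
     */
    private static HttpServletRequest currentRequest() {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
        return attrs.getRequest();
    }

    /** Records that the user of the current request has authenticated. */
    public static void login(User user) {
        HttpServletRequest request = currentRequest();
        // Session fixation defence: drop the pre-login session so an attacker who
        // planted its id on the victim does not inherit the authenticated session.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true).setAttribute(USER_KEY, user);
    }

    /** Ends the whole session; removing only the attribute would leave other session state behind. */
    public static void logout() {
        HttpSession session = currentRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /** The signature used in the thread, kept for callers that already hold the session. */
    public static User getCurrentUser(HttpSession session) {
        return session == null ? null : (User) session.getAttribute(USER_KEY);
    }

    /** Same lookup, but resolves the session itself. getSession(false) avoids
     *  creating a session for every anonymous request. */
    public static User getCurrentUser() {
        return getCurrentUser(currentRequest().getSession(false));
    }

    public static boolean isLoggedIn() {
        return getCurrentUser() != null;
    }
}
```

With this in place a controller can simply call `SecuritySupport.isLoggedIn()`. Two points worth keeping in mind: the holder is thread-bound, so it only works on the request thread (not in a background job), and `login` invalidates the old session, so anything stored there before authentication (a remembered target URL, for instance) has to be read out before calling it.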


    • #3
      if only Spring had a security project that could do this type of thing...

      seriously, use it, it's pretty slick.


      • #4
        Or you could create an Interceptor which is executed automatically by Spring just before the Controller. In the Interceptor you can decide whether the user is authenticated or not.

        Spring / Acegi Security is still not that hard to implement. The learning curve is a bit high in the beginning though.
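The interceptor approach suggested in post #4, as an added example that is not code from the thread or from Spring itself: a `HandlerInterceptor` runs before every handler the `DispatcherServlet` maps, so the login check lives in one place instead of in each controller. It reuses the `Secured` interface from post #2 (declared here so the block stands alone); the `TARGET_KEY` attribute, the `/login` path and the `LoginRequiredInterceptor` name are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** The thread's marker interface: a controller implementing it needs a logged-in user. */
interface Secured {
    boolean checkAuthentication(HttpSession session);
}

public class LoginRequiredInterceptor extends HandlerInterceptorAdapter {
    // Session key under which the login page finds where the user wanted to go (assumption).
    public static final String TARGET_KEY = LoginRequiredInterceptor.class.getName() + ".TARGET";

    // Context-relative path of the login page; settable from the bean definition.
    private String loginPath = "/login";

    public void setLoginPath(String loginPath) {
        this.loginPath = loginPath;
    }

    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        if (!(handler instanceof Secured)) {
            return true; // not marked as restricted: let the controller run
        }
        HttpSession session = request.getSession(false);
        if (session != null && ((Secured) handler).checkAuthentication(session)) {
            return true; // logged in: continue to the controller
        }
        // Remember the requested page server-side so the login controller can send the
        // user back there. Keeping it in the session instead of a ?redirect= parameter
        // means an attacker cannot point the post-login redirect at a foreign site.
        request.getSession(true).setAttribute(TARGET_KEY, request.getRequestURI());
        response.sendRedirect(request.getContextPath() + loginPath);
        return false; // stop the chain; the controller never sees the request
    }
}
```

Register it through the `interceptors` property of the handler mapping bean (for example `SimpleUrlHandlerMapping` or `BeanNameUrlHandlerMapping`), and it applies to every controller that mapping serves. One caveat with this opt-in design: a controller whose author forgets `implements Secured` is silently public. If that risk matters, invert the default so the interceptor denies unless the handler is explicitly marked public, which fails closed instead.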


        • #5
          Originally posted by Clay:
          if only Spring had a security project that could do this type of thing...

          seriously, use it, it's pretty slick.
          I'm aware of Spring Security (Acegi), but frankly, I find it a bit too complicated for the basic authentication I need at the moment.
          Any time soon I will certainly read up on Spring security, so I fully understand it and can use it.

          For now, I just need to get going quickly.


          • #6
            spring security 2.0 is significantly simpler than the old acegi stuff was.