3

I need to put some values (String and Integer values) in user session after successful login.

I'm using Spring MVC + Spring Security (both v3.2.x) in my web app.

Is there some common approach with Spring to intercept session start? Is it correct to implement a HttpSessionListener and register it in my application?

davioooh
  • You can register HttpSessionListener. Another, maybe worse way is to use @PostConstruct in your session class. – sandris Jul 22 '14 at 08:10
  • A simple and commonly used approach is, once login is successful, to get the session object and put the key-value pair in it. I am not sure whether this approach is applicable to your code or not. If not, kindly add the method where the login logic is written. – Rais Alam Jul 22 '14 at 08:15
  • How are you authenticating the user? Is it acceptable for you to pass those values to the principal object? – kamil Jul 22 '14 at 08:23
  • The accepted answer here has some ideas: http://stackoverflow.com/questions/18791645/how-to-use-session-attributes-in-spring-mvc – JamesB Jul 22 '14 at 08:31
  • 2
    A common way is to use a custom `AuthenticationSuccessHandler` http://docs.spring.io/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/web/authentication/AuthenticationSuccessHandler.html – Andreas Jul 22 '14 at 08:53

2 Answers

4

I finally decided to implement a custom ApplicationListener to handle user login:

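import javax.servlet.http.HttpSession;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;

public class LoggedUserListener implements
        ApplicationListener<AuthenticationSuccessEvent> {

    // Spring injects a proxy that resolves to the current request's session
    @Autowired
    private HttpSession session;

    // Called each time Spring Security publishes a successful authentication
    @Override
    public void onApplicationEvent(AuthenticationSuccessEvent event) {
        session.setAttribute("key", "value");
    }

}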

and declared a bean in my Spring config:

<bean class="it.webapp.LoggedUserListener" />

It works perfectly.

davioooh
3

If you are using Spring MVC + Spring Security, it might be worth checking out org.springframework.security.web.session.HttpSessionEventPublisher

The javadoc for the class says:

Publishes HttpSessionApplicationEvents to the Spring Root WebApplicationContext.

Maps javax.servlet.http.HttpSessionListener.sessionCreated() to HttpSessionCreatedEvent.

My understanding is that you need to add:

  <listener>
    <listener-class>
      org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
  </listener> 

And your class needs to extend ApplicationListener in order to receive these events

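import org.springframework.context.ApplicationListener;
import org.springframework.security.web.session.HttpSessionCreatedEvent;

public class SessionPopulatorThing implements ApplicationListener<HttpSessionCreatedEvent> {

    // repository, service attributes go here

    @Override
    public void onApplicationEvent(HttpSessionCreatedEvent httpSessionCreatedEvent) {
        // populate with defaults
    }

}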

The main benefit is that it's compatible with Spring Core + Spring Security, and with a little bit of extra configuration on top of this you can get concurrency management features in session management with Spring Security as well. There's more about this in the Spring Security reference documentation:

Shiraaz.M
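
The custom `AuthenticationSuccessHandler` approach suggested in the comments on the question, written out as an added example that is not code from either answer. The class name, its `it.webapp` package and the attribute keys are assumptions; with form login the handler is invoked after the filter's session-fixation protection has run, so the attributes land on the post-login session.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

/**
 * Added example; class name, package and attribute keys are hypothetical.
 * Wiring in the Spring Security XML config (bean id is an assumption):
 *   <bean id="sessionPopulatingSuccessHandler"
 *         class="it.webapp.SessionPopulatingSuccessHandler"/>
 *   <form-login authentication-success-handler-ref="sessionPopulatingSuccessHandler"/>
 */
public class SessionPopulatingSuccessHandler
        extends SavedRequestAwareAuthenticationSuccessHandler {

    // Hypothetical keys, namespaced so they do not clash with other session users.
    public static final String ATTR_USERNAME = "app.user.name";
    public static final String ATTR_ROLE_COUNT = "app.user.roleCount";

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {

        // The form-login filter calls this after its SessionAuthenticationStrategy,
        // so request.getSession() returns the session the user keeps after login.
        HttpSession session = request.getSession();

        // Take values from the authenticated principal, never from request
        // parameters, and keep credentials out of the session.
        session.setAttribute(ATTR_USERNAME, authentication.getName());      // String
        session.setAttribute(ATTR_ROLE_COUNT,
                Integer.valueOf(authentication.getAuthorities().size()));   // Integer

        // Preserve default behaviour: redirect to the saved request or target URL.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
```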