我可以将自己的User对象推送到Spring的SecurityContext吗？

Question

I'm new to Spring Security and have followed some basic recipes to get Spring Security working in my application, but now I'm trying to see if there is a way to get my own User object added to Spring's SecurityContext upon login/authentication.

My security is currently configured to use the JdbcDaoImpl:

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="com.ia.security.SpringSecurityDao" />
</authentication-manager>

<beans:bean id="com.ia.security.SpringSecurityDao" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
    <beans:property name="usersByUsernameQuery">
        <beans:value>select username,password,enabled 
        from user 
        where username = ?
        </beans:value>
    </beans:property>
    <beans:property name="dataSource" ref="dataSource" />
    <beans:property name="enableGroups" value="true" />
    <beans:property name="enableAuthorities" value="false" />
    <beans:property name="groupAuthoritiesByUsernameQuery">
        <beans:value>SELECT R.ID, R.NAME, P.NAME
            FROM ROLE R
            JOIN USER_ROLE UR on R.id = UR.role_id
            JOIN USER U on U.id = UR.user_id
            JOIN ROLE_PERMISSION RP ON RP.role_id = R.id
            JOIN PERMISSION P ON P.id = RP.permission_id
            WHERE U.username=?
        </beans:value>
    </beans:property>
</beans:bean>

I realize that I can retrieve the Principal object from the SecurityContext and get the username and requery the DB given the username, but was thinking it would be easier to simple store the my entire User object in the SecurityContext to have it easily accessible whenever I need it throughout my application as opposed to just storing the username, password and enabled fields in the UserDetails object.

I've looked into the UserDetailsService, and more specifically the JdbcDaoImpl class, but not entirely sure of the best way to proceed. If I simply override/extend by calling super.loadUserByUsername the loadUserByUsername method to return my own UserDetails object is that sufficient? Then would I just be able to do SecurityContextHolder.getContext().getAuthentication().getDetails() and cast it to my own object?

I've found other posts on StackOverflow that relate to this, but most seem to be ignoring anything to do with Authorities and Roles that are retrieved from the DB, so I'm not sure if this is the best way to proceed.

Answer 1

The short answer: Yes you can do exactly as you planned. Keep in mind that some functionality like "hasRole" checks the authorities list and not the user details by default.

The long answer: Keeping a user object in the securitycontext, which is held in the session can have some side effects. This is particularly true when you are using hibernate. Lazy exceptions anyone? ;) We went this route first and several calls later some LIEs happend which was quite tricky to follow up. Using the OpenSessionInView filter, we thought we are safe, but that's just wrong as in the next request the session is gone. So we loaded more related objects from the user and it still happend. Just later :)

We had three options. Either merge the user object on each request, create a pojo holding just the neccessary security information in the userdetails, or just keep the principal (login) in the security context and load the user object once it's needed.

We went with the third solution as hibernate does a good job using the second level cache. As a side effect the security is now more reliable as spring security gets now the latest version of a user on each request and does not work with "stale" user roles.

So if you dont use hibernate or you can guarantee that no LIEs will happen go for solution one or two. Else i would recommend our approach.