Session management using spring security

Question

I have created a basic spring security authentication using UserDetailsService and now I am able to validate user. However, I don't understand how to achieve below things:

1. Once a user is logged in, when next request comes how and where do I check if the request is coming from the same logged in user or other logged in user?

I know the concept of Spring interceptors where I can intercept all incoming request. But is there something in spring security that does this?

2. How can I start a session after logging in and store values in session for that user?

I browsed through existing answers but most of examples are for logging in.

I would appreciate if someone can give me examples.

EDIT: I think I should use session scoped beans in order to maintain user's session contents rather than manipulating httpsession directly.

Answer 1

At first you need to create an Authentication object using current HttpRequest as below:

 public class SessionService{

    public Authentication getSession(HttpServletRequest request) {
        HttpSession session=request.getSession();
        SecurityContext ctx= (SecurityContext) session.getAttribute("SPRING_SECURITY_CONTEXT");
        Authentication auth=ctx.getAuthentication();
        return auth;
    }
}

Then, you can retrieve the session details from this Authentication object by passing the current HttpRequest as follows:

Authentication auth = sessionService.getSession(request);

The above auth object contains the details that you need.

Answer 2

I think you really need to spend some time reading the Spring security documentation and over all JSP, servlet and MVC architecture. You have several misunderstandings,

1. After authentication, you don't need to start a session it was already there when the request came. Remember request.getSession() we get the session from the request and I am really NOT aware of any other way ie instantiating session object and assigning it to request/response. After successful authentication spring automatically sets a SPRING_SECURITY_CONTEXT attribute in session and this variable is later used to determine whether user is already authenticated or not (Spring does that for you, you don't need to use this attribute).

2. In spring security we set an authentication entry point which has information about login page url and FORM_LOGIN_FILTER which has information about login processing url, login success url and login failure url among few other things.Every request whose session doesn't have SPRING_SECURITY_CONTEXT and auth attribute gets redirected to login page url.

I could give the code directly but it would be great if you read at least few pages of Spring documentation here . Once you understand the concepts and are still not able to solve the problem. Edit your question with detailed problem and we will try to fix it.