I'm using Spring Security to manage authentication in my web app. With it I manage access to some objects based on the name of the User.
So, at my DAO level I have this method which gives me the List of Park objects for the User:
import java.util.ArrayList;
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.criterion.Restrictions;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// userService, logger, elementsPerPage and createEntityCriteria() are members of the DAO class
@SuppressWarnings("unchecked")
public List<Park> findParkByUser(int offset) {
    // Principal of the current request, taken from the thread-bound security context
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    List<Park> parks = new ArrayList<Park>();
    try {
        if (auth != null) {
            String name = auth.getName();
            User user = userService.findBySso(name);
            int userId = user.getId();
            Criteria criteria = createEntityCriteria();
            criteria.createAlias("users", "u");
            // The ownership restriction must apply regardless of paging; in the original
            // it was only added for offset >= 0, so a negative offset listed every user's parks
            criteria.add(Restrictions.eq("u.id", userId));
            if (offset >= 0) {
                criteria.setFirstResult(offset).setMaxResults(elementsPerPage);
            }
            criteria.setResultTransformer(Criteria.DISTINCT_ROOT_ENTITY);
            parks = (List<Park>) criteria.list();
        } else {
            logger.debug("Auth error");
        }
    } catch (NullPointerException e) {
        // Reached when findBySso() returns null for the principal name
        logger.error("Auth error", e);
    }
    return parks;
}
Now the problem is that when the session times out or the cookie expires, I get a null auth. I would like to redirect the user to the login page, but I'm at the DAO level, not in the Controller. I thought I could get the HttpServletRequest and HttpServletResponse from the controller and use a custom logout manager:
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices;
public void logout(HttpServletRequest request, HttpServletResponse response) {
    // Clears the remember-me cookie, then the SecurityContext and the HTTP session
    CookieClearingLogoutHandler cookieClearingLogoutHandler = new CookieClearingLogoutHandler(AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY);
    SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
    cookieClearingLogoutHandler.logout(request, response, null);
    securityContextLogoutHandler.logout(request, response, null);
}
Is this a correct way to operate, or is there a better solution?
Thanks
If the authentication and authorization are configured correctly, the Authentication object should not be null. Such a situation should be caught by the servlet filter (or whichever method you use for integrating Spring Security with your web-application environment).
If configured correctly, there are two possible situations:
- Authentication object that represents this anonymous authentication.
- WebSecurityConfigurerAdapter in the application context.
Assuming you allow anonymous access, but certain actions require authentication, the correct way of dealing with this (if you cannot detect it on the controller level) is by having your model throw an AccessDeniedException. This exception can then be handled by an ExceptionTranslationFilter that can take care of redirecting to the login page.
Please refer to the Spring Security Reference for detailed explanations about how to correctly setup the filters that are needed when using Spring Security in a web application.
Under no circumstances should you try accessing the HttpServletRequest or HttpServletResponse from your DAO. It violates the general contract that model code should not depend on the controller and makes the whole code harder to understand. For example, your DAO might later be used by different code (e.g. a webservice API, an application server, etc.) which handles authentication and authorization very differently and does not even have an HTTP request context. In this case, your DAO would not work correctly any longer. When only using the Authentication object and throwing an AccessDeniedException, your DAO remains portable and can be used in any environment.
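To make the answer concrete, here is an added example (my own code, not the answerer's and not from any Spring project) of a DAO that decides purely from the Authentication object and of the WebSecurityConfigurerAdapter setup that lets ExceptionTranslationFilter turn the resulting exception into a login redirect. It assumes the question's Park, User and UserService classes, a Hibernate SessionFactory for the Criteria query, and the URL paths /login and /public/** as placeholders. It goes one step beyond the answer: the truly null case (which the answer says only happens when the filters are misconfigured) is reported with AuthenticationCredentialsNotFoundException, an AuthenticationException that the same filter also answers with a login redirect, while the expired-session case is the anonymous principal plus AccessDeniedException the answer describes.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.SessionFactory;
import org.hibernate.criterion.Restrictions;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical DAO doing the job of the question's findParkByUser(). It never touches
// the servlet request and never turns "no caller" into a silent empty list.
// Park, User and UserService are the question's own application classes (assumed).
public class ParkDao {

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private final SessionFactory sessionFactory;   // assumed injected
    private final UserService userService;          // assumed injected
    private final int elementsPerPage = 20;         // assumed page size

    public ParkDao(SessionFactory sessionFactory, UserService userService) {
        this.sessionFactory = sessionFactory;
        this.userService = userService;
    }

    // Resolves the calling user or throws. The exception type decides what
    // ExceptionTranslationFilter does once the exception propagates out of the servlet.
    private User requireCurrentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            // Only reachable when the DAO runs outside the secured filter chain.
            // An AuthenticationException makes the filter start a fresh login.
            throw new AuthenticationCredentialsNotFoundException("no Authentication in SecurityContext");
        }
        if (trustResolver.isAnonymous(auth)) {
            // Expired session or never logged in: anonymous principal + AccessDeniedException
            // is exactly the combination the filter turns into a redirect to the login page.
            throw new AccessDeniedException("login required");
        }
        User user = userService.findBySso(auth.getName());
        if (user == null) {
            // Authenticated principal without a user row: deny explicitly instead of
            // letting a NullPointerException decide (the question's code caught that NPE).
            throw new AccessDeniedException("unknown user " + auth.getName());
        }
        return user;
    }

    @SuppressWarnings("unchecked")
    public List<Park> findParkByUser(int offset) {
        User user = requireCurrentUser();
        Criteria criteria = sessionFactory.getCurrentSession().createCriteria(Park.class);
        criteria.createAlias("users", "u");
        // The ownership restriction is unconditional; only paging is optional.
        criteria.add(Restrictions.eq("u.id", user.getId()));
        if (offset >= 0) {
            criteria.setFirstResult(offset).setMaxResults(elementsPerPage);
        }
        criteria.setResultTransformer(Criteria.DISTINCT_ROOT_ENTITY);
        return (List<Park>) criteria.list();
    }
}

// Filter-chain setup that makes the above work. exceptionHandling() is on by default,
// so ExceptionTranslationFilter is in the chain without being named here.
@EnableWebSecurity
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login", "/public/**").permitAll()   // assumed paths
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout()
                .deleteCookies("JSESSIONID", "remember-me").permitAll()
                .and()
            .anonymous();   // default: unauthenticated requests carry an AnonymousAuthenticationToken
    }
}
```

Two things to check when wiring this in. First, the exception must actually reach the filter: do not catch AccessDeniedException or AuthenticationException in a controller, @ExceptionHandler or @ControllerAdvice, since the filter sits outside the DispatcherServlet and unwraps the ServletException Spring MVC throws around it. Second, for URLs that already require authentication the filter chain denies the request before the DAO is ever called; the in-DAO check is what protects per-user data behind a permitAll URL, which is the situation the answer's "anonymous access allowed, but certain actions require authentication" describes.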