How to return domain records only for authenticated user?

 
Ranch Hand
Posts: 428
I have a RESTful/JSON service that implements form-based authentication. The default dialog box provided by Spring pops up to prompt the user for username and password.

However, my Java code does not know which user it is and returns all the domain records for all the users.

How do I enhance my Java code in my REST server to retrieve the session cookie from the request header and look up the user name from this cookie, so I can enhance my SQL query so that it only returns records for the current user?

Thanks
Siegfried
 
Bartender
Posts: 1682
Be careful with header-based authentication; it's basically as good as having no security at all if you are not careful. Products like SiteMinder use this, but it must be done carefully. What is doing the authentication? Where is the authentication token being stored?

I would use Spring Security for this purpose if you are not already; it will handle all of this for you. The user will authenticate with the form-based authentication, and once the authentication details are verified the Authentication object is stored on the SecurityContextHolder, which is simply a ThreadLocal, making the information you require available to you if you need it. Internally, Spring Security has a SecurityContextPersistenceFilter which stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and clears the SecurityContextHolder when the request completes.

The session ID is passed along with each request and is used to identify that user, and the principal information is cached by the server for the duration of the session.

Honestly, one of the advantages of using Spring Security is that all these details are handled for you already and tested. Have a look at their webpage, documentation and sample projects for more information on getting started.
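The following is an added example, not code from either poster, showing what the answer above describes in practice: a Spring MVC controller that takes the current user's name from the Authentication that Spring Security has already restored into the SecurityContextHolder for this request, and binds it as a parameter of the SQL query. The application code never reads or parses the session cookie itself. The table DOMAIN_RECORD and its columns (ID, OWNER_NAME, NAME, TTL) are assumptions for illustration, as is the use of JdbcTemplate; the Spring Security and Spring MVC classes are real APIs.

```java
// Added example (not from the original thread).
// Assumed: a DOMAIN_RECORD(ID, OWNER_NAME, NAME, TTL) table and a configured DataSource.
import java.util.List;
import java.util.Map;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class DomainRecordController {

    private final JdbcTemplate jdbc;

    public DomainRecordController(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    // Resolve the current user from the SecurityContext that
    // SecurityContextPersistenceFilter restored from the HttpSession
    // for this request. Nothing here touches the session cookie directly.
    static String currentUserName() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken) {
            // Behind a correctly configured filter chain this cannot happen,
            // but fail closed rather than fall back to returning every user's records.
            throw new IllegalStateException("no authenticated user in security context");
        }
        return auth.getName();
    }

    // Only rows owned by the authenticated principal are returned.
    @RequestMapping(value = "/records", method = RequestMethod.GET)
    @ResponseBody
    public List<Map<String, Object>> myRecords() {
        // The user name is a bound parameter; it is never concatenated into the SQL text.
        return jdbc.queryForList(
                "SELECT ID, NAME, TTL FROM DOMAIN_RECORD WHERE OWNER_NAME = ?",
                currentUserName());
    }
}
```

This only works as intended if /records sits behind Spring Security's filter chain with form login configured and the URL marked as requiring authentication; otherwise the request arrives with no Authentication and the fail-closed check in currentUserName() rejects it instead of silently returning all rows. The ownership filter in the WHERE clause is the actual access control here, so it belongs in every query that reads or modifies per-user data, not just this one.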



 
Siegfried Heintze
Ranch Hand
Posts: 428
This seems to work. Thanks!
