How to return domain records only for authenticated user?

 
Ranch Hand
Posts: 420
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have a restful/json service that implements form based authentication. The default dialog box provided by spring pops up to prompt the user for username and password.

However, my java code does not know which user it is and returns all the domain records for all the users.

How do I enhance my java code in my REST server to retrieve the session cookie from the request header and look up the user name from this cookie so I can enhance my SQL query so it only returns records for that current user?

Thanks
Siegfried
 
Bartender
Posts: 1682
7
Android Mac OS X IntelliJ IDE Spring Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Be careful with header based authentication; it's basically as good as having no security at all if you are not careful. Products like SiteMinder use this, but it must be done carefully. What is doing the authentication? Where is the authentication token being stored?

I would use Spring Security for this purpose if you are not already; it will handle all of this for you. The user will authenticate with the form based authentication, and once the authentication details are verified the Authentication object is stored on the SecurityContextHolder, which is simply a ThreadLocal, making the information you require available to you if you need it. Internally Spring Security has a SecurityContextPersistenceFilter which stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and clears the SecurityContextHolder when the request completes.

The session Id is passed along each request and is used to identify that user and the principal information is cached by the server for the duration of the session.

Honestly, one of the advantages of using Spring Security is that all these details are handled for you already and tested. Have a look at their webpage, documentation and sample projects for more information on getting started.



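As an added example (not code from the original post or from Spring itself), this is what the approach described in the reply above looks like in a Spring MVC REST controller backed by JdbcTemplate. The application code never touches the session cookie: Spring Security's filter chain has already turned the JSESSIONID into an Authentication on the SecurityContextHolder by the time the handler runs. The table name domain_record, its columns, and the /records paths are assumptions for illustration.

```java
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Added example: schema (domain_record with id, name, created_at, owner
// columns) and URL paths are assumed, not taken from the original post.
@RestController
public class DomainRecordController {

    private final JdbcTemplate jdbc;

    public DomainRecordController(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Returns only the records owned by the user attached to this request.
    @GetMapping("/records")
    public List<Map<String, Object>> myRecords() {
        String username = currentUsername();

        // The owner filter comes from the server-side principal and is bound
        // as a query parameter; it is never read from the URL, the body or a
        // header, and never concatenated into the SQL string.
        return jdbc.queryForList(
                "SELECT id, name, created_at FROM domain_record WHERE owner = ?",
                username);
    }

    // Single-record lookup: the ownership check is part of the same query, so
    // a user who guesses another user's id gets 404, not that user's data.
    @GetMapping("/records/{id}")
    public Map<String, Object> oneRecord(@PathVariable long id) {
        String username = currentUsername();

        List<Map<String, Object>> rows = jdbc.queryForList(
                "SELECT id, name, created_at FROM domain_record "
                        + "WHERE id = ? AND owner = ?",
                id, username);

        if (rows.isEmpty()) {
            // Same response whether the row does not exist or belongs to
            // someone else, so the endpoint does not leak which ids are taken.
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        }
        return rows.get(0);
    }

    // Reads the principal that SecurityContextPersistenceFilter restored from
    // the HttpSession for this request. Spring Security normally rejects or
    // redirects unauthenticated requests before the controller is reached, so
    // the null check is defensive rather than the primary control.
    private static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        return auth.getName();
    }
}
```

Spring MVC can also hand the current user straight to a handler method as a `java.security.Principal` parameter, which reads the same SecurityContextHolder underneath; either way the point is the same. The owner filter is derived from the server-side session state, never from anything the client sends, and for per-record lookups the id and the ownership condition are checked in one query so that a valid session for user A cannot be used to enumerate user B's records.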
Siegfried Heintze, Ranch Hand
This seems to work. Thanks!
