I have a restful/json service that implements form based authentication. The default dialog box provided by spring pops up to prompt the user for username and password.
However, my Java code does not know which user it is and returns all the domain records for all the users.
How do I enhance my Java code in my REST server to retrieve the session cookie from the request header and look up the user name from this cookie, so I can enhance my SQL query so it only returns records for the current user?
Be careful with header-based authentication; it's basically as good as having no security at all if you are not careful. Products like SiteMinder use this, but it must be done carefully. What is doing the authentication? Where is the authentication token being stored?
I would use Spring Security for this purpose if you are not already; it will handle all of this for you. The user will authenticate with the form-based authentication, and once the authentication details are verified the Authentication object is stored on the SecurityContextHolder, which is simply a ThreadLocal, making the information you require available to you if you need it. Internally, Spring Security has a SecurityContextPersistenceFilter which stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and clears the SecurityContextHolder when the request completes.
The session ID is passed along with each request and is used to identify that user, and the principal information is cached by the server for the duration of the session.
Honestly, one of the advantages of using Spring Security is that all these details are handled for you already and tested. Have a look at their webpage, documentation and sample projects for more information on getting started.
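Putting the answer's SecurityContextHolder point into code, as an added example that is not part of the question or the answer: the controller reads the authenticated username that Spring Security restored for this request and binds it as a parameter of the SQL query, so the cookie itself is never parsed by hand. The table name `domain_record`, its `owner` column and the `/records` path are assumptions for the example; form login is assumed to be configured already.

```java
// Added example (not from the question or answer). Assumes Spring MVC, Spring
// Security form login, a JdbcTemplate bean, and a table "domain_record" with an
// "owner" column holding the username (all assumptions for this illustration).
import java.util.List;
import java.util.Map;

import org.springframework.http.HttpStatus;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class DomainRecordController {

    private final JdbcTemplate jdbcTemplate;

    public DomainRecordController(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    /** Username of the caller, as restored into the ThreadLocal context by Spring Security. */
    static String currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            // Fail closed: an unauthenticated request must never fall back to "all records".
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        return auth.getName();
    }

    @GetMapping("/records")
    public List<Map<String, Object>> myRecords() {
        String owner = currentUsername();
        // The username is a bound parameter, never concatenated into the SQL text,
        // and the WHERE clause scopes the result set to the authenticated user only.
        return jdbcTemplate.queryForList(
                "SELECT id, name, created_at FROM domain_record WHERE owner = ? ORDER BY id",
                owner);
    }
}
```

Spring MVC can also inject `java.security.Principal` as a controller method argument, which is equivalent to `auth.getName()` here; the explicit check above is kept so an anonymous context is rejected rather than silently returning nothing or everything.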