I am developing an application using Spring. I have a trouble about login and logout. I logged in application using a login credentials(e.g. userName:john, pass: doe) and go to Admin page and than I logged out from application. But this time I used different login credentials(e.g. userName: jack, pass: white) for login. When I go to Admin page and debug my application #ModelAttribute(value = "myUser") User loggedInUser at AdminController shows old user value. I couldn't understand why this occurs. Anyone can help?
My source codes are below:
#Controller
#RequestMapping("/LoginController")
#SessionAttributes({"myUser"})
public class LoginController
{
private static String LOGIN_URL = "login/login_";
private static String INDEX_URL = "main/index";
#Autowired
private IUserService userService = null;
#RequestMapping("/login")
public ModelAndView login(#RequestParam(value="userName", required=false) String argUserName, #RequestParam(value="password", required=false) String argPassword, HttpServletRequest req)
{
ModelAndView modelAndView = new ModelAndView();
// Assume argUserName and argPassword not null
User loginUser = this.userService.getUser(argUserName, argPassword);
HttpSession ses = req.getSession();
// Assume loginUser not null
ses.setAttribute("myUser", loginUser);
modelAndView.setViewName(LoginController.INDEX_URL);
return modelAndView;
}
#RequestMapping("/logout")
public String logout(HttpServletRequest argReq, HttpServletResponse argResp) throws ServletException, IOException
{
HttpSession session = argReq.getSession(false);
Enumeration<?> attributeNames = session.getAttributeNames();
while(attributeNames.hasMoreElements())
{
String attrName = (String)attributeNames.nextElement();
if(session.getAttribute(attrName) != null)
{
session.setAttribute(attrName,null);
//session.removeAttribute(attrName);
attributeNames = session.getAttributeNames();
}
}
// close session
session.invalidate();
return LoginController.LOGIN_URL;
}
}
AdminController
#Controller
#RequestMapping("/AdminController")
#SessionAttributes({"myUser"})
public class AdminController
{
private static String SETTINGS_PAGE = "settings/index";
#RequestMapping("/index")
public ModelAndView index(#ModelAttribute(value = "myUser") User loggedInUser, HttpSession ses)
{
ModelAndView modelAndView = new ModelAndView();
Map<String, Object> map = new HashMap<String, Object>();
map.put("loggedInUserId", loggedInUser.getUserID());
map.put("userName", loggedInUser.getUserName());
modelAndView.addAllObjects(map);
modelAndView.setViewName(AdminController.SETTINGS_PAGE);
return modelAndView;
}
}
Remove this annotation
#SessionAttributes({"myUser"})
For starters #SessionAttributes isn't designed to store data in the session between different controllers. Its intended use is only to store data for the same controller in between requests. If you want to store items in the session between requests store them in the session yourself and don't rely on #SessionAttributes. This is also mentioned in the javadoc of the annotation (although a bit cryptic maybe).
If you want to remove object cached by #SessionAttributes you cannot simply clear the session but you would have to use the SessionStatus object (which you can add as an argument) to mark the use of these objects complete.
Your logout method is way to verbose, simply calling session.invalidate() should be enough, but I guess this was one of your attempts to fix things. Also when you are on a Servlet 3.0 container simply calling request.logout() could be enough (or call it in conjunction with session.invalidate())
My final advice would be to use Spring Security instead of trying to develop your own security solution.
Related
I'm using Thymeleaf with Springboot2.1.2 and I have problem accessing session attributes in the templates.
Here's the code:
This is one of the controllers:
#GetMapping("/profile")
public String getProfile(HttpServletRequest request) {
HttpSession session = request.getSession(false);
String email = (String) session.getAttribute("userId");
User user = userService.getProfile(email);
session.setAttribute("user", user);
return "user/profile";
}
And the corresponding view(html):
<body th:object="${session.user}">
//some code using the user object here...
</body>
When I run the application, I got the exception:
java.lang.IllegalStateException: Neither BindingResult nor plain target object for bean name 'session' available as request attribute
I've also tried for #session and something else, they didn't work. However, in another controller, I can access the object by using Model:
#GetMapping("/register/user")
public String registerUser(Model model) {
model.addAttribute("user", new User());
return "user/register";
}
And the view is like:
<form th:object="${user}" method="post" action="#" th:action="#{/register/user}">
//some code using the user object...
</form>
It's driving me crazy since all the tutorials I can find tell me I can access session attributes by ${session.something}, in reality, it doesn't work.
Could you help me?
You are saving the information in the session, this is not visible by thymeleaf. you need to create a model for your thymeleaf template and add the attribute (or the session) to the model and then return that.
#GetMapping("/profile")
public ModelAndView getProfile(HttpServletRequest request) {
User user = userService.getProfile(email);
ModelAndView model = new ModelAndView(NAME_OF_THYMELEAF_PROFILE_FILE);
model.addObject("user",user);
return model;
}
Beware that for the thymeleaf to see the template it needs to be in a default path (resources/templates) or you need to define where your templates are stored.
If you want to use session again the solution is similar.
#GetMapping("/profile")
public ModelAndView getProfile(HttpServletRequest request) {
HttpSession session = request.getSession(false);
User user = userService.getProfile(email);
session.setAttribute("user", user);
ModelAndView model = new
ModelAndView(NAME_OF_THYMELEAF_PROFILE_FILE);
model.addObject("session",session);
return model;
}
UPDATE use model and return String:
#GetMapping("/profile")
public String getProfile(HttpServletRequest request, Model model) {
HttpSession session = request.getSession(false);
String email = (String) session.getAttribute("userId");
User user = userService.getProfile(email);
session.setAttribute("user", user);
model.addAttribute("session", session);
return "user/profile";
}
I used ModelAndView, you can do the same with Model, just instead of addObject() you must use addAttribute().
You should be using Spring-Security with thymeleaf extensions to accomplish what you want. Here is an example of what you want to do. If you follow the example you can access user information as follows:
<div sec:authentication="name"><!-- Display UserName Here --></div>
Please note that for spring-boot 2.1.X you should use the following dependency:
<dependency>
<groupId>org.thymeleaf.extras</groupId>
<artifactId>thymeleaf-extras-springsecurity4</artifactId>
</dependency>
In this Spring Boot application there is a web service, which returns some data for a logged-in user:
#RequestMapping("/resource")
public Map<String, Object> home() {
Map<String, Object> model = new HashMap<String, Object>();
model.put("id", UUID.randomUUID().toString());
model.put("content", "Hello World");
return model;
}
Imagine, the return value of the method depends on what user is currently logged in.
How can I find out, which user is logged in in that method?
As per request:
Spring Boot which uses Spring Security internally provides a SecurityContextHolder class which allows the lookup of the currently authenticated user via:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
The authentication instance now provides the following methods:
Get the username of the logged in user: getPrincipal()
Get the password of the authenticated user: getCredentials()
Get the assigned roles of the authenticated user: getAuthorities()
Get further details of the authenticated user: getDetails()
Since Spring Security 3.2 you can get currently logged in user (your implementation of UserDetails) by adding a parameter inside your controller method:
import org.springframework.security.web.bind.annotation.AuthenticationPrincipal;
#RequestMapping("/resource")
public Map<String, Object> home(#AuthenticationPrincipal User user) {
..
}
Replace User with the name of your class which implements UserDetails interface.
Edit:
Since Spring Security 4.0 annotation was moved to a different package:
import org.springframework.security.core.annotation.AuthenticationPrincipal;
Addendum:
This will work even in WebFlux reactive environment versus the SecurityContextHolder.getContext().getAuthentication() which won't work because of paradigm shift from thread per request model to multiple requests per thread.
You can simply use HttpServletRequest also to get user principle,
using HttpServletRequest request,
String user=request.getUserPrincipal().getName();
One way is to add java.security.Principal as a parameter as follows:
#RequestMapping("/resource")
public Map<String, Object> home(Principal principal) {
Map<String, Object> model = new HashMap<String, Object>();
model.put("id", UUID.randomUUID().toString());
model.put("content", "Hello " + principal.getName());
return model;
}
Since version 5.2 you can use CurrentSecurityContext annotation:
#GetMapping("/hello")
public String hello(#CurrentSecurityContext(expression="authentication?.name")
String username) {
return "Hello, " + username + "!";
}
In Spring boot v2.1.9.RELEASE if you are trying to get the name, email, given_name you can get those details from Pricipal.
Note: I am using spring security with google oauth2.
Map<String , Object> userDetails = ((DefaultOidcUser)SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getAttributes();
System.out.println(userDetails.get("name"));
System.out.println(userDetails.get("email"));
System.out.println(userDetails.get("given_name"));
Recently using Keycloak authentication server and accessing currently logged-in user data is accessible like this
String userID;
KeycloakPrincipal kcPrincipal = getPrincipal();
KeycloakSecurityContext ksContext = kcPrincipal.getKeycloakSecurityContext();
IDToken idToken = ksContext.getToken();
userID = idToken.getName();
Im using spring boot 2.0 with OAuth so I'm doing it like this
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
Object pricipal = auth.getPrincipal();
String user="";
if (pricipal instanceof DefaultOidcUser) {
user = ((DefaultOidcUser) pricipal).getName();
}
You can find the currently logged in user name without using any spring Security features.
All you need is a jdk 1.8
Do the following :
#RequestMapping("/login")
#Override
public ModelAndView AuthChecker(#RequestParam("email") String email, #RequestParam("password") String password, Customers cust) {
ModelAndView mv = new ModelAndView("index");
if((repo.findByEmail(email)!=null) && (repo.findByPassword(password)!=null)) {
List<Customers> l= repo.findAll();
cust = (Customers) l.stream()
.filter(x -> email.equals(x.getEmail()))
.findAny()
.orElse(null);
mv.addObject("user",cust.getName());
mv.setViewName("DashBoardRedirect");
return mv;
Once name fetched successfully, you can use the same in any jsp/thymeleaf view.
How do I enhance the Controller below to utilize Spring MVC's Flash Attributes? The use case is a copy function.
POST/REQUEST/GET implementation:
client clicks "copy" button in the UI
server sets the response "Location" header
client redirects to "path/to/page?copy"
server provides ModelAndView
client (jQuery success function) sets window.location
FooController redirect method:
#RequestMapping(value = "{fooId}", method = POST, params = { "copy" })
#Transactional
#ResponseStatus(CREATED)
public void getCopyfoo(#PathVariable String fooId,
HttpServletResponse response, RedirectAttributes redirectAttrs) {
response.setHeader("Location", uriPath);
//no worky?!:
redirectAttrs.addFlashAttribute("barKey", "barValue");
}
FooController get method:
#RequestMapping(value = "{fooId}", method = GET)
#Transactional(readOnly = true)
public ModelAndView findFooById(#PathVariable String fooId,
HttpServletRequest request){
Map<String, ?> map = RequestContextUtils.getInputFlashMap(request);
// map is empty...
return modelAndViewFromHelperMethod();
}
I'm affraid that RedirectAttributes work only with RedirectView,
so Your controller should return for example:
1. String: "redirect:/[uriPath]"
2. new RedirectView([uriPath])
If you realy need to handle server response with JS, then maybe handling HTTP status 302 would help.
An item is displayed at this URL:
/item/10101
using this Controller method:
#RequestMapping(value = "/item/{itemId}", method = RequestMethod.GET)
public final String item(HttpServletRequest request, ModelMap model,
#PathVariable long itemId)
{
model = this.fillModel(itemId);
return "item";
}
The page contains a form that submits to the following method in the same controller:
#RequestMapping(value = "/process_form", method = RequestMethod.POST)
public final String processForm(HttpServletRequest request,
#ModelAttribute("foo") FooModel fooModel,
BindingResult bindResult,
ModelMap model)
{
FooModelValidator validator = new FooModelValidator();
validator.validate(FooModel, bindResult);
if (bindResult.hasErrors())
{
model = this.fillModel(fooModel.getItemId());
return "item";
}
return "account";
}
If the validator finds errors in the form, it redisplays the item but instead of displaying it at the original url:
/item/10101
it displays it at its own url:
/process_form
Is it possible to redisplay the form at the original URL?
/item/10101
(I've tried getting the referrer and redirecting to it in processForm but then all of the model contents end up displayed as URL name/value pairs:)
#RequestMapping(value = "/process_form", method = RequestMethod.POST)
public final String processForm(HttpServletRequest request,
#ModelAttribute("foo") FooModel fooModel,
BindingResult bindResult,
ModelMap model)
{
String referrer = request.getHeader("referer");
FooModelValidator validator = new FooModelValidator();
validator.validate(FooModel, bindResult);
if (bindResult.hasErrors())
{
model = this.fillModel(fooModel.getItemId());
return "redirect:" + referrer;
}
return "account";
}
Short answer: No.
What happens is a server-side redirect (forward), which is within the same request, and so the submitted values are preserved (and displayed in the form)
The url will change if you use a client-side redirect (return "redirect:item";), but in that case a new request will come and the submitted values will be lost.
But here are two options that you have:
use the same URL in the mappings for both methods and distinguish them based on request method - GET for the former, POST for the latter. This might be confusing, so document it.
find / implement flash scope for spring-mvc. There's nothing built-in. The flash scope means that values are preserved (in the session usually) for a submit and the subsequent redirect. This option includes the manual handling, by putting the submitted object in the session, and later retrieving & removing it
I'm using Spring Security 3 and Spring MVC 3.05.
I would like to print username of currently logged in user,how can I fetch UserDetails in my Controller?
#RequestMapping(value="/index.html", method=RequestMethod.GET)
public ModelAndView indexView(){
UserDetails user = ?
mv.addObject("username", user.getUsername());
ModelAndView mv = new ModelAndView("index");
return mv;
}
If you already know for sure that the user is logged in (in your example if /index.html is protected):
UserDetails userDetails =
(UserDetails)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
To first check if the user is logged in, check that the current Authentication is not a AnonymousAuthenticationToken.
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (!(auth instanceof AnonymousAuthenticationToken)) {
// userDetails = auth.getPrincipal()
}
Let Spring 3 injection take care of this.
Thanks to tsunade21 the easiest way is:
#RequestMapping(method = RequestMethod.GET)
public ModelAndView anyMethodNameGoesHere(Principal principal) {
final String loggedInUserName = principal.getName();
}
If you just want to print user name on the pages, maybe you'll like this solution. It's free from object castings and works without Spring Security too:
#RequestMapping(value = "/index.html", method = RequestMethod.GET)
public ModelAndView indexView(HttpServletRequest request) {
ModelAndView mv = new ModelAndView("index");
String userName = "not logged in"; // Any default user name
Principal principal = request.getUserPrincipal();
if (principal != null) {
userName = principal.getName();
}
mv.addObject("username", userName);
// By adding a little code (same way) you can check if user has any
// roles you need, for example:
boolean fAdmin = request.isUserInRole("ROLE_ADMIN");
mv.addObject("isAdmin", fAdmin);
return mv;
}
Note "HttpServletRequest request" parameter added.
Works fine because Spring injects it's own objects (wrappers) for HttpServletRequest, Principal etc., so you can use standard java methods to retrieve user information.
That's another solution (Spring Security 3):
public String getLoggedUser() throws Exception {
String name = SecurityContextHolder.getContext().getAuthentication().getName();
return (!name.equals("anonymousUser")) ? name : null;
}
if you are using spring security then you can get the current logged in user by
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String name = auth.getName(); //get logged in username
You can use below code to find out principal (user email who logged in)
org.opensaml.saml2.core.impl.NameIDImpl principal =
(NameIDImpl) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
String email = principal.getValue();
This code is written on top of SAML.