Skip to main content

SecurityContextPersistenceFilter

This bean is configured as shown below:
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
This bean has two main tasks and they are very important
  • In a typical web application like Skyphoto the user will login once and then subsequently do several operations or click several links and buttons generating several authenticated requests to the server. Since the user was authenticated once it is important to store the security context somewhere and by some means. Otherwise he/she has to authenticate for each request and will sooner or later never use Skyphoto. In a typical web application you will store an user object in HttpSession and each time a request comes in, the server identifies this session with a session id and you get the user object. It is the responsibility of the server to cache/store and manage these session objects during the lifetime of the session.
“In Spring Security, the responsibility for storing the SecurityContext between requests falls to the SecurityContextPersistenceFilter, which by default stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request….”
  • The SecurityContextPersistenceFilter stores the security context in ThreadLocal for the current execution. Hence it is essential to clear this thread local object in a web application as the server uses a pool of thread and chances are that this thread will be reused. If this security context is not cleared there is a high possibility that the set information will be used for request from a different user leading to unpredictable results and possible violation of security.
The SecurityContextPersistenceFilter takes care of clearing the security context object from thread local once the request completes.
This filter MUST be executed BEFORE any authentication processing filter. Authentication processing mechanisms used in those filters expect the SecurityContextHolder to contain a valid SecurityContext by the time they execute.
The task of saving and retrieving the security context is delegated to a separate strategy interface SecurityContextRepository. The interface is shown below:
public interface SecurityContextRepository {
  SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
  void saveContext(SecurityContext context, HttpServletRequest request,
         HttpServletResponse response);
}
“The HttpRequestResponseHolder is simply a container for the incoming request and response objects, allowing the implementation to replace these with wrapper classes. The returned contents will be passed to the filter chain.”
The default implementation of SecurityContextRepository is the HttpSessionSecurityContextRepository class. As the name suggests it stores the security context as an HttpSession attribute.This class has an important attribute - allowSessionCreation  which by default is set to true. Hence this class can create a new session if it needs to for storing security context of an authenticated user. Note that session is only created after authentication is done and contents of security context now has been changed with authenticated user information. If you want to prevent session creation, then set this parameter to false. A sample configuration is shown below.
<bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> <property name='securityContextRepository'>
<bean class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'> <property name='allowSessionCreation' value='false' />
</bean>
</property>
</bean>
Labels:

Comments

Post a Comment

Popular posts from this blog

Breaking down the CRM monolith

In my previous posts, I have shared some theory regarding microservices. But it's time to start some implementation. I love to write code and see and feel things working. So I will start a series to refactor a monolithic CRM system and transform it into microservices based flexible software. Big ball of mud. Customer Relationship Management(CRM) is that giant software which existed since time immemorial and is used by all companies in some form or shape. Big enterprises will buy CRM software (also known as packages) from top CRM vendors like Oracle, SAP, Salesforce etc and then employ an army of consultants to try and implement it. Most of the classic CRM systems in the market today, even if deployed on the cloud are the big monolithic ball of mud. They are the gigantic piece of software with the huge feature set. Most often those requirements are surplus to the requirement or they will not fit into the processes of the company. So the company has to hire these certified consu...
1 comment
Read more

Part 3 - Integrating Tiles, Thymeleaf and Spring MVC 3

In this post I will demonstrate how to integrate Apache Tiles with Thymeleaf. This is very simple. The first step is to include the tiles and thymeleaf-tiles extension dependencies. I will include them in the pom.xml. Note we wil lbe using Tiles 2.2.2 Listing 1 - parent/pom.xml --- thymeleaf-tiles and tiles dependencies <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <!-- Tiles --> <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --> <dependency> <groupId>org.apache.tiles</groupId> <artifactId>tiles-core</artifactId> <version>${tiles.version}</version> <scope>compile</scope> </dependency> <dependency> <groupId>org.apache.tiles</groupId> <artifactId>tiles-template</artifactId> <version>${tiles.version}</version> <scope>compile</s...
5 comments
Read more

CKEDITOR 3.x - Simplest Ajax Submit Plugin

  I have assumed that you have downloaded and got started with CKEDITOR. Step 1 – The html file is shown below: <html> <head> <title>Writer</title> <meta content="text/html; charset=utf-8" http-equiv="content-type" /> <script type="text/javascript" src="ckeditor/ckeditor.js"></script> <script type="text/javascript" src="js/jquery-1.4.2.min.js"></script> <style> .cke_contents { height: 400px !important; } </style> </head> <body> <form action="sample_posteddata.php" method="post"> <textarea id="editor" > </textarea> <script type="text/javascript"> //<![CDATA[ CKEDITOR.replace( 'editor', { fullPage : true, uiColor : '#9AB8F3', toolbar : 'MyToolbar' }); //]]> </script> </form> </body> </html> Note that the jquery js...
3 comments
Read more