Accessing session scoped objects
I am really stumped on how to do this. I've developed my app with Spring, RichFaces, and Hibernate. I first developed without security. Now, I'm trying to go back and lock down the app and I've hit a brick wall.
I've got security configured and am able to simulate a pre-authenticated user (ie. username is in the request header). Spring security finds the user name and correctly calls my UserDetailsService.loadUserByUsername.
There is where I start to experience my problem. I could load the roles of the username passed in, but the security scenario for this app is not that simple. According to 2 other data points (lets just call them 'Region'), the security for a user changes. For example, in Region 1, jdoe can do x, y, z. In Region2 jdoe can do a, b, c, z and so on.
I have the Region information in a User object that is in the Spring container stored in the 'session' scope.
My issue is I have no way to get a hold of that session scoped User object into my UserService implementation.
private User user;
This does not work because it does not appear that security can reference anything in the session scope.
Any suggestions would be GREATLY appreciated!! I am really under the gun now!