
Thread: Suggestion for session management in a legacy app

  1. #1


    Hello,
    I'm adding Spring Security to an application which is currently using its own security management implementation. This application is saving some information in the session upon a successful login. This information is needed by the other application pages and hence I need to do the same with Spring Security.

    The SessionManagementFilter seems to be the perfect solution for me: I can add a sessionManagementFilter to my filter chain and add my session initialization custom code in the onAuthentication method.

    The problem is that the SessionManagementFilter is invoked only when a non-interactive login has been performed. This means that if I login interactively (for instance through a username+password login form), the SessionManagementFilter.onAuthentication is not invoked and hence my session initialization code is not executed.
    What I need to do is to call my code also in an AuthenticationSuccessHandler.

    However, this need to call the same code in two different places makes me think that there might be a better way to solve my problem; however, I can't understand what it might be.

    On the other hand, I still think the SessionManagementFilter nature should be perfect to perform such tasks, but my feeling is that the actual use-cases that led the Spring Security team to create and implement that filter in this way were just the ones for which implementations have been provided (i.e. protection against session-fixation attacks and concurrent session control), and for these use cases the current SessionManagementFilter invocation scheme is just appropriate.

    Any suggestions from the Spring Security experts would be really appreciated.

    Thanks in advance,
    Mauro.

  2. #2
    Join Date: Dec 2008 | Location: New York City | Posts: 134

    Quote Originally Posted by mauromol (post #1, quoted in full)
    You might take a look at a custom AuthenticationSuccessHandler using SimpleUrlAuthenticationSuccessHandler as a reference.
    Andrew Thompson - Linked In

  3. #3


    Yes I know, and as I wrote this is what I am doing (i.e. call the session initialization code in both a custom AuthenticationSuccessHandler and in a custom SessionAuthenticationStrategy). My question was if there's a better way to do this, since I think this is quite a common use case and I was surprised to see that Spring Security seems not to cover it natively, so that I'm forced to do the initialization "twice" (based on the type of authentication that is taking place).
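
The two entry points the thread settles on (a custom AuthenticationSuccessHandler for form login, as Andrew suggests, and a custom SessionAuthenticationStrategy for the SessionManagementFilter path) can share one initializer so the session set-up logic exists in a single class. The code below is an added illustration written for this thread, not code posted by either participant or shipped by Spring Security; the class names LoginSessionInitializer, InitializingSuccessHandler and InitializingSessionStrategy and the session attribute keys are assumptions. It targets the Spring Security 3.x API in which SessionAuthenticationStrategy and SessionFixationProtectionStrategy live in org.springframework.security.web.authentication.session; whether the interactive path can also be routed through the same strategy bean depends on the version in use, so the example only removes the duplicated initialization code, which is the minimal fix for what the thread describes.

```java
// Added example (not from the thread): one shared session initializer, invoked
// from both the interactive (form login) and the non-interactive path.
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

/** The single place that knows what the legacy pages expect to find in the session. */
public class LoginSessionInitializer {
    // Attribute names are assumptions standing in for whatever the legacy app uses.
    public static final String USER_KEY = "legacy.username";
    public static final String LOGIN_TS_KEY = "legacy.loginTimestamp";

    public void initialize(HttpServletRequest request, Authentication authentication) {
        // getSession() is called here, after any session-fixation handling has run,
        // so the attributes land in the session the client will actually keep using.
        HttpSession session = request.getSession();
        session.setAttribute(USER_KEY, authentication.getName());
        session.setAttribute(LOGIN_TS_KEY, System.currentTimeMillis());
    }
}

/** Interactive path: the form-login filter ends in the success handler. */
class InitializingSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
    private final LoginSessionInitializer initializer;

    InitializingSuccessHandler(LoginSessionInitializer initializer) {
        this.initializer = initializer;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        initializer.initialize(request, authentication);
        // Keep the stock behaviour (redirect to the saved request or default target).
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

/** Non-interactive path: SessionManagementFilter hands the new Authentication to this strategy.
 *  Delegate to the stock session-fixation protection first, then populate the fresh session. */
class InitializingSessionStrategy implements SessionAuthenticationStrategy {
    private final SessionAuthenticationStrategy delegate = new SessionFixationProtectionStrategy();
    private final LoginSessionInitializer initializer;

    InitializingSessionStrategy(LoginSessionInitializer initializer) {
        this.initializer = initializer;
    }

    @Override
    public void onAuthentication(Authentication authentication, HttpServletRequest request,
                                 HttpServletResponse response) throws SessionAuthenticationException {
        delegate.onAuthentication(authentication, request, response);
        initializer.initialize(request, authentication);
    }
}
```

Wire a single LoginSessionInitializer bean into both the success handler registered on the form-login filter and the strategy registered on the SessionManagementFilter. Ordering in the strategy matters: session-fixation protection may replace the session, so populating attributes before delegating would risk writing them into the session that is about to be discarded.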
