With the introduction of Spring Security 2.0.2 we are revisiting the way we coded session management, i.e. we retrieve the user credentials from the database and store them in the HttpSession object. We also store the same info in a ThreadLocal variable so that it's available to Spring beans in the business layer. We use JSF in the presentation layer. Here is the code snippet:

Code:

    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpSession;

    // Get the current HTTP session through JSF, creating one if none exists
    final HttpSession userSession = (HttpSession) FacesContext.getCurrentInstance()
            .getExternalContext().getSession(true);

    // userInfo is a lightweight POJO with attributes userId, userRoles
    this.userInfo.setUserId(this.userId);
    this.userInfo.setUserRoles(this.userRoles);
    userSession.setAttribute("userInfo", this.userInfo);

    // UserInfoHolder is a ThreadLocal variable
    UserInfoHolder.setUserInfo(this.userInfo);

Any pointers/suggestions on how to rewrite this code using the Spring Security 2.0.2 framework will be highly appreciated. Currently I am able to get user credentials from the User class, which implements UserDetails. But if I replace my old code with the User class, how do I handle session timeouts, session management, etc.?


