Thread: Session per user

  1. #1
    Join Date
    Aug 2005
    Location
    Orlando, FL
    Posts
    20

    Session per user

    I have a requirement that session.login be called with the user that is logged into a web application. (The web application uses Spring Security.) The password is not important as the web application has already authenticated the user. But passing in the user on login is important as it enables features like auditing the user's behavior. I can envision a configurable credentials "strategy" in SE-JCR's SessionFactory implementation. One strategy implementation would be to get the current user from Spring Security and create a SimpleCredentials from it. Another strategy implementation would simply return a hard-coded Credentials instance. From what I can tell, this approach will work; however, I am concerned that the presence of transactions might cause problems. For example, is it ever possible that UserB would get a session from a transaction in progress with a session for UserA? I would be more comfortable if I could have an assert that checks the user on a session before using it, but where would that code go?

    In general, SE-JCR assumes that sessions are created by logging in as a "master" user much like is done for JDBC. Do you find this to be a common paradigm? Has no one asked for per-user sessions yet?

    Thanks for any feedback!

    CredentialsStrategy:
    Code:
    public interface CredentialsStrategy {
      Credentials getCredentials();
    }
    SpringSecurityCredentialsStrategy:
    Code:
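    public class SpringSecurityCredentialsStrategy implements CredentialsStrategy {
    
      public Credentials getCredentials() {
        String username = getUsername();
        // The password is a placeholder; the web application has already authenticated the user.
        return new SimpleCredentials(username, "ignored".toCharArray());
      }
    
      private String getUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    
        // getAuthentication() returns null when no user is authenticated on this thread.
        if (auth == null) {
          throw new IllegalStateException("No authenticated user in the security context");
        }
    
        if (auth.getPrincipal() instanceof UserDetails) {
          return ((UserDetails) auth.getPrincipal()).getUsername();
        } else {
          return auth.getPrincipal().toString();
        }
      }
    }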
    ConstantCredentialsStrategy:
    Code:
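    public class ConstantCredentialsStrategy implements CredentialsStrategy {
    
      // Returned unchanged for every login; null unless set through the constructor.
      private Credentials credentials;
    
      /**
       * Null credentials.
       */
      public ConstantCredentialsStrategy() {
        super();
      }
      
      public ConstantCredentialsStrategy(final Credentials credentials) {
        super();
        this.credentials = credentials;
      }
    
      public Credentials getCredentials() {
        return credentials;
      }
    }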
    CredentialsStrategySessionFactory:
    Code:
    public class CredentialsStrategySessionFactory implements InitializingBean, DisposableBean, SessionFactory {
    // rest omitted
    
      public Session getSession() throws RepositoryException {
          Session session = repository.login(credentialsStrategy.getCredentials(), workspaceName);
          return addListeners(session);
      }
    
    // rest omitted
    }
    Mat Lowery
    Pentaho Developer
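
One place the assert asked about in the first post could live, as an added example that is not part of the thread or of SE-JCR: a guard that compares `Session.getUserID()` with the authenticated user each time a session is handed out, including one reused from a transaction in progress. `SessionOwnerGuard`, its `currentUser` supplier and `fakeSession` are hypothetical names, and the user names are constructed.

```java
import java.lang.reflect.Proxy;
import java.util.function.Supplier;
import javax.jcr.Session;

/** Added example: fail closed if a JCR session belongs to someone other than the caller. */
public final class SessionOwnerGuard {

  private final Supplier<String> currentUser; // hypothetical hook, e.g. backed by Spring Security

  public SessionOwnerGuard(Supplier<String> currentUser) {
    this.currentUser = currentUser;
  }

  /** Returns the session unchanged if its user ID matches the current user; throws otherwise. */
  public Session check(Session session) {
    String expected = currentUser.get();
    String actual = session.getUserID(); // javax.jcr.Session#getUserID()
    if (expected == null || !expected.equals(actual)) {
      // Fail closed and leave the session untouched; it may be in use by its real owner.
      throw new SecurityException(
          "JCR session user '" + actual + "' does not match authenticated user '" + expected + "'");
    }
    return session;
  }

  // Constructed stand-in for a repository session: only getUserID() is answered.
  static Session fakeSession(String userId) {
    return (Session) Proxy.newProxyInstance(
        Session.class.getClassLoader(),
        new Class<?>[] {Session.class},
        (proxy, method, args) -> {
          if ("getUserID".equals(method.getName())) return userId;
          throw new UnsupportedOperationException(method.getName());
        });
  }

  public static void main(String[] args) {
    SessionOwnerGuard guard = new SessionOwnerGuard(() -> "userB"); // constructed current user
    guard.check(fakeSession("userB")); // session and caller agree
    try {
      guard.check(fakeSession("userA")); // UserB handed a session opened for UserA
      throw new AssertionError("mismatch was not detected");
    } catch (SecurityException rejected) {
      System.out.println("rejected: " + rejected.getMessage());
    }
  }
}
```

Calling `check` on the value returned by `getSession()` puts the comparison on every path that yields a session, whether it was freshly logged in or bound to an existing transaction.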

  2. #2
    Join Date
    Jul 2009
    Posts
    10

    I have the same problem and I have not seen any good solution in months. Spring-jcr handles a JCR connection like a JDBC one, but I don't believe this is a good choice because in Jackrabbit access to the repository nodes or properties is managed by an AccessManager, and this is not possible if all web users log into a Jackrabbit repository with the same credentials.

  3. #3
    Join Date
    May 2009
    Location
    Rome
    Posts
    22

    You're right, we absolutely must do this; otherwise it is useless. I'll open an issue so we can quickly track this and release it soon. If you need this patch, I can create a snapshot before the release of version 1.0 with COM and Jackrabbit 2.0. What do you think?

  4. #4
    Join Date
    Aug 2005
    Location
    Orlando, FL
    Posts
    20

    I don't need this patch immediately but thank you for the quick response.
    Mat Lowery
    Pentaho Developer

  5. #5
    Join Date
    Jul 2009
    Posts
    10

    Salvatore, post the issue URL so I can subscribe and be notified when it changes. Cheers!

  6. #6
    Join Date
    May 2009
    Location
    Rome
    Posts
    22

  7. #7
    Join Date
    Jun 2006
    Posts
    27

    Patch

    Salvatore,

    Is this patch in the repository now?

    Could you include it in Maven so I can take a look at it?

    Thanks
