Thread: Reload/Update custom UserDetails without logging out

  1. #1
    Join Date
    Mar 2010
    Posts
    7

    Reload/Update custom UserDetails without logging out

    I'm using Spring Security 3 with CAS to manage my authentication.

    I have a requirement where I need to update my custom UserDetails object. This currently holds the authorities and user information like name, address etc.

    Is there a way to modify the UserDetails object and reload it in the context without forcing the user to log in again?

  2. #2
    Join Date
    Jul 2008
    Location
    Washington DC
    Posts
    67

    I would think all you'd have to do is call loadUserDetails from your UserDetailsService. Maybe the only other piece to it is to update the Authentication object that's in the security context holder. But I'm not quite clear on that part of it. Luke, et al, am I on the right track?

  3. #3
    Join Date
    Jul 2008
    Location
    Washington DC
    Posts
    67

    Here's a blog about doing this:

    http://blog.lourish.com/2010/03/10/u...ity-in-grails/

    Following on from my post on how to log in a user using the Grails Acegi/Spring Security plugin I stumbled into a new use for the same code when I tried to update a user’s own details while logged in. The security plugin caches the user’s domain object so any changes are not seen until the next login (wholly unhelpful when you’re trying to implement account management on a Website!).
    It's from a Grails perspective, but the concept should be the same.

  4. #4
    Join Date
    Mar 2010
    Posts
    7

    Quote Originally Posted by djKianoosh
    I would think all you'd have to do is call loadUserDetails from your UserDetailsService. Maybe the only other piece to it is to update the Authentication object that's in the security context holder. But I'm not quite clear on that part of it. Luke, et al, am I on the right track?
    Thanks djKianoosh.

    I did try calling loadUserDetails(), but it does not update the userdetails object in the securitycontext. Will look into the Grails implementation and get back...

  5. #5
    Join Date
    Mar 2010
    Posts
    7

    Quote Originally Posted by djKianoosh
    Here's a blog about doing this:

    http://blog.lourish.com/2010/03/10/u...ity-in-grails/

    It's from a Grails perspective, but the concept should be the same.
    The blog uses a simple new UsernamePasswordAuthenticationToken() to update the user. But in my case, I use CAS and I do not think I can get/modify a CasAuthenticationToken to hold the updated userdetails.

    Any pointers on how I can go about it?

  6. #6
    Luke Taylor, Senior Member, Acegi Security System Team, Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    You can store any implementation of the Authentication interface you want in the SecurityContext. It doesn't have to be a CasAuthenticationToken.
    Spring - by Pivotal
    twitter @tekul

  7. #7
    Join Date
    Jul 2008
    Location
    Washington DC
    Posts
    67

    I don't use CAS, but if it's like any other PreAuth scenario, you can use PreAuthenticatedAuthenticationToken instead of UsernamePasswordAuthenticationToken

    something like..
    Code:
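    @Override
    public UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException {
    	// Cast to the pre-authenticated token type this service is wired for
    	final PreAuthenticatedAuthenticationToken userToken = (PreAuthenticatedAuthenticationToken) token;
    	// username must be declared before it is used in the log statement
    	String username = userToken.getName();
    	logger.debug("Loading userDetails for " + username);
    	String password = (String) token.getCredentials();
    	// Build a fresh UserDetails carrying the roles currently stored for this user
    	return new User(username,password,true,true,true,true,getRoles(username));
    }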

  8. #8
    Join Date
    Mar 2010
    Posts
    7

    Quote Originally Posted by Luke Taylor
    You can store any implementation of the Authentication interface you want in the SecurityContext. It doesn't have to be a CasAuthenticationToken.
    Hi Luke,

    I tried to set my updated userdetails in the authentication object to do something like this..

    SecurityContextHolder.getContext().setAuthentication( new someAuthentication());

    Since I use Cas, I thought I would need to use a CasAuthenticationToken.

    Let me know if I'm on the right path to add the updated userDetails to securityContext.
    Last edited by hprasanna84; Apr 14th, 2010 at 04:43 PM.

  9. #9
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    That should be fine. Are you replacing the Authentication object that is already there? Or just updating the UserDetails attached to it?

    Take care when replacing that you don't inadvertently introduce a security risk.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
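
The replacement discussed in this thread, written out as an added example (not code from any of the posters or from the Spring Security project). The class name `UserDetailsRefresher` is hypothetical, and the sketch assumes a standard `UserDetailsService` bean and the Spring Security 3.x API. It shows the checks that keep the swap from becoming the kind of risk mentioned in the last post.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical helper; name and structure are assumptions, not from the thread. */
public class UserDetailsRefresher {

    private final UserDetailsService userDetailsService;

    public UserDetailsRefresher(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /** Call within a request of the logged-in user, after their stored data changed. */
    public Authentication refreshCurrentUser() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current == null || !current.isAuthenticated()
                || current instanceof AnonymousAuthenticationToken) {
            throw new IllegalStateException("No authenticated user to refresh");
        }

        // The identity comes only from the existing Authentication, never from a
        // request parameter, so a refresh cannot move the session to another user.
        UserDetails fresh = userDetailsService.loadUserByUsername(current.getName());

        // Do not re-issue a token for an account disabled, locked or expired since login.
        if (!fresh.isEnabled() || !fresh.isAccountNonLocked() || !fresh.isAccountNonExpired()) {
            SecurityContextHolder.clearContext();
            throw new DisabledException("Account is no longer active: " + fresh.getUsername());
        }

        // Any Authentication implementation may be stored in the context. Authorities
        // are taken from the reloaded record, not copied from the old token.
        PreAuthenticatedAuthenticationToken replacement = new PreAuthenticatedAuthenticationToken(
                fresh, current.getCredentials(), fresh.getAuthorities());
        replacement.setDetails(current.getDetails()); // keep remote address / session id

        SecurityContextHolder.getContext().setAuthentication(replacement);
        return replacement;
    }
}
```

After the swap the context no longer holds a `CasAuthenticationToken`, so any code that reads the CAS assertion from the token will not find it.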

