
Thread: HttpSession not to be used with Spring Security for storing values??

  1. #1
    Join Date
    Jun 2009
    Posts
    106

    HttpSession not to be used with Spring Security for storing values??

    Hi everybody,

    I got a very simple question. I have scoured the internet but have not come up with anything concrete.

    I have applied Spring Security 3.0.5 to an existing Spring MVC web app. I used to store values/attributes in HttpSession before, i.e. some String value OR a class.

    I understand now that I should not use HttpSession to store any custom values.
    This is as per the Spring documentation here:
    "You shouldn't interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead."
    http://static.springsource.org/sprin...-overview.html

    Question: How can I store my custom values in session with Spring Security? Do I need to store it in the SecurityContext OR can I still use HttpSession? I looked into that and I did not find anywhere where I can store values....
    Ultimately even Spring Security uses HttpSession to store the SecurityContext.


    Please advise. Thank you.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    The section you are referring to is called "Storing the SecurityContext between requests". It's talking about accessing the SecurityContext object directly in the session.

    There's nothing to stop you storing your own data in the session separately.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Jun 2009
    Posts
    106


    That's good to know, BUT what is the best practice for storing session attributes with respect to Spring Security?
    I heard from some colleagues that the "security context" is where you should ideally store session info because it would be more "secure".

    I mean, isn't that possible? Shouldn't Spring Security also encrypt or secure HttpSession somehow? And then we save to that session.... isn't that the point?

    Seems like the Spring security context is just a wrapper for the authentication object....

    OR are you saying that in a web app, there will be an HttpSession established regardless that would contain the Spring Security context as just one attribute of the HttpSession.... essentially the HttpSession is one giant container with lots of stuff put in it, and Spring Security also makes use of the HttpSession by putting its own stuff in it...

    For any custom attributes, I will store them as I always have, directly in the HttpSession?
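An added illustration of the separation Luke describes in #2 (this is example code written for this page, not the Spring project's own and not posted by either participant): a Spring MVC controller that takes identity only from the SecurityContextHolder and keeps ordinary application state in the HttpSession under its own key. It assumes Spring Security 3.0.5 as in the thread; the package, controller, view and attribute names are hypothetical.

```java
// Hypothetical package and class names; assumes Spring MVC + Spring Security 3.0.5.
package example.web;

import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class CartController {

    // Application attribute key. Chosen so it cannot collide with the key
    // Spring Security uses for its own session entry ("SPRING_SECURITY_CONTEXT").
    private static final String CART_ATTR = "example.cart";

    @RequestMapping("/cart/add")
    public String add(@RequestParam("item") String item,
                      HttpSession session, Model model) {
        // Who the user is comes from the SecurityContext that Spring Security
        // repopulates on every request; never read or write it via session attributes.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return "redirect:/login";
        }
        String username = auth.getName();

        // Plain application state goes in the session exactly as before.
        @SuppressWarnings("unchecked")
        List<String> cart = (List<String>) session.getAttribute(CART_ATTR);
        if (cart == null) {
            cart = new ArrayList<String>();
            session.setAttribute(CART_ATTR, cart);
        }
        cart.add(item);

        // Authorization decisions should also come from auth.getAuthorities(),
        // not from a role string someone once stored as a session attribute.
        model.addAttribute("user", username);
        model.addAttribute("cart", cart);
        return "cart";
    }
}
```

The session itself is server-side state keyed by the session cookie, so nothing in it is sent to the browser and there is nothing for Spring Security to encrypt; the practical rule is that identity and authorities are read from the Authentication object while custom attributes stay application data.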
