Hi everybody,
I got a very simple question. I have scoured the internet but have not come up with anything concrete.
I have applied Spring Security 3.0.5 to an existing Spring MVC web app. I used to store values/attributes in HttpSession before, i.e. some String value or a class.
I understand now that I should not use HttpSession to store any custom values.
This is as per Spring documentation here:
http://static.springsource.org/sprin...-overview.html
"You shouldn't interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead."
Question: How can I store my custom values in session with Spring Security? Do I need to store it in the SecurityContext OR can I still use HttpSession? I looked into that and I did not find anywhere where I can store values...
Ultimately even Spring Security uses HttpSession to store the SecurityContext.
Please advise. Thank you.


