How to ensure the user is logged into the system at the controller level?

I'm using spring MVC, and I have a custom authentication/security system that I had to build.

NOTE:  I know of spring security, but my requirements were to do this in a custom way so please not looking for suggestions about using spring's security modules.

When the user logs into the system, it creates a session cookie. When the user visits a page, a interceptor looks for the existance of that cookie, and looks up the session guid in mysql and if it is present that it loads some data and stores it in the request's attributes.

Now for pages where the user has to be logged in, how can I restrict access at the controller level?

I could do this in an interceptor:

if url.contains("projects/") ...

If I want to restrict access to only logged in users in the ProjectController, but this isn't really something I want to do.

But I am looking for maybe a annotation I could add at the controller level, or maybe somehow create a BaseController that all controllers that require a loggedin user will inherit from.

What are my options for something like this?

In ASP.NET, I created a baseController, and the controller has an event cycle, and in the before-action fired event I checked to see if the user was logged in.

So looking for suggestions for spring mvc?

Update

For example, in ASP.NET you have 2 methods, 1 that fires just before the controller's action method and one that fires after:

Controller.OnActionExecuting 
Controller.OnActionExecuted

http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.onactionexecuting.aspx

So in the OnActionExecuting, I can actually see exactly which controller I am in, and which action is about to get called in a programatic way, not by looking at the request URL and then doing string compares to see if it is a particular controller etc.

So in this event, I can simply check for things in cookies or in my request attributes etc.

This is a much more stable way to do it, does spring have anything similiar?

Answers


If you need this at the controller level, you could:

1) declare a java.security.Principal parameter in the controller method signature, which Spring will fill in with a Principal object, or

2) implement a PermissionEvaluator, which can be called on a controller method using the @PreAuthorize annotation, and which would have access to a Authentication object.


Need Your Help

Angular - Call function when all JS has been loaded

javascript angularjs oclazyload

I want to call a function when all my files (JS) are loaded (because I would like to call a function that's inside one of these files).

PRIMARY and INDEX keys for one FOREIGN column in MySQL

mysql foreign-keys primary-key

I used MySQL Workbench to prepare a database layout and exported it to my database using phpMyAdmin. When looking at one table, I got the following warning:

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.