How to ensure the user is logged into the system at the controller level?

I'm using spring MVC, and I have a custom authentication/security system that I had to build.

NOTE: I know of Spring Security, but my requirements were to do this in a custom way, so please, I'm not looking for suggestions about using Spring's security modules.

When the user logs into the system, it creates a session cookie. When the user visits a page, an interceptor looks for the existence of that cookie and looks up the session GUID in MySQL; if it is present, it loads some data and stores it in the request's attributes.

Now for pages where the user has to be logged in, how can I restrict access at the controller level?

I could do this in an interceptor:

if url.contains("projects/") ...

if I wanted to restrict access to only logged-in users in the ProjectController, but this isn't really something I want to do.

But I am looking for maybe an annotation I could add at the controller level, or maybe somehow create a BaseController that all controllers that require a logged-in user will inherit from.

What are my options for something like this?

In ASP.NET, I created a baseController, and the controller has an event cycle, and in the before-action fired event I checked to see if the user was logged in.

So, I'm looking for suggestions for Spring MVC?

Update

For example, in ASP.NET you have 2 methods, 1 that fires just before the controller's action method and one that fires after:

Controller.OnActionExecuting 
Controller.OnActionExecuted

http://msdn.microsoft.com/en-us/library/system.web.mvc.controller.onactionexecuting.aspx

So in the OnActionExecuting, I can actually see exactly which controller I am in and which action is about to get called in a programmatic way, not by looking at the request URL and then doing string compares to see if it is a particular controller, etc.

So in this event, I can simply check for things in cookies or in my request attributes etc.

This is a much more stable way to do it; does Spring have anything similar?

Answers


If you need this at the controller level, you could:

1) declare a java.security.Principal parameter in the controller method signature, which Spring will fill in with a Principal object, or

2) implement a PermissionEvaluator, which can be called on a controller method using the @PreAuthorize annotation, and which would have access to an Authentication object.


Similar to what you did in ASP.NET, you can take advantage of OncePerRequestFilter and add it to the chain of filters you have in web.xml or the Spring application context. The good point about this filter is that it's independent of the MVC approach that you take, and there's no need for a "base controller".

On the other hand, if you're also using Spring security module, you can use a custom filter configuration and place it in the correct place that it should be.

If the check fails, then you'd probably want to raise an exception or redirect the user to the correct navigation.

Based on the last comment, you can also use mapped interceptors:

<mvc:interceptors>
    <mvc:interceptor>
        <!-- the mapping element lives in the mvc namespace as well -->
        <mvc:mapping path="/myFirstPath/*"/>
        <mvc:mapping path="/mySecondPath/*"/>
        <bean class="org.example.SomeInterceptor" />
    </mvc:interceptor>
    <!-- further <mvc:interceptor> elements go here; a bare <bean> applies to every request -->
</mvc:interceptors>
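Putting the mapped-interceptor idea together with the asker's wish to know the controller and action programmatically rather than by URL string matching: the example below is added here and is not code from the question or either answer. It assumes Spring 3.1+ (where the handler passed to preHandle is a HandlerMethod for annotated controllers), a hypothetical @RequiresLogin annotation, and that the asker's existing session interceptor stores the loaded user under a request attribute named "currentUser".

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// Hypothetical marker annotation: put it on a controller class or on a single action.
@Target({ElementType.TYPE, ElementType.METHOD})
@Retention(RetentionPolicy.RUNTIME)
@interface RequiresLogin {}

public class LoginRequiredInterceptor extends HandlerInterceptorAdapter {
    // Assumption: the session-lookup interceptor sets this attribute when the
    // session GUID from the cookie was found in MySQL.
    static final String USER_ATTR = "currentUser";

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws Exception {
        if (!(handler instanceof HandlerMethod)) {
            return true; // static resources etc.: nothing to enforce here
        }
        HandlerMethod hm = (HandlerMethod) handler;
        // Decide from the target controller/action itself, not from the URL:
        // an annotation on the action or on the controller class (or its parents).
        boolean required = hm.getMethodAnnotation(RequiresLogin.class) != null
                || AnnotationUtils.findAnnotation(hm.getBeanType(), RequiresLogin.class) != null;
        if (!required || request.getAttribute(USER_ATTR) != null) {
            return true; // public page, or a logged-in user: let the action run
        }
        // Fail closed: stop the handler chain and send the user to the login page.
        // An API client would usually get response.sendError(401) instead.
        response.sendRedirect(request.getContextPath() + "/login");
        return false;
    }
}
```

Register it as a bare `<bean>` inside `<mvc:interceptors>` after the session-lookup interceptor, so the request attribute is already populated when preHandle runs; the annotation then decides per controller or action, with no path list to keep in sync.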
