
A mechanism to reloading principal #3849

Closed
cemo opened this issue Apr 27, 2016 · 13 comments
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

@cemo

cemo commented Apr 27, 2016

What are the best practices for reloading the principal inside and outside (a cron application) of the application? This question originates from spring-projects/spring-session#398 (comment), and we have the same problem. We have some workarounds to mitigate the problem, but it would be awesome to have a solution in the first place.

@rwinch
Member

rwinch commented May 2, 2016

You would need to provide a custom SecurityContextRepository implementation.

@rwinch rwinch added for: stackoverflow A question that's better suited to stackoverflow.com status: waiting-for-feedback We need additional information before we can continue labels May 2, 2016
@cemo
Author

cemo commented May 2, 2016

Don't you think that this should be included in Spring Security?

@rwinch
Member

rwinch commented May 2, 2016

@cemo I'm not sure I agree it needs to be in Spring Security, but should be in Spring. Spring Session provides a good way of doing this.

@cemo
Author

cemo commented May 3, 2016

@rwinch I would be glad if you could expand a little bit on your statement. What should the approach be exactly?

@rwinch
Member

rwinch commented May 20, 2016

You can access the session and update the attribute to the updated principal.

@cemo
Author

cemo commented May 22, 2016

I was considering an abstraction to mark the user's security context as dirty, either via a session or another approach, and then reload it at the first request. How does it sound? Is it worth being included in Spring Security Core?

@rwinch
Member

rwinch commented May 23, 2016

How do you mark it as dirty? How do you reload the context?

@sambiomatters

@rwinch This issue actually prevents our use of Spring Security. We have done workarounds in the past, but it becomes very unwieldy to work around if you use any other AuthenticationTokens besides the UsernamePasswordAuthenticationToken. There really needs to be a way to reload the principal in an AuthenticationToken type-agnostic way.

A solution would be to let the user details and authorities be lazy loaded, or delegated. The issue now is that authorities are copied at login to the AuthenticationToken, so it is impossible to delegate access to those authorities to a database lookup.

@lglapinski

lglapinski commented Jun 21, 2017

@rwinch Is the good way of doing this that you mentioned better than the one presented here?

@IARI

IARI commented Jun 24, 2020

The issue mentioned by @lglapinski (and #849 plus several others linked there) all relate to Redis sessions.
Is it possible to achieve this with plain HTTP sessions as well?

@rwinch would a custom SecurityContextRepository be the way to go, and if so, can I just override HttpSessionSecurityContextRepository?

And if I have done so and instantiated it in my WebSecurityConfigurerAdapter, is it enough to register that as a bean? Does it need a special name?

@rwinch
Member

rwinch commented Jun 29, 2020

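You need to explicitly configure the repository:

```java
// Inside your WebSecurityConfigurerAdapter subclass
@Autowired
SecurityContextRepository securityContextRepository;

@Override
protected void configure(HttpSecurity http) throws Exception {
	http
		.securityContext()
			// Use the injected repository instead of the default one
			.securityContextRepository(securityContextRepository)
			.and()
		// ... remaining configuration elided in the original comment
		;
}
```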

You can find a complete sample here https://github.com/rwinch/spring-security-sample/tree/gh-3849
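
Added example, not part of the thread and not taken from the linked sample: one way a custom repository could refresh the principal on every request, so that authorities copied into the session at login stop being trusted once they are revoked in the user store. It assumes the Spring Security 5.x (`javax.servlet`) API, a `UserDetailsService` backed by the current user store, and a hypothetical class name; it rebuilds only `UsernamePasswordAuthenticationToken` and leaves other token types untouched.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical class (illustration only): reloads the user on each request.
public class ReloadingSecurityContextRepository extends HttpSessionSecurityContextRepository {

    private final UserDetailsService users;

    public ReloadingSecurityContextRepository(UserDetailsService users) {
        this.users = users;
    }

    @Override
    public SecurityContext loadContext(HttpRequestResponseHolder holder) {
        // Let the stock implementation read the context stored in the HTTP session.
        SecurityContext context = super.loadContext(holder);
        Authentication auth = context.getAuthentication();
        // Assumption: only this token type is rebuilt; anything else passes through as stored.
        if (!(auth instanceof UsernamePasswordAuthenticationToken)) {
            return context;
        }
        try {
            UserDetails fresh = users.loadUserByUsername(auth.getName());
            // Fail closed: a disabled, locked or expired account loses its session identity.
            if (!fresh.isEnabled() || !fresh.isAccountNonLocked() || !fresh.isAccountNonExpired()) {
                return SecurityContextHolder.createEmptyContext();
            }
            // Rebuild the token with the current authorities instead of the login-time copy.
            UsernamePasswordAuthenticationToken reloaded = new UsernamePasswordAuthenticationToken(
                    fresh, auth.getCredentials(), fresh.getAuthorities());
            reloaded.setDetails(auth.getDetails());
            context.setAuthentication(reloaded);
            return context;
        } catch (UsernameNotFoundException e) {
            // The user no longer exists in the store: treat the request as unauthenticated.
            return SecurityContextHolder.createEmptyContext();
        }
    }
}
```

This costs one user-store lookup per authenticated request, so the `UserDetailsService` behind it is usually cached with a short expiry.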

@rwinch rwinch added waiting-for-feedback status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-feedback We need additional information before we can continue waiting-for-feedback labels Dec 8, 2020
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Dec 15, 2020
@spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Dec 22, 2020
6 participants