security concepts.
I have used Spring MVC with Thymeleaf as the view technology and enabled Spring Security by extending WebSecurityConfigurerAdapter.
I have two tables in the db:
User and VerificationToken.
A user can log in with social login or custom login.
After successfully logging in, the user is redirected to a dashboard page.
Until now I don't show the user id in the URL.
In fact I use a controller class with a @ModelAttribute method that checks whether the user is logged in or not with SecurityContextHolder.getContext().getAuthentication().getName(),
then this method checks whether this name exists in the database and whether its token in the database is expired or not.
Then I use this user object in the other @RequestMapping methods to check if the user object is null or not.
If the user is null, redirect to 403 or the login page.
And if the user is not null, let the method continue.
Is this scenario correct?
I think Spring Security manages this scenario automatically; you just need to add a filter chain for managing the verification token, you can see this mkyong.com link.
No need to check for a null user, the Spring Security filter will handle this.
As guys already said, Spring Security already does that for you. Let me explain in more detail. The backbone of all interactions with your app is the Servlet. Spring uses "jsessionid" to distinguish connected clients (another word, to not use "user"), in other words to distinguish HTTP sessions. Another layer of your app is the database and the User, Role, UserRole entities. Spring Security maps the jsessionid (for the most simple case; any other thing may also be used, like a token) to the actual User+Role from the db, and applies access rules (expressed with Spring Security filters). This mechanism already performs what you are trying to achieve by storing the userid in the HTTP session or in views. I see that you have a "dashboard" page and assume that you are building an SPA app. Try googling "spring security spa" or "spring security rest", this is another topic.
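To make the answers concrete, here is an added example (not code from the asker or the answerers) of moving the "is the user logged in and is the token still valid" check out of the controllers and into the Spring Security filter chain, where an expired VerificationToken is mapped to a disabled account so that the login itself fails rather than a controller testing for null. Assumed and hypothetical: the UserRepository and VerificationTokenRepository beans, their findByEmail/findByUser finders, the getEmail/getPassword/getExpiryDate getters, a BCrypt-hashed password column, and the /registration/** path; social login is left out.

```java
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final UserRepository users;               // hypothetical repository for User
    private final VerificationTokenRepository tokens; // hypothetical repository for VerificationToken
    public SecurityConfig(UserRepository users, VerificationTokenRepository tokens) {
        this.users = users;
        this.tokens = tokens;
    }

    // Access rules live in the filter chain: an anonymous request to /dashboard is
    // redirected to /login before any controller runs, so no null check is needed there.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/", "/login", "/registration/**").permitAll()
                .anyRequest().authenticated()
            .and().formLogin();
    }

    // The user/token lookup runs once, at login, inside Spring Security. An expired
    // token marks the account disabled, so authentication fails with a normal login
    // error instead of the dashboard controller seeing a null user.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(username -> {
            User u = users.findByEmail(username)                       // assumed finder (Optional)
                    .orElseThrow(() -> new UsernameNotFoundException(username));
            VerificationToken t = tokens.findByUser(u);                // assumed finder (nullable)
            boolean expired = t == null || t.getExpiryDate().getTime() < System.currentTimeMillis();
            return org.springframework.security.core.userdetails.User
                    .withUsername(u.getEmail()).password(u.getPassword()) // BCrypt hash in DB (assumed)
                    .roles("USER").disabled(expired).build();
        }).passwordEncoder(new BCryptPasswordEncoder());
    }
}

@Controller
class DashboardController {
    @GetMapping("/dashboard")
    public String dashboard(@AuthenticationPrincipal UserDetails me) { // never null on this route
        return "dashboard";
    }
}
```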