Get Authentication Object using sessionid in SpringSession

Question

Get Authentication Object using sessionid in SpringSession

195 Views Asked by masty At 11 October 2023 at 10:23

in a springboot application with Basic Authentication I'm trying to authorize requests getting the sessionID from the url in the format ";jsessionid=xxx" I know that that's not a good practice to put session in URI but it's a requirement.

I'm using Spring-session-jdbc.

I tryed to make a filter named JSessionIDFilter

 http
      .addFilterBefore(new JSessionIDFilter(), UsernamePasswordAuthenticationFilter.class)

In the filter:

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
            
            // Get sessionID from URI
            String requestURI = request.getRequestURI();
            String sessionID = "";
            int index = requestURI.indexOf(";jsessionid=");
            if (index >= 0)
            {
                sessionID = requestURI.substring(index+12);
                
                //If session ID is valid I would like to retrive the Authentication by sessionid and associate to the current request
                Authentication authentication = ....
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
    }

Original Q&A

There are 1 best solutions below

**masty** · Answer 1 · 2023-10-13T10:32:27.427000

After some research I found a solution to my problem I would share:

I haven't used filter but I create a different custom HttpSessionIdResolver in the SpringBoot configuration:

@Bean
public HttpSessionIdResolver httpSessionIdResolver() {
    return new CustomCookieAndHeaderHttpSessionIdResolver();
}

Here is the new class:

public class CustomCookieAndHeaderHttpSessionIdResolver implements HttpSessionIdResolver {

    CookieHttpSessionIdResolver cookieHttpSessionIdResolver = new CookieHttpSessionIdResolver();
    
    @Override
    public List<String> resolveSessionIds(HttpServletRequest request) {

        List<String> myList = cookieHttpSessionIdResolver.resolveSessionIds(request);
        String requestURI = request.getRequestURI();

        String sessionFromUri = "";
        if(myList.size() == 0)
        {
            int index = requestURI.indexOf(";jsessionid=");
            if (index >= 0)
            {   
                sessionFromUri = requestURI.substring(index+12);
                byte[] decodedBytes = Base64.getDecoder().decode(sessionFromUri);
                String sessionFromUri_Guid = new String(decodedBytes);
                myList.add(sessionFromUri_Guid);
            }
        }

        return myList;
    }

    @Override
    public void setSessionId(HttpServletRequest request, HttpServletResponse response, String sessionId) {
        this.cookieHttpSessionIdResolver.setSessionId(request, response, sessionId);
    }

    @Override
    public void expireSession(HttpServletRequest request, HttpServletResponse response) {
        this.cookieHttpSessionIdResolver.expireSession(request, response);
    }
}

Get Authentication Object using sessionid in SpringSession

There are 1 best solutions below

Related Questions in SPRING-BOOT

Related Questions in SPRING-SESSION

Related Questions in JSESSIONID

Trending Questions

Popular # Hahtags

Popular Questions