
All times are UTC - 5 hours [ DST ]



 Post subject: Current user Problem
PostPosted: Tue May 04, 2004 3:09 pm 
Beginner

Joined: Tue Feb 10, 2004 8:22 am
Posts: 28
Hi,
I'm working in a J2EE Web project and dealing with the Framework base and Auth of the application.

I read some patterns about authentication and authorization but I couldn't solve a problem to set up the current user logged into the application.

Like a pattern, I tried to keep the current user in a ThreadLocal object, but it didn't work, because the same thread was used in different sessions with different users.

One good option is to keep the user in the web session, but that brings me another problem... how to load the user in session into the persistent classes?

Thanks.
Ricardo Costa

_________________
Ricardo K. Costa


 Post subject:
PostPosted: Tue May 04, 2004 3:18 pm 
CGLIB Developer

Joined: Thu Aug 28, 2003 1:44 pm
Posts: 1217
Location: Vilnius, Lithuania
Quote:
Like a pattern, I tried to keep the current user in a ThreadLocal object, but it didn't work, because the same thread was used in different sessions with different users.

It works without problems, but you need to set the ThreadLocal for each request; a good way to do it is to use a Filter:

Code:
threadLocalUser.set(session.getAttribute(CURRENT_USER));

or
Code:
threadLocalUser.set(request.getUserPrincipal());


Probably JAAS can help, but it is too complex for trivial things.


 Post subject:
PostPosted: Tue May 04, 2004 4:39 pm 
Beginner

Joined: Tue Feb 10, 2004 8:22 am
Posts: 28
So the problem could be that I'm just setting the thread local once... If it's already set I don't set it again.

Because the requests mix the information... probably the server uses the same thread for the different requests.

Thanks, I'll try it.

Ricardo Costa

_________________
Ricardo K. Costa
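
The set-once behaviour described in the post above and the per-request binding suggested earlier in the thread, side by side, as an added example that is not code from any poster. A single-thread executor stands in for the container's pooled request thread; the class and method names and the users alice and bob are constructed for illustration.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class CurrentUserDemo {
    // Per-thread holder for the current user, as discussed in the thread.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();

    // Stand-in for persistence-layer code that has no request object.
    static String whoAmI() {
        return CURRENT_USER.get();
    }

    // Set-once variant: binds only when the thread has no user yet.
    static String handleSetOnce(String sessionUser) {
        if (CURRENT_USER.get() == null) {
            CURRENT_USER.set(sessionUser);
        }
        return whoAmI();
    }

    // Filter-style variant: bind on every request, always unbind afterwards.
    static String handlePerRequest(String sessionUser) {
        CURRENT_USER.set(sessionUser);
        try {
            return whoAmI(); // chain.doFilter(request, response) in a real Filter
        } finally {
            CURRENT_USER.remove(); // the pooled thread goes back clean
        }
    }

    public static void main(String[] args) throws Exception {
        // One worker thread: the container reusing a thread for two sessions.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            String a1 = pool.submit(() -> handleSetOnce("alice")).get();
            String b1 = pool.submit(() -> handleSetOnce("bob")).get();
            System.out.println("set-once:    " + a1 + ", " + b1);
            // Clear the leftover binding before running the second variant.
            pool.submit(() -> { CURRENT_USER.remove(); return null; }).get();
            String a2 = pool.submit(() -> handlePerRequest("alice")).get();
            String b2 = pool.submit(() -> handlePerRequest("bob")).get();
            String idle = pool.submit(() -> whoAmI()).get();
            System.out.println("per-request: " + a2 + ", " + b2 + ", idle=" + idle);
        } finally {
            pool.shutdown();
        }
    }
}
```

On the reused thread the set-once variant answers alice for bob's request, while the per-request variant answers correctly and leaves nothing bound when the thread is idle. The `finally` block is what keeps one session's user from being visible to the next request served by the same thread.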


 Post subject: Re: Current user Problem
PostPosted: Tue May 04, 2004 4:50 pm 
Regular

Joined: Mon Oct 06, 2003 1:59 am
Posts: 52
rkcosta wrote:
Hi,
I'm working in a J2EE Web project and dealing with the Framework base and Auth of the application.

I read some patterns about authentication and authorization but I couldn't solve a problem to set up the current user logged into the application.

Like a pattern, I tried to keep the current user in a ThreadLocal object, but it didn't work, because the same thread was used in different sessions with different users.

One good option is to keep the user in the web session, but that brings me another problem... how to load the user in session into the persistent classes?

Thanks.
Ricardo Costa


Basically a J2EE Web app stores the Principal within the HttpRequest only when you are in a secure context. Read this article about the matter. This is the case if you use Tomcat 4. I have not tried Tomcat 5.x. I haven't tried other web containers, but I guess this is rather a fact in the Servlet world (you can only authenticate by forms or via basic in the real world, and so you have to use either declarative security or JAAS).

You can easily check your situation by

Code:
assert request.getUserPrincipal() != null;


(if you are using JSDK 1.4, of course, and enable assertions)

If Declarative Security is not an option you have to use JAAS to sign on your user to the WebContainer (and the EJB Container if used in conjunction). This normally means writing your own login module in which you have to check all credentials (login, password) against the database using Hibernate. And then you have to store the Principal and, if necessary, the role in the HttpSession. In some cases the web container may catch the principal from JAAS and add it to all requests done in the started HTTP session, but this is not the case for Tomcat 4.1 as far as I know.
If you have a web framework you have to extract the login and password data directly and pass them to the JAAS Login Module, which can be based on top of Hibernate.

_________________
"Wisest of the Maia was Ol


 Post subject:
PostPosted: Tue May 04, 2004 11:00 pm 
Hibernate Team

Joined: Tue Aug 26, 2003 3:00 pm
Posts: 1816
Location: Austin, TX
The webapp based filter managing the thread local certainly does work (I have used that approach numerous times).

The new thing I like doing is to have an interface named UserResolver with different implementations based on the context in which my code is running. Any classes which need to know about the currently executing user get a reference to the implementation of this interface through IoC (using Spring or whatever). The cool part about this approach? It's easy to swap out how the current user should be obtained without changing any of the code dependent upon knowing the current user.

The reason I even started doing this is because I realized that most of the time my code is running inside a container and these containers already have hooks to manage the currently executing user as well as hooks for app code to query who the current user is. So why manage this redundantly myself?


Anyway, it has worked well for me.
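
A sketch of the UserResolver idea from the post above, as an added example that is not the poster's or Hibernate's code. Only the interface name comes from the post; the two implementations, the `AuditStamper` consumer, the fail-closed check and the sample users are assumptions made for illustration, with plain constructor injection standing in for an IoC container.

```java
import java.util.Objects;

public class UserResolverDemo {
    /** Single seam through which code learns who the current user is. */
    interface UserResolver {
        String currentUser(); // null when nobody is authenticated
    }

    /** Web context: reads what a per-request filter bound to the thread. */
    static final class ThreadBoundUserResolver implements UserResolver {
        private static final ThreadLocal<String> BOUND = new ThreadLocal<>();
        static void bind(String user) { BOUND.set(user); }
        static void unbind() { BOUND.remove(); }
        public String currentUser() { return BOUND.get(); }
    }

    /** Batch or test context: a fixed, explicitly configured identity. */
    static final class FixedUserResolver implements UserResolver {
        private final String user;
        FixedUserResolver(String user) { this.user = Objects.requireNonNull(user); }
        public String currentUser() { return user; }
    }

    /** Persistence-side collaborator: no request object, only the resolver. */
    static final class AuditStamper {
        private final UserResolver resolver;
        AuditStamper(UserResolver resolver) { this.resolver = resolver; }

        String stamp(String entityName) {
            String user = resolver.currentUser();
            if (user == null) { // fail closed instead of recording an anonymous write
                throw new IllegalStateException("no authenticated user for " + entityName);
            }
            return entityName + " modifiedBy=" + user;
        }
    }

    public static void main(String[] args) {
        AuditStamper batch = new AuditStamper(new FixedUserResolver("nightly-job"));
        System.out.println(batch.stamp("Invoice#1"));

        AuditStamper web = new AuditStamper(new ThreadBoundUserResolver());
        ThreadBoundUserResolver.bind("alice");
        try { System.out.println(web.stamp("Invoice#2")); }
        finally { ThreadBoundUserResolver.unbind(); }

        try { web.stamp("Invoice#3"); } // nothing bound any more
        catch (IllegalStateException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```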


 Post subject:
PostPosted: Wed May 05, 2004 8:33 am 
Beginner

Joined: Tue Feb 10, 2004 8:22 am
Posts: 28
I could get the user through "request.getUserPrincipal()", this would work for me... but I don't know how to get the user in my persistent classes.

I can't have the object Request in all my persistent classes. My solution was to set a ThreadLocal with the current user in the User.java, and implement a static User.getCurrentUser().

I can't see any other way...

Thanks.

_________________
Ricardo K. Costa

