Spring MVC3 @SessionAttributes and @ModelAttribute will automatically get value from request
I am trying to develop a Spring MVC application, now I have a question. On successful login, I add a User object to the session and call http://localhost:8080/user
to get the user of the session. Everything is all right here. But if I name the url like this http://localhost:8080/user?username=testuser
then the username of the user's session changes to testuser. What should I do to just get the current user out of the session?
Code below
Entity:
@Entity
public class User {
private Long id;
private String username;
// ...Getter and Setter...
}
Controller:
@Controller
@RequestMapping("user")
@SessionAttributes("current_user")
public class UserController {
@RequestMapping(method=RequestMethod.GET)
@ResponseBody
public User testSession(@ModelAttribute("current_user") User user) {
return user;
}
}
Answer http://localhost:8080/user
[{"id":1,"username":"aaa111"}]
Answer http://localhost:8080/user?username=testuser
; it should be the same as above but
[{"id":1,"username":"testuser"}]
source to share
Annotation is @SessionAttributes
not intended for this. Its purpose is to store objects in session during HTTP requests. Imagine a long database call to fetch an object that you don't want to fetch that object every time, but maybe reuse an existing one. The object should be used like @ModelAttribute
this annotation indicates that you want to use this object for binding (i.e. you have a form to change the attributes of an object). When you're done editing the object, you must do so by calling setComplete()
on the object SessionStatus
. See also here .
You want to keep the object in session and retrieve it when you need it. To do this, use the HttpSession
usual way of calling setAttribute
and getAttribute
. To get the current one HttpSession
, you can simply add an argument to the type method HttpSession
and it will be injected for you. (See here for a list of supported method arguments).
public void myRequestHandlingMethod(HttpSession session) {
User currentUser = (User) session.getAttribute("currentUser");
}
Or, since you are already using Spring, you can use WebUtils
for convenience. You can use methods getSessionAttribute
or getRequiredSessionAttribute
to get the value from the session.
public void myRequestHandlingMethod(HttpServletRequest request) {
User currentUser = (User) WebUtils.getSessionAttribute("currentUser", request)
}
Another solution would be extending Spring MVC. Spring MVC uses HandlerMethodArgumentResolver
to handle all different types of method arguments. This mechanism is connected. You can create an annotation @CurrentUser
and create CurrentUserHandlerMethodArgumentResolver
one that will fetch the user from the session and inject it at that location. Then you can simply add your current user to your method signature.
public void myRequestHandlingMethod(@CurrentUser User user) { ... }
Configure custom argument arguments
<mvc:annotation-driven>
<mvc:argument-resolvers>
<bean class="com.yourcomponany.app.web.CurrentUserHandlerMethodArgumentResolver />
</mvc:argument-resolvers>
</mvc:annotation-driven>
It also looks like you are creating your own security system, which I would recommend. I would suggest Spring Security instead . The advantage of this is that it provides an integration with the Servlet API, allowing you to retrieve the current one Principal
, either yourself or (t220>), or simply by adding a type method argument java.security.Principal
. It also comes with a custom HandlerMethodArgumentResolver
one that lets you get the current Spring Security bean Authentication
.
source to share
try to get session value in controller from servlet request like below
@Controller
@RequestMapping("user")
@SessionAttributes("current_user")
public class UserController{
@RequestMapping(method=RequestMethod.GET)
@ResponseBody
public User testSession(HttpServletRequest request){
//false means do not create new session
HttpSession session = request.getSession(false);
return session != null?session.getAttribute("current_user"):null;
}
}
source to share