Java – What’s the “principal” in Spring Security

javaspringspring-security

I'm really new to Spring and Spring Security. I was reading about Spring Security and it came out the concept of principal, which should be the current logged user. But what if we have more than one current logged user? So, my question is, what exactly is then the principal in spring security?

I've read for example this tutorial:

http://www.mkyong.com/spring-security/get-current-logged-in-username-in-spring-security/

and they seem to take into account that there's just one current logged user, which isn't often the case.

How do I retrieve a specific user? And how do I differentiate between users that are doing requests?

Best Answer

The principal is the currently logged in user. However, you retrieve it through the security context which is bound to the current thread and as such it's also bound to the current request and its session.

SecurityContextHolder.getContext() internally obtains the current SecurityContext implementation through a ThreadLocal variable. Because a request is bound to a single thread this will get you the context of the current request.

To simplify you could say that the security context is in the session and contains user/principal and roles/authorities.

How do I retrieve a specific user?

You don't. All APIs are designed to allow access to the user & session of the current request. Let user A be one of 100 currently authenticated users. If A issues a request against your server it will allocate one thread to process that request. If you then do SecurityContextHolder.getContext().getAuthentication() you do so in the context of this thread. By default from within that thread you don't have access to the context of user B which is processed by a different thread.

And how do I differentiate between users that are doing requests?

You don't have to, that's what the Servlet container does for you.

Related Solutions

Java – What are the differences between a HashMap and a Hashtable in Java

There are several differences between HashMap and Hashtable in Java:

Hashtable is synchronized, whereas HashMap is not. This makes HashMap better for non-threaded applications, as unsynchronized Objects typically perform better than synchronized ones.
Hashtable does not allow null keys or values. HashMap allows one null key and any number of null values.
One of HashMap's subclasses is LinkedHashMap, so in the event that you'd want predictable iteration order (which is insertion order by default), you could easily swap out the HashMap for a LinkedHashMap. This wouldn't be as easy if you were using Hashtable.

Since synchronization is not an issue for you, I'd recommend HashMap. If synchronization becomes an issue, you may also look at ConcurrentHashMap.

Java – When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean

If you are using Spring 3, the easiest way is:

 @RequestMapping(method = RequestMethod.GET)   
 public ModelAndView showResults(final HttpServletRequest request, Principal principal) {

     final String currentUser = principal.getName();

 }

Best Answer

Related Solutions

Java – What are the differences between a HashMap and a Hashtable in Java

Java – When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean

Related Topic