A Practical Guide to Safely Obtaining Session Objects in Spring Framework

Keywords: Spring Security | Session Management | RequestContextHolder

Abstract: This article provides an in-depth exploration of how to properly obtain HttpSession objects within Spring Security authentication flows. By analyzing two core mechanisms—RequestContextHolder and SecurityContextHolder—it details best practices for accessing sessions in CustomAuthenticationProvider implementations. The discussion extends to Spring Session modules for enhanced session management, including clustered session support and container-neutral implementations.

Session Management in Spring Security Authentication Flow

In custom authentication provider implementations within Spring Security, developers often need to access the HttpSession object after successful user authentication. The following example illustrates this scenario using a typical CustomAuthenticationProvider:

public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider{
    @Override
    protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
                    throws AuthenticationException
    {
        System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"+usernamePasswordAuthenticationToken.isAuthenticated());
    }

    @Override
    protected UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication) throws AuthenticationException 
    {
        System.out.println("Method invoked : retrieveUser");
        // After authentication logic, access to Session object is required
    }
}

Using RequestContextHolder to Access Session

Spring Framework provides org.springframework.web.context.request.RequestContextHolder for safely obtaining the current request's session object:

public static HttpSession session() {
    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    return attr.getRequest().getSession(true); // true allows session creation
}

This approach relies on Spring MVC's DispatcherServlet to automatically initialize RequestContextHolder. When using alternative web frameworks, configure the org.springframework.web.filter.RequestContextFilter in web.xml.

Alternative Approach with SecurityContextHolder

While direct HttpSession manipulation is possible, Spring Security recommends using SecurityContextHolder for security-related session data:

public static UserDetails currentUserDetails(){
    SecurityContext securityContext = SecurityContextHolder.getContext();
    Authentication authentication = securityContext.getAuthentication();
    if (authentication != null) {
        Object principal = authentication.getPrincipal();
        return principal instanceof UserDetails ? (UserDetails) principal : null;
    }
    return null;
}

Spring Security automatically stores UserDetails objects in the session. Utilizing SecurityContextHolder avoids direct HttpSession operations, leveraging security features like session fixation protection.

Extended Support with Spring Session

The Spring Session module offers advanced session management capabilities, enabling HttpSession replacement in a container-neutral manner. Key features include:

Clustered session support independent of application containers
Session ID transmission via HTTP headers for RESTful API compatibility
HttpSession keep-alive during WebSocket message reception
Multiple backend storage options: Redis, relational databases, Hazelcast, MongoDB

Core modules include Spring Session Core for basic APIs, Spring Session Data Redis for Redis-backed SessionRepository, and other database-specific implementations.

Practical Recommendations and Best Practices

Within the retrieveUser method of CustomAuthenticationProvider, prioritize SecurityContextHolder for accessing user authentication details. If custom object storage in session is necessary, use:

@Override
protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) {
    // Execute user authentication logic
    UserDetails userDetails = ...;
    
    // Obtain session and store custom object
    HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes())
                        .getRequest().getSession();
    session.setAttribute("userObject", myUserObject);
    
    return userDetails;
}

Additionally, consider using Spring's session-scoped beans for session data management, leveraging dependency injection to handle session lifecycle automatically and reduce direct HttpSession manipulation.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.

Session Management in Spring Security Authentication Flow

Using RequestContextHolder to Access Session

Alternative Approach with SecurityContextHolder

Extended Support with Spring Session

Practical Recommendations and Best Practices

Cite this article