21

Is there any way under spring 3.0 to access the HttpSession without including it in the method signature? What I really want to do is be able to pass in values from an HttpSession that CAN BE null.

Something like this:

@RequestMapping("/myHomePage")
public ModelAndView show(UserSecurityContext ctx) {}

instead of this:

@RequestMapping("/myHomePage")
public ModelAndView show(HttpSession session) {
      UserSecurityContext ctx = (UserSecurityContext) session.getAttribute("userSecurityCtx");
}
skaffman
  • 398,947
  • 96
  • 818
  • 769
Mark
  • 837
  • 2
  • 9
  • 19
  • 1
    related: http://stackoverflow.com/questions/3621266/how-to-pass-a-session-attribute-as-method-argument-parameter-with-spring-mvc – Bozho Sep 01 '10 at 19:12
  • Here's Spring ticket [#SPR-4452](https://jira.springsource.org/browse/SPR-4452) for it. Upvote ticket for faster resolution. – Johan Sjöberg Sep 07 '11 at 12:18

3 Answers3

25

The @SessionAttribute annotation mentioned by @uthark is not suitable for this task - I thought it was too, but a bit of reading shows otherwise:

Session attributes as indicated using this annotation correspond to a specific handler's model attributes, getting transparently stored in a conversational session. Those attributes will be removed once the handler indicates completion of its conversational session. Therefore, use this facility for such conversational attributes which are supposed to be stored in the session temporarily during the course of a specific handler's conversation.

For permanent session attributes, e.g. a user authentication object, use the traditional session.setAttribute method instead. Alternatively, consider using the attribute management capabilities of the generic WebRequest interface.

In other words, @SessionAttribute is for storing conversation MVC-model objects in the session (as opposed to storing them as request attributes). It's not intended for using with arbitrary session attributes. As you discovered, it only works if the session attribute is always there.

I'm not aware of any other alternative, I think you're stuck with HttpSession.getAttribute()

skaffman
  • 398,947
  • 96
  • 818
  • 769
  • I actually ended up using part of @uthark solution. To guard against exceptions caused by a null user context object, I put a ServletFilter in front to make sure it was populated. I'm ok with this solution for this particular workflow but it does seem weird that you can't handle a null value yourself instead of Spring dealing with it for you. Thanks everyone for the help and insight. – Mark Feb 06 '10 at 20:26
  • @skaffman Is there a reason the documents don't come right out and say controller instead of using the term `handler`? – Kevin Bowersox May 26 '16 at 00:15
8

You can use a RequestContextHolder:

class SecurityContextHolder {
    public static UserSecurityContext currentSecurityContext() {
        return (UserSecurityContext) 
            RequestContextHolder.currentRequestAttributes()
            .getAttribute("userSecurityCtx", RequestAttributes.SCOPE_SESSION));
    }
}
...
@RequestMapping("/myHomePage")           
public ModelAndView show() {           
    UserSecurityContext ctx = SecurityContextHolder.currentSecurityContext();
}

For cross-cutting concerns such as security this approach is better because you doesn't need to modify your controller signatures.

axtavt
  • 239,438
  • 41
  • 511
  • 482
  • I kind of like this solution also. It's somewhat similar to a ThreadLocal pattern. Thanks! – Mark Feb 07 '10 at 17:41
5

Yes, you can.

@SessionAttributes("userSecurityContext")
public class UserSecurityContext {
}

@RequestMapping("/myHomePage")
public String show(@ModelAttribute("userSecurityContext") UserSecurityContext u) {
    // code goes here.
}

See for details:

  1. http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/bind/annotation/SessionAttributes.html

  2. http://static.springsource.org/spring/docs/3.0.x/javadoc-api/org/springframework/web/bind/annotation/ModelAttribute.html

uthark
  • 5,333
  • 2
  • 43
  • 59
  • Thanks for the response. I'm adding my security context initially with session.putAttribute(). When I try your code, the context object is null. – Mark Feb 06 '10 at 18:07
  • 3
    Sorry, this did end up working when I added @SessionAttributes("userSecurityContext") to the controller. Simply adding it to the actual UserSecurityContext pojo didn't do anything for me. However an exception is thrown from Spring when the attribute is null which is what I'm trying to avoid. org.springframework.web.HttpSessionRequiredException: Session attribute 'userSecurityContext' required - not found in session – Mark Feb 06 '10 at 18:51
  • @Mark If this answer is not appropriate, please move the accepted flag (or remove it), as suggested by the answer below (by *skaffman*). This is misleading as many people read only the accepted answer. (just read your comment below - your call!) – Déjà vu Feb 02 '11 at 09:02