
We are developing a web application, we're using Spring MVC (along with Spring Boot and Spring Security) and AngularJS. Therefore, we have two distinct servers running for the application.

We are trying to store the user session on the backend, to ensure a proper level of security, so we tried to use the HttpSession object, but every time we want to retrieve the existing session, a new instance is created (we've checked the session ids).

Here's what we're doing to log in:

$scope.authenticate = function () {

  // Credentials are posted as JSON; this Content-Type is what makes the browser
  // send a CORS preflight (OPTIONS) before the POST reaches the Spring side.
  var postObject = {};
  postObject.mail = $scope.userName;
  postObject.password = $scope.userPassword;

  $http({
    url: "http://localhost:8080/login",
    method: "POST",
    data: postObject,
    headers: {
      "Content-Type": "application/json"
    }
  }).success(function successCallback(response, status) {
      if (status == 200) {
        $scope.messageAuth = "Login successful";
        $scope.go('/services');
      }
    })
    .error(function errorCallback(error, status) {
        // `response` is not in scope in the error callback; report what we actually have.
        $scope.messageAuth = "Error " + status + ": " + error;
    });
};

Then we check the credentials and, if they are correct, store the user information in a new session:

import java.security.Principal;

import javax.annotation.Resource;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    @Resource
    UserService userService;

    @CrossOrigin
    @RequestMapping(value = "/login", method = RequestMethod.POST, produces = "application/json")
    public ResponseEntity<User> loginSubmit(@RequestBody User user, HttpServletRequest request, HttpSession session) {
        if (isAuthorized(user)) {
            User authenticatedUser = this.userService.getUserByMail(user.getMail());
            authenticatedUser.setPassword(null); // never send the stored password back to the client

            // Rotate the session id on login so an id handed out before authentication cannot be fixated.
            session.invalidate();
            HttpSession newSession = request.getSession(true);
            newSession.setAttribute("USER_ROLE", authenticatedUser.getRole());

            System.out.println("/login : SESSION ID = " + newSession.getId());
            System.out.println("/login : " + newSession.getAttribute("USER_ROLE"));

            return ResponseEntity.ok(authenticatedUser);
        } else {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body(null);
        }
    }

    @RequestMapping("/user")
    public String user(Principal user, HttpServletRequest request, HttpSession session) {
        System.out.println("/user : SESSION ID = " + session.getId());
        // Read from the injected session: request.getSession(false) returns null when the
        // request carries no valid JSESSIONID cookie, which would throw here.
        System.out.println("/user : " + session.getAttribute("USER_ROLE"));
        return (String) session.getAttribute("USER_ROLE");
    }
}

And finally, from the Angular app, we'd like to get the user information by calling /user like this:

var f = function() {
    $http.get('http://localhost:8080/user').success(function successCallback(response) {
      console.log(response);
    }).error(function() {
      console.log('error');
    });
};

We've already tried pretty much everything we found about how to manage a session with Spring Security; maybe the problem comes from the Angular part?

Any help would be greatly appreciated,

Thanks in advance

  • You aren't using Spring Security you are actually working around it... Commented Jun 1, 2016 at 9:42
  • Thanks for the feedback, and you think it is part of the problem? We should be able to use HttpSession anyway, right? Commented Jun 1, 2016 at 9:55
  • If you use Spring Security and use the defaults, /login is intercepted by Spring Security and your controller doesn't do anything. There should be nothing preventing you from using an HttpSession (we use a similar setup on my current project). Commented Jun 1, 2016 at 10:11
  • I tried to change /login to /authent, same result. It doesn't seem to be related to Spring Security, because when I disable it, the problem persists (still new instances of HttpSession). Commented Jun 1, 2016 at 11:26

1 Answer

We found the solution; we just needed to add a few config lines to our app.js file:

$httpProvider.defaults.useXDomain = true;
$httpProvider.defaults.withCredentials = true;

More information here: link

Hopefully it will help someone, someday!
