
I need to take the username from my JSP page once the user is authenticated, put it into the HTTP session, and then use that username in an SQL query to get the user's info!

Here is my login.JSP page

    <%@taglib uri="http://www.springframework.org/tags/form" prefix="form"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@page language="java" session="true" %>
<%--
  Login view. Renders a username/password form that posts to
  j_spring_security_check and shows the status text passed in as the
  "message" model attribute.
--%>
<html>
<head>
<title>Login </title>
</head>
<body>

        <br /> <br /> <br />
        <div style="border: 1px solid black; width: 300px; padding-top: 10px;">
            <%--
              ${message} is EL in template text, so it is written into the page
              without HTML escaping. If the message is ever built from request
              data, output it through the JSTL core taglib declared above:
              <c:out value="${message}" />.
            --%>
            <br /> Please enter your username and password to login ! <br /> <span
                style="color: red">${message}</span> <br />
            <form:form method="post" action="j_spring_security_check"
                modelAttribute="users">
                <table>
                    <tr>
                        <td>Username:</td>
                        <td><form:input type="text" path="username" /></td>
                    </tr>
                    <tr>
                        <td>Password:</td>
                        <%--
                          NOTE(review): form:input renders any bound value into the
                          value attribute; <form:password> leaves the password out of
                          the markup by default and is the usual tag for this field.
                        --%>
                        <td><form:input path="password" type="password" /></td>
                    </tr>
                    <tr>
                        <td>&nbsp;</td>
                        <td><input type="submit" /></td>
                    </tr>
                </table>
            </form:form>
        </div>


</body>
</html>

Here is my login controller

    package com.vandh.app.controller;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.servlet.ModelAndView;

import com.vandh.app.models.Users;


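/**
 * MVC controller for the home, login, admin and access-denied views.
 *
 * <p>The controller only selects views. Credential checking is not done here:
 * the login form posts to {@code j_spring_security_check}.
 */
@Controller
public class LoginController {

    /**
     * Serves the landing page for {@code /} and {@code /home}.
     *
     * @return the logical view name {@code "home"}
     */
    @RequestMapping(value = { "/", "/home" })
    public String getUserDefault() {
        return "home";
    }

    /**
     * Shows the login form together with an optional status message.
     *
     * @param users  form-backing object populated from the request; it is not read here
     *               (presumably it backs the form's {@code modelAttribute="users"} - confirm)
     * @param error  present when the request carries an {@code error} parameter
     * @param logout present when the request carries a {@code logout} parameter
     * @return the {@code "login"} view with a {@code message} model attribute
     */
    @RequestMapping("/login")
    public ModelAndView getLoginForm(
            @ModelAttribute Users users,
            @RequestParam(value = "error", required = false) String error,
            @RequestParam(value = "logout", required = false) String logout)
    {
        // Only the presence of the parameters is tested; their values are never
        // copied into the message, so the view receives one of these fixed strings.
        String message = "";
        if (error != null) {
            message = "Incorrect username or password !";
        } else if (logout != null) {
            message = "Logout successful !";
        }

        return new ModelAndView("login", "message", message);
    }

    /**
     * Serves the admin page.
     *
     * <p>NOTE(review): nothing in this method restricts who may call it; access
     * control for {@code /admin**} has to come from the security configuration,
     * which is not visible here - confirm it covers this pattern.
     *
     * @return the logical view name {@code "admin"}
     */
    @RequestMapping("/admin**")
    public String getAdminProfile() {
        return "admin";
    }

    /**
     * Renders the access-denied page, naming the current user when there is one.
     *
     * <p>The username is taken from the server-side security context rather than
     * from anything the browser sends, so the client cannot choose it. The same
     * lookup is available to any other handler that needs the authenticated
     * username.
     *
     * @return the {@code "403"} view with a {@code username} model attribute, which is
     *         empty for anonymous or unauthenticated requests
     */
    @RequestMapping("/403")
    public ModelAndView getAccessDenied() {
        Authentication auth = SecurityContextHolder.getContext()
                .getAuthentication();
        String username = "";
        // The context may hold no Authentication at all, and the principal is not
        // guaranteed to be a UserDetails (it can be a plain String), so neither is
        // dereferenced or cast without a check.
        if (auth != null && !(auth instanceof AnonymousAuthenticationToken)) {
            Object principal = auth.getPrincipal();
            if (principal instanceof UserDetails) {
                username = ((UserDetails) principal).getUsername();
            } else {
                username = auth.getName();
            }
        }

        return new ModelAndView("403", "username", username);
    }
}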

Here is my DAO method

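    @Repository("loginDao")
public class LoginDaoImpl implements LoginDao {
    // NOTE(review): a static field is shared by every request and every user, so it
    // is not a safe place to keep the logged-in user's name. Nothing in this class
    // reads or writes it.
    public static String nick;
    @Autowired
    SessionFactory sessionFactory;
    //public String userLogIn; // checking username in auth. process

    /**
     * Looks up a user by primary key (the username).
     *
     * <p>The session and transaction are local variables: the repository is a shared
     * bean, and keeping them in instance fields let concurrent lookups overwrite each
     * other's session and transaction. The session is always closed, and the
     * transaction is rolled back when the lookup fails.
     *
     * <p>{@code get} is used instead of {@code load} so that a fully read entity (or
     * {@code null}) is returned rather than a lazy proxy, which could not be
     * initialized once the session is closed.
     *
     * @param username the identifier of the {@code Users} row to read
     * @return the matching user, or {@code null} when no row has that identifier
     */
    @Override
    public Users findByUserName(String username) {
        Session session = sessionFactory.openSession();
        Transaction tx = null;
        try {
            tx = session.beginTransaction();
            Users user = (Users) session.get(Users.class, username);
            tx.commit();
            return user;
        } catch (RuntimeException e) {
            if (tx != null) {
                tx.rollback();
            }
            throw e;
        } finally {
            session.close();
        }
    }
}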

I need to put username into SQL query in the userInfo method!

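   @Repository("usersDao")
public class UsersDaoImpl implements UsersDao {

    @Autowired
    private SessionFactory sessionFactory;

    /** @return the Hibernate session factory used by this DAO */
    public SessionFactory getSessionFactory() {
        return sessionFactory;
    }

    /** @param sessionFactory the Hibernate session factory this DAO should use */
    public void setSessionFactory(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    /**
     * Reads the {@code users} rows whose username matches the given value.
     *
     * <p>The username is bound as a named parameter instead of being formatted into
     * the SQL text, so quotes or other SQL syntax inside it are treated as data and
     * cannot change the statement.
     *
     * <p>NOTE(review): the comparison is still {@code LIKE}, so {@code %} and
     * {@code _} in the username act as wildcards and can match other users' rows.
     * If an exact match is intended, compare with {@code =} instead. The returned
     * entities include the {@code password} column; callers should not pass them
     * to a view as they are.
     *
     * @param username the value to match; it should come from the server-side
     *                 authenticated principal, not from a request parameter or cookie
     * @return the matching users, possibly empty
     */
    @SuppressWarnings("unchecked")
    @Override
    public List<Users> userInfo(String username) {
        String sql = "select users.username, users.password, users.name, users.enabled, users.surname, users.email, users.gender, users.age, users.weight, users.height, users.sport, users.place from users where users.username LIKE :username";
        Session session = sessionFactory.openSession();
        try {
            List<Users> userInfoList = session.createSQLQuery(sql)
                    .addEntity(Users.class)
                    .setParameter("username", username)
                    .list();
            // Debug output kept from the original; it writes user names to stdout.
            for (Users user : userInfoList) {
                System.out.println(user.getName());
            }
            return userInfoList;
        } finally {
            // Close the session even when the query throws.
            session.close();
        }
    }

}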

1 Answer


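I am not sure I understand your problem, but if it is just a matter of parameterizing a query, use a bound parameter to build the query instead of formatting a String. With a bound parameter the username is sent as data, so its content is never interpreted as part of the SQL statement: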

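// The username is bound to the named parameter :paramName, so it is passed to the
// database as data and never becomes part of the SQL text.
String sql = "select users.username, users.password, users.name, users.enabled, users.surname, users.email, users.gender, users.age, users.weight, users.height, users.sport, users.place from users where users.username LIKE :paramName";
// addEntity is only available on the SQLQuery returned by createSQLQuery, so it is
// called before the result is stored as a plain Query.
Query query = session.createSQLQuery(sql).addEntity(Users.class);
query.setParameter("paramName", username);
List<Users> userInfoList = query.list();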
  • Thanks for the answer. But I need to store the username in the browser (cookies, saving it into the browser HTTP session) and after that use this username in other queries! Understand me? – Serg Shapoval Nov 30 '15 at 17:42