0

How would I know for sure what the following line would return today and in future versions of Spring? I didn't find documentation about this. How can I know for sure what Spring would decide to assign to this field?

`SecurityContextHolder.getContext().getAuthentication().getDetails()`

According to this you can expect the Spanish Inquisition

Portable

3 Answers

5

Expect null unless you put something there.

It depends only on the chosen implementation and your actions. You provide this information, not Spring. Spring just made a field to keep additional data related to an authentication instance and allowed you to set anything you want.

EDIT:
There is one subclass of the `Authentication` - the `AbstractAuthenticationToken`, which defines `getDetails()`, and none of its known implementing classes overrides this method. It implies that `setDetails` is the one way to change these details externally. Therefore, all the work is moved to a mechanism which fills an authentication (e.g. `AuthenticationManager`), which normally is controlled by you.

Andrew Tobilko
3

Java Spring is not clear about what should one expect from getDetails of SecurityContext

We cannot say this, because I think the Spring developers have given this choice to the security provider implementation.

If you have a custom implementation, your security provider has to use one of AbstractAuthenticationToken. As part of AbstractAuthenticationToken you can set the details: `AbstractAuthenticationToken.setDetails(details);`

For example, I use CAS (Central Authentication Service). CAS uses UsernamePasswordAuthenticationToken and sets the details with DefaultServiceAuthenticationDetails,

which consists of the details below:

Details: org.springframework.security.cas.web.authentication.DefaultServiceAuthenticationDetails@950d14e5: RemoteIpAddress: xxx.xx.xx.xxx; SessionId: A0A0A0A0BB1B1B1B1ServiceUrl: https://local.example.com/test_application/j_spring_cas_security_check

ranafeb14
  • 1
    Here is the proof, check line#109 http://grepcode.com/file/repo1.maven.org/maven2/org.springframework.security/spring-security-cas-client/3.0.6.RELEASE/org/springframework/security/cas/web/CasAuthenticationFilter.java – ranafeb14 May 29 '17 at 06:29
  • If I understand your comment and the code correctly, this is the proof that Spring **does** change\initialize the value of **details**, contrary to what everyone else has answered. – Portable May 29 '17 at 06:43
  • @Portable, these values are changed by a manager/filter and its implementation is known to you. Depending on this implementation, you will be expecting a particular `details`. – Andrew Tobilko May 29 '17 at 07:20
  • So I should read the code not the documentation, when using Spring – Portable May 29 '17 at 07:40
  • @Portable, in this case, yes. I would say "be aware of the implementation you're using" – Andrew Tobilko May 29 '17 at 12:25
0

That's the way we use the details object:


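```java
import org.springframework.security.core.Authentication;

public class CustomAuthentication implements Authentication {
    private Object details;

    // Returns whatever was last stored with setDetails(); null until then.
    @Override
    public Object getDetails() {
        return details;
    }

    /** Sets the details */
    public void setDetails(Object details) {
        this.details = details;
    }

    // The other Authentication methods (getPrincipal(), getAuthorities(), ...)
    // are not shown in this answer.
}
```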

You can see that Spring just supports the getDetails() function; we can set anything to this object, and getDetails() will return exactly that data.

BIZ
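
Added example, not part of any answer above and not Spring's own code: because `getDetails()` returns `null` or whatever type the filter or provider in use chose to set, code that reads it (for audit logging or an access decision) can check for both cases instead of casting blindly. `ClientDetails`, `currentDetails` and the sample values are hypothetical names constructed for this sketch; it assumes spring-security-core is on the classpath.

```java
import java.util.Optional;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

public class DetailsDemo {

    /** Hypothetical details type; the filter or provider in use decides the real one. */
    static final class ClientDetails {
        final String remoteAddress;
        ClientDetails(String remoteAddress) { this.remoteAddress = remoteAddress; }
    }

    /** Returns the details only if an authentication exists and carries the expected type. */
    static <T> Optional<T> currentDetails(Class<T> expected) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return Optional.empty();          // nothing authenticated on this thread
        }
        Object details = auth.getDetails();   // null unless something called setDetails()
        return expected.isInstance(details)
                ? Optional.of(expected.cast(details))
                : Optional.empty();           // null, or a type this code does not expect
    }

    public static void main(String[] args) {
        // Constructed principal and credentials, for illustration only.
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken("alice", "constructed-password");
        SecurityContextHolder.getContext().setAuthentication(token);

        // 1. Nothing has set the details yet, so the accessor yields an empty Optional.
        System.out.println(currentDetails(ClientDetails.class).isPresent());

        // 2. After setDetails(), getDetails() hands back that same object.
        token.setDetails(new ClientDetails("192.0.2.10")); // constructed sample address
        System.out.println(currentDetails(ClientDetails.class)
                .map(d -> d.remoteAddress).orElse("unknown"));

        // 3. A different details type is rejected instead of raising ClassCastException.
        token.setDetails("some other details object");
        System.out.println(currentDetails(ClientDetails.class).isPresent());

        SecurityContextHolder.clearContext();
    }
}
```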