bjozzi

Reputation: 55

Spring Security session throws an error when instantiated

I am using Spring Security in a web app I am creating and am having issues with how to use the session.

I sign in and everything works like a charm, but when I try to use the session it always throws an error.

When the sixth line in this code gets called:

@POST
@Path("PostUserData/{userId}")
@Produces(MediaType.APPLICATION_JSON + ";charset=UTF-8")
public final Response postUserData(@PathParam("userId") String userId, String input){
    Response response;
    ServletRequestAttributes attr = (ServletRequestAttributes)RequestContextHolder.currentRequestAttributes();
    HttpSession session= attr.getRequest().getSession(true); // true == allow create

    response = Response.created(null).build();
    return response;
}

This error comes:

java.lang.IllegalStateException: No thread-bound request found: Are you referring to request attributes outside of an actual web request, or processing a request outside of the originally receiving thread? If you are actually operating within a web request and still receive this message, your code is probably running outside of DispatcherServlet/DispatcherPortlet: In this case, use RequestContextListener or RequestContextFilter to expose the current request.
    at org.springframework.web.context.request.RequestContextHolder.currentRequestAttributes(RequestContextHolder.java:131)

I am following the instructions from http://www.baeldung.com/spring-security-session .

What matters in my security application context xml file is:

<http pattern="/**" use-expressions="true" create-session="always">
    <intercept-url pattern="/**" access="permitAll" />
    <form-login
            username-parameter="username"
            password-parameter="password" login-processing-url="/login"
            login-page='/login.jsp'
            default-target-url='/View/Login/SelectUser.html'
            always-use-default-target='true'
            authentication-failure-url="/login.jsp"/>
    <logout logout-url="/logout/" logout-success-url="/" />
    <session-management invalid-session-url="/">
        <concurrency-control expired-url="/" max-sessions="2" />
    </session-management>
</http>

and I have added in my web.xml

<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <welcome-file-list>
        <welcome-file>/</welcome-file>
    </welcome-file-list>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/security-app-context.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
        <welcome-file>login.html</welcome-file>
        <welcome-file>login.htm</welcome-file>
    </welcome-file-list>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

</web-app>

Does anybody have a clue what might be wrong? Do I maybe need to instantiate the session or something?

Upvotes: 1

Views: 1176

Answers (1)

jcarvalho

Reputation: 441

Why don't you simply add the HttpSession as a parameter of your method?

Like this:

@POST
@Path("PostUserData/{userId}")
@Produces(MediaType.APPLICATION_JSON + ";charset=UTF-8")
public final Response postUserData(@PathParam("userId") String userId, 
        String input, HttpSession session){

    // Your method here
    return Response.created(null).build();
}

Upvotes: 2
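
An added example, not code from the question or the answer: one way to reach the session from a JAX-RS resource without `RequestContextHolder`, by injecting the servlet request with `@Context`. The class name `UserDataResource`, the `postCount` attribute, and the `javax.*` namespace (taken from the Java EE 3.1 `web.xml` in the question) are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical resource class; the path and parameters follow the question.
@Path("/")
public class UserDataResource {

    // The JAX-RS runtime injects the servlet request of the call being handled,
    // so no Spring thread-bound lookup (RequestContextHolder) is involved.
    // Alternative named in the exception text: register
    // org.springframework.web.context.request.RequestContextListener as a
    // <listener> in web.xml so that RequestContextHolder is populated.
    @Context
    private HttpServletRequest request;

    @POST
    @Path("PostUserData/{userId}")
    @Produces(MediaType.APPLICATION_JSON + ";charset=UTF-8")
    public Response postUserData(@PathParam("userId") String userId, String input) {
        // getSession(false) returns null instead of silently creating a new
        // session, so a caller without an established session is rejected.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Constructed attribute: count the posts made within this session.
        Integer count = (Integer) session.getAttribute("postCount");
        session.setAttribute("postCount", count == null ? 1 : count + 1);

        return Response.status(Response.Status.CREATED).build();
    }
}
```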
