How to get started with user auth and session management

Hi,

I’ve started using Javalin and found it really useful so far. However I’ve gotten stuck when adding real authentication and session handling. I’ve not used Jetty before, which I think is why I find the existing docs on that topic a bit on the short side.

I added an AccessManager according to tutorial https://javalin.io/tutorials/auth-example, and a SessionManager according to tutorial https://javalin.io/tutorials/jetty-session-handling-kotlin.

I also need to make sure that SessionManager does something useful to my requests. Now, I see that the Context keeps a Request object, which has a lot of methods that I suspect I should use.

So, in my login endpoint, I added this:

// Read the Authorization: Basic header and hand the credentials to the servlet container
BasicAuthCredentials creds = ctx.basicAuthCredentials();
ctx.req.login(creds.getUsername(), creds.getPassword());

As it is, the above gives me [qtp1635546341-22] WARN io.javalin.core.ExceptionMapper - Uncaught exception org.eclipse.jetty.server.Authentication$Failed: Authenticated failed for username 'user1'. Already authenticated as null

What do I need to set up to make login() work?

I also figure I should use a SessionManager to remember who is logged in. Does it also handle reading session cookies for me? The tutorial at tells me how to configure the SessionManager, but not what it will do, or how to use it. I notice I can probably log out a session with ctx.req.getSession().invalidate(), but what do I do to, for example, check whether the Context is for a logged-in Session for a certain user or Role?

HttpSession sess = ctx.req.getSession();

I looked around at the Jetty docs but they are very focused on configuring a web.xml and not so useful for a Javalin user.

It would have been really cool to see an example project that implements Session handling!

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

3 reactions
david-wg2 commented, Apr 10, 2019

I’m not all that familiar with how login is handled in Servlets/Jetty either, but luckily this isn’t required for auth in Javalin. Once you have a session manager configured (the default one is fine too), you can trust Jetty to keep track of the session cookie which binds the user to the server side session. Handle login however you want (basic auth, Google sign-in, etc), then do ctx.sessionAttribute("logged-in-user", loggedInUser). If logged-in-user is set, then the user is logged in.

2 reactions
tipsy commented, Apr 10, 2019

I don’t really know much about remoteUser and isUserInRole. Why do you need to use them? This is how I usually make my access managers:

fun manage(handler: Handler, ctx: Context, roles: Set<Role>) = when {
    // Public route: run the handler without looking at the user
    roles.contains(Role.ANY) -> handler.handle(ctx)
    // Nobody logged in: send them to the login page
    ctx.currentUser == null -> redirectToLogin(ctx)
    // Any logged-in user is enough for this route
    ctx.currentUser != null && roles.contains(Role.LOGGED_IN) -> handler.handle(ctx)
    // Route requires a specific role the user holds
    ctx.currentUser != null && userHasMatchingRole(ctx, roles) -> handler.handle(ctx)
    // Logged in, but without a permitted role
    else -> throw UnauthorizedResponse()
}

Edit: ctx.currentUser is just ctx.attribute<String>("current-user")
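Putting the two comments above together (david-wg2's "store the user in a session attribute" and tipsy's role-checking access manager), here is an added, self-contained Javalin example; it is not code from the issue or from the Javalin project. It assumes the Javalin 2.x API (io.javalin.security.Role, SecurityUtil.roles, app.accessManager, ctx.req), Java 11+ for Map.of, and a constructed in-memory user store. Login via basic auth writes the user and role into the session; the access manager reads them back for every protected route; logout invalidates the server-side session. The login handler also invalidates any pre-login session before storing the user, so a session id a client already held cannot be upgraded into an authenticated one.

```java
// Added example (not from the issue). Assumes Javalin 2.x package names;
// they moved in Javalin 3 (io.javalin.http.*, io.javalin.core.security.*).
import io.javalin.BasicAuthCredentials;
import io.javalin.Context;
import io.javalin.ForbiddenResponse;
import io.javalin.Javalin;
import io.javalin.UnauthorizedResponse;
import io.javalin.security.Role;
import static io.javalin.security.SecurityUtil.roles;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

public class SessionAuthExample {

    // Roles used by the access manager. ANYONE marks public routes.
    enum AppRole implements Role { ANYONE, USER, ADMIN }

    // Constructed demo accounts (username -> password, username -> role).
    // A real application verifies a salted password hash from its user store.
    static final Map<String, String> PASSWORDS = Map.of("alice", "alice-pw", "bob", "bob-pw");
    static final Map<String, AppRole> ROLES = Map.of("alice", AppRole.ADMIN, "bob", AppRole.USER);

    // Session attribute names (constructed; any string works)
    static final String USER_KEY = "logged-in-user";
    static final String ROLE_KEY = "logged-in-role";

    public static void main(String[] args) {
        Javalin app = Javalin.create();

        // Runs before every handler registered with a role set.
        app.accessManager((handler, ctx, permittedRoles) -> {
            if (permittedRoles.contains(AppRole.ANYONE)) {
                handler.handle(ctx);
                return;
            }
            AppRole role = ctx.sessionAttribute(ROLE_KEY);  // null when nobody is logged in
            if (role == null) {
                throw new UnauthorizedResponse();           // 401: no authenticated session
            }
            if (!permittedRoles.contains(role)) {
                throw new ForbiddenResponse();              // 403: logged in, wrong role
            }
            handler.handle(ctx);
        });

        app.post("/login", SessionAuthExample::login, roles(AppRole.ANYONE));
        app.post("/logout", SessionAuthExample::logout, roles(AppRole.USER, AppRole.ADMIN));
        app.get("/me", ctx -> ctx.result("Hello " + ctx.sessionAttribute(USER_KEY)),
                roles(AppRole.USER, AppRole.ADMIN));
        app.get("/admin", ctx -> ctx.result("admin area"), roles(AppRole.ADMIN));

        app.start(7000);
    }

    static void login(Context ctx) {
        if (!ctx.basicAuthCredentialsExist()) {
            throw new UnauthorizedResponse();
        }
        BasicAuthCredentials creds = ctx.basicAuthCredentials();
        String expected = PASSWORDS.get(creds.getUsername());
        // Constant-time comparison so response timing does not leak how many bytes matched
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                creds.getPassword().getBytes(StandardCharsets.UTF_8))) {
            throw new UnauthorizedResponse();
        }
        // Discard any session that existed before authentication and start a fresh one,
        // so a session id the client already held is not promoted to a logged-in session.
        ctx.req.getSession().invalidate();
        ctx.req.getSession(true);
        ctx.sessionAttribute(USER_KEY, creds.getUsername());
        ctx.sessionAttribute(ROLE_KEY, ROLES.get(creds.getUsername()));
        ctx.result("logged in as " + creds.getUsername());
    }

    static void logout(Context ctx) {
        // Invalidating the server-side session is the actual logout: the JSESSIONID
        // cookie the browser still holds no longer maps to any stored attributes.
        ctx.req.getSession().invalidate();
        ctx.result("logged out");
    }
}
```

With this in place, Jetty's session manager (default or the one from the Javalin session tutorial) is the only piece that touches the cookie: it issues JSESSIONID, maps it to the server-side HttpSession, and the application never calls ctx.req.login() at all. Checking "is this user logged in as role X" is then just reading the session attribute, which is what the access manager above does.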
