Get Authenticated User
This page describes how to get hold of information about an authenticated (logged-in) user. This document is part of the delivery tier security information; however, the first part, about getting hold of a SessionUser object, holds true for the CMS application as well.
Getting Hold of the SessionUser
The SessionUser is an object containing all kinds of information about the user behind the JCR Session, such as:
- First name
- Last name
- Memberships (which groups it is in)
- Userroles
- and more, see User
Getting hold of it once you have the JCR Session for the user is trivial:

```java
final Session userSession = ...
final SessionUser sessionUser = ((HippoSession) userSession).getUser();
```

(SessionUser extends User.)
Getting Hold of the User JCR Session in CMS
Getting hold of the user JCR Session in the CMS context can simply be achieved through Wicket code:

```java
UserSession.get().getJcrSession()
```

but since the HST (delivery tier) is also used for handling CMS requests, you can alternatively use

```java
RequestContextProvider.get().getSession();
```
Getting Hold of the User JCR Session in Delivery Tier
Getting hold of the JCR Session that is rendering the page is trivial and works just like above:

```java
RequestContextProvider.get().getSession();
```

However, the JCR Session that is rendering the page is in general not the same as the JCR Session of the authenticated user! The two are only the same when the hst:mount is configured with

```
hst:subjectbasedsession = true
```

which is in general discouraged because rendering then no longer uses session pools, implying a higher CPU load and memory footprint and less scalability. See Delivery Tier Authentication and Authorization Support for the property hst:subjectbasedsession.
User JCR Session when HST User Renders Page
This is the case when a user is required to authenticate for a certain channel or page, but the actual rendering is done with a delivery tier session, like the liveuser (from a pool). Hence you need some extra steps to get hold of the JCR Session, and the User, of the authenticated user. This is best done as follows (including caching on the HTTP session):

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;

import org.hippoecm.hst.container.RequestContextProvider;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.hippoecm.repository.api.HippoSession;
import org.onehippo.repository.security.User;

// 'log' is the component's own logger (e.g. an SLF4J Logger)
final HstRequestContext requestContext = RequestContextProvider.get();
final HttpServletRequest request = requestContext.getServletRequest();
// First check whether the User was already resolved and cached on the HTTP session
User user = (User) request.getSession().getAttribute("user");
if (user == null) {
    try {
        // Impersonate the authenticated principal from the (pooled) delivery tier session;
        // getUserPrincipal() is non-null here because the mount requires authentication
        final Session userSession = requestContext.getSession()
                .impersonate(new SimpleCredentials(request.getUserPrincipal().getName(), "".toCharArray()));
        user = ((HippoSession) userSession).getUser();
        request.getSession().setAttribute("user", user);
    } catch (RepositoryException e) {
        log.error("Failed to retrieve user from repository", e);
    }
}
if (user != null) {
    request.setAttribute("user", user);
}
```

Note that you do not have to log out the newly created userSession: since it is created by impersonating from a pooled delivery tier session, it will automatically be logged out when the delivery tier does its cleanup at the end of the request processing. Also note that requestContext.getSession() returns a pooled session when hst:subjectbasedsession is not true.
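The snippet above wrapped in a complete HST component, as an added example that is not part of the original page or of the HST's own code. It resolves the authenticated User by impersonation, caches it on the HTTP session, and exposes a group-membership flag to the template. The class name, the session attribute key, the "editors" group name and the use of `User.getId()` and `User.getMemberships()` (assumed to return the user id and the set of group names, matching the "Memberships" item listed above) are assumptions for this example; `BaseHstComponent`, `HstRequest.getRequestContext()` and the impersonation call are as on the page.

```java
// Added example: an HST component that exposes the authenticated User to the
// template. Names marked "hypothetical" are choices for this example only.
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.hippoecm.hst.component.support.bean.BaseHstComponent;
import org.hippoecm.hst.core.component.HstComponentException;
import org.hippoecm.hst.core.component.HstRequest;
import org.hippoecm.hst.core.component.HstResponse;
import org.hippoecm.hst.core.request.HstRequestContext;
import org.hippoecm.repository.api.HippoSession;
import org.onehippo.repository.security.User;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AuthenticatedUserComponent extends BaseHstComponent {

    private static final Logger log = LoggerFactory.getLogger(AuthenticatedUserComponent.class);
    // HTTP session attribute under which the resolved User is cached (hypothetical name)
    static final String USER_ATTR = "authenticatedUser";
    // Group whose members may see the restricted part of the page (hypothetical name)
    static final String EDITORS_GROUP = "editors";

    @Override
    public void doBeforeRender(final HstRequest request, final HstResponse response)
            throws HstComponentException {
        final HstRequestContext ctx = request.getRequestContext();
        final User user = resolveUser(ctx, ctx.getServletRequest());
        if (user != null) {
            request.setAttribute("user", user);
            request.setAttribute("isEditor", isMemberOf(user, EDITORS_GROUP));
        }
    }

    // Returns the User behind the authenticated principal, or null when nobody is
    // logged in on this mount or the repository lookup fails.
    static User resolveUser(final HstRequestContext ctx, final HttpServletRequest servletRequest) {
        final Principal principal = servletRequest.getUserPrincipal();
        if (principal == null) {
            return null; // no authenticated user: nothing to impersonate
        }
        final HttpSession httpSession = servletRequest.getSession();
        final User cached = (User) httpSession.getAttribute(USER_ATTR);
        // Reuse the cached User only if it belongs to the current principal, so a
        // different user logging in on the same HTTP session never sees stale data.
        // (User.getId() assumed to return the user id.)
        if (cached != null && principal.getName().equals(cached.getId())) {
            return cached;
        }
        try {
            // ctx.getSession() is a pooled delivery tier session (hst:subjectbasedsession
            // not true); the impersonated session is logged out by the HST at request end.
            final Session userSession = ctx.getSession()
                    .impersonate(new SimpleCredentials(principal.getName(), "".toCharArray()));
            final User user = ((HippoSession) userSession).getUser();
            httpSession.setAttribute(USER_ATTR, user);
            return user;
        } catch (RepositoryException e) {
            log.error("Failed to retrieve user '{}' from repository", principal.getName(), e);
            return null;
        }
    }

    // User.getMemberships() assumed to return the set of group names the user is in.
    static boolean isMemberOf(final User user, final String groupName) {
        return user.getMemberships() != null && user.getMemberships().contains(groupName);
    }
}
```

The template can then render the restricted section only when `isEditor` is true; since the decision is taken from the repository's own view of the user's groups rather than from anything the client sends, it cannot be influenced by request parameters.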