Spring Security - retrieve user IP, browser info and requested page

Question

We use RequestHeaderAuthenticationFilter as to implement pre-authentication strategy and PreAuthenticatedAuthenticationProvider as the authentication p

Answer 1

This might be a good approach:

1) Create a class that extends SavedRequestAwareAuthenticationSuccessHandler

public class MyCustomSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {

2) Assign the "success handler" to your security filter:

<beans:bean id="myFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler" />
               <beans:property name="authenticationSuccessHandler" ref="successHandler" />
    </beans:bean>

<beans:bean id="successHandler" class="yourPackage.MyCustomSuccessHandler" >
        <beans:property name="defaultTargetUrl" value="/index.html" /> 
        <beans:property name="alwaysUseDefaultTargetUrl" value="true"/> 
    </beans:bean>

Answer 2

All the information is available through HttpServletRequest. You can obtain it by:

Dependency injection

The easiest way would be to inject servlet request directly into your UserDetailsService: class:

public MyDetailsService implements UserDetailsService {

  @Autowired
  private HttpServletRequest request;

  //...

}

(as suggested by OP) Remember to add the following listener to your web.xml:

<listener>
    <listener-class>
        org.springframework.web.context.request.RequestContextListener
    </listener-class>
</listener>

UPDATE: This works because Spring injects special scoped proxy implementing HttpServletRequest, so you are able to access request-scoped request "bean" from singleton-scoped MyDetailsService. Under the hood every call to request's parameters is routed to org.springframework.web.context.request.RequestContextHolder#requestAttributesHolder ThreadLocal which you can also access directly. As you can see Spring is very flexible when it comes to scoping rules. It just works.

RequestContextHolder

Another approach is to use RequestContextHolder:

HttpServletRequest request = 
  ((ServletRequestAttributes) RequestContextHolder.
    currentRequestAttributes()).
    getRequest();

Further reading:

• Creating a Spring bean holds ServletRequest properties
• Spring: how do I inject an HttpServletRequest into a request-scoped bean?