Obtaining information about the logged in user

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
2
down vote

favorite












I currently have a special service to obtain information about the logged in user. I have an interface



/**
 * The service operates on the data of an authorised user.
 */
public interface AuthorizationService 
 User getUser();
 String getUserId();
 String getUsername();
 boolean isLogged();



and implementation



@Service("authorizationService")
public class AuthorizationServiceImpl implements AuthorizationService 
 private final UserSearchService userSearchService;
 /**
 * @inheritDoc
 */
 @Override
 public User getUser() 
 return userSearchService.getUserByUsername(this.getUsername());
 

 /**
 * @inheritDoc
 */
 @Override
 public String getUserId() 
 return userSearchService.getUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName()).getId();
 
...



and for example, when I use the method to create messages, I do so



@Override
public String createMessage(
 @NotNull @Valid final SendMessageDTO sendMessageDTO
) throws ResourceNotFoundException, ResourceConflictException 
 log.info("Called with sendMessageDTO ", sendMessageDTO);

 final UserEntity user = this.findUser(this.authorizationService.getUserId());
 final MessageEntity message = this.sendMessageDtoToMessageEntity(sendMessageDTO);

 message.setSender(user);

 ...

 private UserEntity findUser(final String id) throws ResourceNotFoundException 
 return this.userRepository
 .findByUniqueIdAndEnabledTrue(id)
 .orElseThrow(() -> new ResourceNotFoundException("No user found with id " + id));


  1. However, I do not know if this is a good way to obtain information about the logged-in user?


  2. Instead of a DTO User object, I could return an entity(I have a rule that I do not return entity service methods) and then I would not have to use the findUser () method to search for a user. What do you think about it?


  3. Is my way of getting a DTO User logged in user or ID a safe way?




java spring




share|improve this question

























    up vote
    2
    down vote

    favorite












    I currently have a special service to obtain information about the logged in user. I have an interface



    /**
     * The service operates on the data of an authorised user.
     */
    public interface AuthorizationService 
     User getUser();
     String getUserId();
     String getUsername();
     boolean isLogged();



    and implementation



    @Service("authorizationService")
    public class AuthorizationServiceImpl implements AuthorizationService 
     private final UserSearchService userSearchService;
     /**
     * @inheritDoc
     */
     @Override
     public User getUser() 
     return userSearchService.getUserByUsername(this.getUsername());
     

     /**
     * @inheritDoc
     */
     @Override
     public String getUserId() 
     return userSearchService.getUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName()).getId();
     
    ...



    and for example, when I use the method to create messages, I do so



    @Override
    public String createMessage(
     @NotNull @Valid final SendMessageDTO sendMessageDTO
    ) throws ResourceNotFoundException, ResourceConflictException 
     log.info("Called with sendMessageDTO ", sendMessageDTO);

     final UserEntity user = this.findUser(this.authorizationService.getUserId());
     final MessageEntity message = this.sendMessageDtoToMessageEntity(sendMessageDTO);

     message.setSender(user);

     ...

     private UserEntity findUser(final String id) throws ResourceNotFoundException 
     return this.userRepository
     .findByUniqueIdAndEnabledTrue(id)
     .orElseThrow(() -> new ResourceNotFoundException("No user found with id " + id));


    1. However, I do not know if this is a good way to obtain information about the logged-in user?


    2. Instead of a DTO User object, I could return an entity(I have a rule that I do not return entity service methods) and then I would not have to use the findUser () method to search for a user. What do you think about it?


    3. Is my way of getting a DTO User logged in user or ID a safe way?




    java spring




    share|improve this question





















      up vote
      2
      down vote

      favorite









      up vote
      2
      down vote

      favorite











      I currently have a special service to obtain information about the logged in user. I have an interface



      /**
       * The service operates on the data of an authorised user.
       */
      public interface AuthorizationService 
       User getUser();
       String getUserId();
       String getUsername();
       boolean isLogged();



      and implementation



      @Service("authorizationService")
      public class AuthorizationServiceImpl implements AuthorizationService 
       private final UserSearchService userSearchService;
       /**
       * @inheritDoc
       */
       @Override
       public User getUser() 
       return userSearchService.getUserByUsername(this.getUsername());
       

       /**
       * @inheritDoc
       */
       @Override
       public String getUserId() 
       return userSearchService.getUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName()).getId();
       
      ...



      and for example, when I use the method to create messages, I do so



      @Override
      public String createMessage(
       @NotNull @Valid final SendMessageDTO sendMessageDTO
      ) throws ResourceNotFoundException, ResourceConflictException 
       log.info("Called with sendMessageDTO ", sendMessageDTO);

       final UserEntity user = this.findUser(this.authorizationService.getUserId());
       final MessageEntity message = this.sendMessageDtoToMessageEntity(sendMessageDTO);

       message.setSender(user);

       ...

       private UserEntity findUser(final String id) throws ResourceNotFoundException 
       return this.userRepository
       .findByUniqueIdAndEnabledTrue(id)
       .orElseThrow(() -> new ResourceNotFoundException("No user found with id " + id));


      1. However, I do not know if this is a good way to obtain information about the logged-in user?


      2. Instead of a DTO User object, I could return an entity(I have a rule that I do not return entity service methods) and then I would not have to use the findUser () method to search for a user. What do you think about it?


      3. Is my way of getting a DTO User logged in user or ID a safe way?




      java spring




      share|improve this question











      I currently have a special service to obtain information about the logged in user. I have an interface



      /**
       * The service operates on the data of an authorised user.
       */
      public interface AuthorizationService 
       User getUser();
       String getUserId();
       String getUsername();
       boolean isLogged();



      and implementation



      @Service("authorizationService")
      public class AuthorizationServiceImpl implements AuthorizationService 
       private final UserSearchService userSearchService;
       /**
       * @inheritDoc
       */
       @Override
       public User getUser() 
       return userSearchService.getUserByUsername(this.getUsername());
       

       /**
       * @inheritDoc
       */
       @Override
       public String getUserId() 
       return userSearchService.getUserByUsername(SecurityContextHolder.getContext().getAuthentication().getName()).getId();
       
      ...



      and for example, when I use the method to create messages, I do so



      @Override
      public String createMessage(
       @NotNull @Valid final SendMessageDTO sendMessageDTO
      ) throws ResourceNotFoundException, ResourceConflictException 
       log.info("Called with sendMessageDTO ", sendMessageDTO);

       final UserEntity user = this.findUser(this.authorizationService.getUserId());
       final MessageEntity message = this.sendMessageDtoToMessageEntity(sendMessageDTO);

       message.setSender(user);

       ...

       private UserEntity findUser(final String id) throws ResourceNotFoundException 
       return this.userRepository
       .findByUniqueIdAndEnabledTrue(id)
       .orElseThrow(() -> new ResourceNotFoundException("No user found with id " + id));


      1. However, I do not know if this is a good way to obtain information about the logged-in user?


      2. Instead of a DTO User object, I could return an entity(I have a rule that I do not return entity service methods) and then I would not have to use the findUser () method to search for a user. What do you think about it?


      3. Is my way of getting a DTO User logged in user or ID a safe way?





      java spring





      share|improve this question










      share|improve this question




      share|improve this question









      asked Apr 5 at 22:55









      user166339

      111




      111




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          Usually the logged in user and it's common used information is stored in the session. And the session is usually wrapped in a Context class (like SecurityContextHolder itself). This is done because you can decouple your code from the session or from the servlet api (or whatever api you're using). It also makes it easier to test.



          Most of web pages do show your user information when you're logged in, e.g. your avatar on this page on the top. So for every request you do not have to look up the user's information.



          I'd introduce a Context class which provides a setUser and getUser method.



          Beside that:




          • AuthorizationService: Authorization means: Is the user allowed to do x. (While authentication means: Is the user really the user he pretends to be). Or in other words: The name of the type is misleading.


          • getUser(): This method calls this.getUsername() -> I don't see the code of this one, bit I assume it looks up the username by SecurityContextHolder. This means, the AuthorizationService is tightly coupled Spring Security, which is bad. Same for getUserId() -> it's better to pass the arguments and put the responsibility to the presentation layer (which includes security usually)





          share|improve this answer





















            Your Answer




            StackExchange.ifUsing("editor", function ()
            return StackExchange.using("mathjaxEditing", function ()
            StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
            StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
            );
            );
            , "mathjax-editing");

            StackExchange.ifUsing("editor", function ()
            StackExchange.using("externalEditor", function ()
            StackExchange.using("snippets", function ()
            StackExchange.snippets.init();
            );
            );
            , "code-snippets");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "196"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            convertImagesToLinks: false,
            noModals: false,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );








             

            draft saved


            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f191364%2fobtaining-information-about-the-logged-in-user%23new-answer', 'question_page');

            );

            Post as a guest

















            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes








            up vote
            1
            down vote













            Usually the logged in user and it's common used information is stored in the session. And the session is usually wrapped in a Context class (like SecurityContextHolder itself). This is done because you can decouple your code from the session or from the servlet api (or whatever api you're using). It also makes it easier to test.



            Most of web pages do show your user information when you're logged in, e.g. your avatar on this page on the top. So for every request you do not have to look up the user's information.



            I'd introduce a Context class which provides a setUser and getUser method.



            Beside that:




            • AuthorizationService: Authorization means: Is the user allowed to do x. (While authentication means: Is the user really the user he pretends to be). Or in other words: The name of the type is misleading.


            • getUser(): This method calls this.getUsername() -> I don't see the code of this one, bit I assume it looks up the username by SecurityContextHolder. This means, the AuthorizationService is tightly coupled Spring Security, which is bad. Same for getUserId() -> it's better to pass the arguments and put the responsibility to the presentation layer (which includes security usually)





            share|improve this answer

























              up vote
              1
              down vote













              Usually the logged in user and it's common used information is stored in the session. And the session is usually wrapped in a Context class (like SecurityContextHolder itself). This is done because you can decouple your code from the session or from the servlet api (or whatever api you're using). It also makes it easier to test.



              Most of web pages do show your user information when you're logged in, e.g. your avatar on this page on the top. So for every request you do not have to look up the user's information.



              I'd introduce a Context class which provides a setUser and getUser method.



              Beside that:




              • AuthorizationService: Authorization means: Is the user allowed to do x. (While authentication means: Is the user really the user he pretends to be). Or in other words: The name of the type is misleading.


              • getUser(): This method calls this.getUsername() -> I don't see the code of this one, bit I assume it looks up the username by SecurityContextHolder. This means, the AuthorizationService is tightly coupled Spring Security, which is bad. Same for getUserId() -> it's better to pass the arguments and put the responsibility to the presentation layer (which includes security usually)





              share|improve this answer























                up vote
                1
                down vote










                up vote
                1
                down vote









                Usually the logged in user and it's common used information is stored in the session. And the session is usually wrapped in a Context class (like SecurityContextHolder itself). This is done because you can decouple your code from the session or from the servlet api (or whatever api you're using). It also makes it easier to test.



                Most of web pages do show your user information when you're logged in, e.g. your avatar on this page on the top. So for every request you do not have to look up the user's information.



                I'd introduce a Context class which provides a setUser and getUser method.



                Beside that:




                • AuthorizationService: Authorization means: Is the user allowed to do x. (While authentication means: Is the user really the user he pretends to be). Or in other words: The name of the type is misleading.


                • getUser(): This method calls this.getUsername() -> I don't see the code of this one, bit I assume it looks up the username by SecurityContextHolder. This means, the AuthorizationService is tightly coupled Spring Security, which is bad. Same for getUserId() -> it's better to pass the arguments and put the responsibility to the presentation layer (which includes security usually)





                share|improve this answer













                Usually the logged in user and it's common used information is stored in the session. And the session is usually wrapped in a Context class (like SecurityContextHolder itself). This is done because you can decouple your code from the session or from the servlet api (or whatever api you're using). It also makes it easier to test.



                Most of web pages do show your user information when you're logged in, e.g. your avatar on this page on the top. So for every request you do not have to look up the user's information.



                I'd introduce a Context class which provides a setUser and getUser method.



                Beside that:




                • AuthorizationService: Authorization means: Is the user allowed to do x. (While authentication means: Is the user really the user he pretends to be). Or in other words: The name of the type is misleading.


                • getUser(): This method calls this.getUsername() -> I don't see the code of this one, bit I assume it looks up the username by SecurityContextHolder. This means, the AuthorizationService is tightly coupled Spring Security, which is bad. Same for getUserId() -> it's better to pass the arguments and put the responsibility to the presentation layer (which includes security usually)






                share|improve this answer













                share|improve this answer



                share|improve this answer











                answered Apr 11 at 16:21









                slowy

                1,796110




                1,796110






















                     

                    draft saved


                    draft discarded


























                     


                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f191364%2fobtaining-information-about-the-logged-in-user%23new-answer', 'question_page');

                    );

                    Post as a guest
































































                    -

                    Popular posts from this blog

                    Chat program with C++ and SFML

                    Image
                    Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 2 down vote favorite This is my client code: (My server is very similar at the moment but I will upload it below this one just in case somebody wants to run it) #include <SFML/Graphics.hpp> #include <SFML/Network.hpp> #include <thread> int main() sf::RenderWindow main_win(sf::VideoMode(800, 800), "Chatcy!"); main_win.setPosition(sf::Vector2i(sf::VideoMode::getDesktopMode().width/2 -400, sf::VideoMode::getDesktopMode().height/2 -400)); main_win.setVerticalSyncEnabled(true); //chatcy logo sf::Texture chatcy; chatcy.loadFromFile("image_chatcy.png"); sf::Sprite logo; logo.setTexture(chatcy); //200x800 //font sf::Font font; font.loadFromFile("FreeSerif.ttf"); //name sf::String name("Client"); name += ": "; //text input area and background sf::RectangleShape in_backg
                    Read more

                    Function to Return a JSON Like Objects Using VBA Collections and Arrays

                    Image
                    Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 1 down vote favorite My goal is to create a compact function that can create a JSON Like object from JSON string. I want a function with a small footprint that I or anyone who wants to use it, can simply paste into a module and use. At 61 lines of code, I am happy with its size and portability. Here is an image of JSON Object created from string data using a ScriptControl . Although the Locals Window displays the properties and values correctly, the object itself is extremely difficult to work with. This image shows an object created using getJSONCollection . Because it is made of VBA Collections and Arrays, it is very easy to work with. Option Explicit Private Function getJSONCollection(ByVal Value As Variant, Optional ScriptEngine As Object) As Variant Const DELIMITER As String = "||" Dim col As Collection, JSON As Object, KeyNam
                    Read more

                    Will my employers contract hold up in court?

                    Image
                    Clash Royale CLAN TAG #URR8PPP up vote 8 down vote favorite 2 When I started a new job back in July of 2017, I signed a contract that had the following bindings or restrictions if I was ever to leave the company: Cannot work for a competitor within 25 miles of current companies location for the next two years Cannot offer my services to any organization within 25 miles of current companies location for the next two years Now, when mentioned “my services” this can be related to my profession of website design. This contract seems incredibly binding, 2 years in length, and I’m looking to see if it would actually hold up in an Arizona court. contract employment non-compete arizona share | improve this question edited Aug 7 at 15:35 feetwet ♦ 13.8k 9 37 85 asked Aug 6 at 19:05 Alex S. 46 2 What does your company do and what services do they provide? What is your role (i.e. internal work or work for customers).
                    Read more