4.2.10.1. UserSession

The user session is the central element of the access control subsystem of a CUBA application. It is represented by the UserSession object, which is associated with the currently authenticated user and holds the information about that user's rights to access data. The object for the current session can be obtained in any application block through the UserSessionSource infrastructure interface.

The user session is created on the Middleware while the LoginService.login() method executes, after the user has been authenticated with the provided name and password. The UserSession object is then cached in this Middleware block and returned to the client tier. When running in a cluster, the session object is replicated to all cluster members. The client tier also stores the session object after receiving it, associating it with the active user in one way or another (for example, in the HTTP session). From then on, every Middleware invocation on behalf of this user is accompanied by the session identifier (of UUID type). This requires no special support in application code, because the session identifier is passed automatically, regardless of the signature of the invoked method. Processing of a client invocation in the Middleware starts by retrieving the session from the cache using the received identifier; the session is then assigned to the executing thread. The session object is removed from the cache when the LoginService.logout() method is called or when the timeout defined by the cuba.userSessionExpirationTimeoutSec application property expires.

Thus the session identifier created when the user logs into the system is what authenticates the user on each subsequent Middleware invocation.

The UserSession object also contains methods for authorizing the current user, i.e. validating the rights to access system objects: isScreenPermitted(), isEntityOpPermitted(), isEntityAttrPermitted(), isSpecificPermitted().

A UserSession object can also hold named attributes of any serializable type. Attributes are set with the setAttribute() method and read with the getAttribute() method. The latter can additionally return the following session parameters as if they were attributes:

  • userId – ID of the currently registered or substituted user;

  • userLogin – login of the currently registered or substituted user in lowercase.

The attributes are replicated within the Middleware cluster, like the rest of the session data.
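The following Middleware bean is an added illustration of the API described above; it is not code from the CUBA documentation or platform. It obtains the current UserSession through UserSessionSource, checks entity, attribute and specific permissions before an operation, and keeps a small per-session attribute. The Order entity class, the `orders-export` specific permission and the `exportCount` attribute are assumed names.

```java
import com.haulmont.chile.core.model.MetaClass;
import com.haulmont.cuba.core.global.Metadata;
import com.haulmont.cuba.core.global.UserSessionSource;
import com.haulmont.cuba.security.entity.EntityAttrAccess;
import com.haulmont.cuba.security.entity.EntityOp;
import com.haulmont.cuba.security.global.UserSession;
import org.springframework.stereotype.Component;

import javax.inject.Inject;

@Component
public class SessionAuthorizationChecks {

    @Inject
    private UserSessionSource userSessionSource;

    @Inject
    private Metadata metadata;

    /** True only if the current user may update the entity AND modify the given attribute. */
    public boolean canEditAttribute(Class<?> entityClass, String attribute) {
        // The session is resolved from the identifier the client passed automatically;
        // no session id appears in the service method signature.
        UserSession session = userSessionSource.getUserSession();
        MetaClass metaClass = metadata.getClassNN(entityClass);
        return session.isEntityOpPermitted(metaClass, EntityOp.UPDATE)
                && session.isEntityAttrPermitted(metaClass, attribute, EntityAttrAccess.MODIFY);
    }

    /**
     * Guards a privileged action with a specific permission and records how often the
     * current session used it. "orders-export" and "exportCount" are assumed names.
     * Returns the updated count, or -1 if the action was denied.
     */
    public int recordExport() {
        UserSession session = userSessionSource.getUserSession();
        if (!session.isSpecificPermitted("orders-export")) {
            return -1; // deny: the caller must not fall back to an unchecked path
        }
        // userLogin is exposed by getAttribute() as if it were an ordinary attribute.
        String login = session.getAttribute("userLogin");
        Integer count = session.getAttribute("exportCount");
        int updated = (count == null ? 0 : count) + 1;
        // Attributes are replicated cluster-wide, so keep them small and serializable.
        session.setAttribute("exportCount", updated);
        session.setAttribute("lastExportBy", login);
        return updated;
    }
}
```

Because the session is cached per identifier and replicated, a denied check here is enforced consistently on every Middleware node that handles the user's calls.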