Get Authenticated User

This page describes how to get hold of info for an authenticated (logged in) user. This document is part of the delivery tier security information however the first part with respect to getting hold of a SessionUser object the holds true for the CMS application as well

Getting Hold of the SessionUser

The SessionUser is an object containing all kind of information for the user behind the JCR Session, like

  1. First name
  2. Last name
  3. Memberships (which groups it is in)
  4. Userroles
  5. and more, see User

Getting hold of if once you have the JCR Session for the user is trivial:

final Session userSession = ...
final SessionUser sessionUser = ((HippoSession)userSession).getUser();

(and SessionUser extends User)

Getting Hold of the User JCR Session in CMS

Getting hold of the User JCR Session in the CMS context can be simply achieved through Wicket Code


but since the HST (delivery tier) is also used for handling CMS requests, you can alternatively also use


Getting Hold of the User JCR Session in Delivery Tier

Getting hold of the JCR Session that is rendering the page is trivial and is just like above just


However the JCR Session that is rendering the page is in general not the same as the JCR Session of the authenticated user! This is namely only the case when the hst:mount is configured with

hst:subjectbasedsession = true

which is in general discouraged because it doesn't use session pools for rendering then, implying a higher CPU load and memory footprint and less scalability. See Delivery Tier Authentication and Authorization Support for the property hst:subjectbasedsession.

User JCR Session when HST User Renders Page

This is the case when a User requires to Authenticate for a certain channel or page, but the actual rendering is done with a delivery tier session, like the liveuser (from a pool). Hence you need some extra steps to get hold of the UserSession for the authenticated user. This can (best) be done as follows (including caching on http session):

final HstRequestContext requestContext = RequestContextProvider.get();
final HttpServletRequest request = requestContext.getServletRequest();
User user = (User) request.getSession().getAttribute("user");
if (user == null) {
    try {
        final Session userSession = requestContext.getSession()
                .impersonate(new SimpleCredentials(request.getUserPrincipal().getName(), "".toCharArray()));
        user = ((HippoSession) userSession).getUser());
        request.getSession().setAttribute("user", user);
    } catch (RepositoryException e) {
        log.error("Failed to retrieve user from repository", e);
if (user != null) {
    request.setAttribute("user", user);

Note that you do not have to log out the newly created userSession since if created by impersonating from a pooled delivery tier session, the created session will be automatically logged out when the delivery tier does the cleanup at the end of the request processing. Also note that requestContext.getSession() returns pooled session in case hst:subjectbasedsession is not true.


Did you find this page helpful?
How could this documentation serve you better?
On this page
    Did you find this page helpful?
    How could this documentation serve you better?