Session Attributes

An access group can define session attributes for the users belonging to this group. These attributes can be used in the application code and in constraints.

When a user logs in, all the attributes set for the user’s group and for all the groups up the hierarchy will be placed into the user session. If an attribute is found in several levels of the hierarchy, the uppermost group value will be used. Hence, overriding the attribute values at the lower levels of the hierarchy is impossible. The framework prints a warning message to the server log if it encounters an attempt to override an attribute value.

Session attributes can be defined together with constraints in a class that is used to define the access group. The class must be located in the core module. Below is an example of an access group that defines the accessLevel session attribute with value 1:

@AccessGroup(name = "Level 1", parent = RootGroup.class)
public class FirstLevelGroup extends AnnotatedAccessGroupDefinition {

    @SessionAttribute(name = "accessLevel", value = "1", javaClass = Integer.class)
    public Map<String, Serializable> sessionAttributes() {
        return super.sessionAttributes();

Session attributes can also be defined at run time in the Access Groups screen: select the group to create the attribute for and go to the Session Attributes tab.

Session attributes can be accessed in the application code through the UserSession object:

private UserSessionSource userSessionSource;
Integer accessLevel = userSessionSource.getUserSession().getAttribute("accessLevel");

Session attributes can be used in the constraints as JPQL parameters with the session$ prefix:

{E}.accessLevel = :session$accessLevel