Java Spring Security's SecurityContextHolder: session or request bound?
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must also follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
Original: http://stackoverflow.com/questions/6408007/
Asked by chzbrgla
Is the UserPrincipal I retrieve from SecurityContextHolder bound to requests or to sessions?
UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
This is the way I access the currently logged in user. Will this invalidate if the current session is destroyed?
Accepted answer by Ralph
It depends on how you configured it (or let's say, you can configure a different behaviour).
In a Web application you will use the ThreadLocalSecurityContextHolderStrategy which interacts with SecurityContextPersistenceFilter.
The Java Doc of SecurityContextPersistenceFilter starts with:
Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.
Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (I have found in the default libs)
It works like this:
- The HttpSessionSecurityContextRepository uses the HttpSession (Key="SPRING_SECURITY_CONTEXT") to store a SecurityContext object.
- The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository, for example the HttpSessionSecurityContextRepository, to load and store SecurityContext objects. If an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
- The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-Context methods.
- For example the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.
So in summary: The user principal (element of SecurityContext) is stored in the HTTP Session. And for each request it is put in a thread local from where you access it.
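The lifecycle the answer describes, as an added example that is not from the original post or from Spring Security itself: a JDK-only model of the session repository, the persistence filter and the thread-local holder. The class, method and session names are hypothetical stand-ins, and it assumes a container that reuses a single worker thread across requests; it also shows what an invalidated session and a skipped clear do to the value the question's code reads.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ContextBindingDemo {
    // Session attribute key the answer names for HttpSessionSecurityContextRepository.
    static final String SESSION_KEY = "SPRING_SECURITY_CONTEXT";
    // Stand-in for SecurityContextHolder under ThreadLocalSecurityContextHolderStrategy;
    // the SecurityContext is reduced to the principal's name for this model.
    static final ThreadLocal<String> HOLDER = new ThreadLocal<>();
    // Stand-in for one pass through SecurityContextPersistenceFilter plus application code.
    // The HttpSession is modelled as a plain attribute map that outlives any single request.
    static String handleRequest(Map<String, Object> session, boolean clearHolder) {
        // Filter entry: copy the context from the session (the repository) into the thread local.
        String stored = (String) session.get(SESSION_KEY);
        if (stored != null) HOLDER.set(stored);
        try {
            // Application code reads the principal through the holder, as in the question.
            return HOLDER.get();
        } finally {
            // Filter exit: store the context back to the session, then clear the holder so a
            // pooled container thread cannot hand this principal to the next request it serves.
            if (HOLDER.get() != null) session.put(SESSION_KEY, HOLDER.get());
            if (clearHolder) HOLDER.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        // A single worker thread stands in for the container's pool and makes reuse deterministic.
        ExecutorService worker = Executors.newSingleThreadExecutor();
        Map<String, Object> aliceSession = new HashMap<>();   // constructed: a logged-in session
        aliceSession.put(SESSION_KEY, "alice");
        Map<String, Object> anonSession = new HashMap<>();    // constructed: no context stored yet
        // Normal behaviour: each request sees only what its own session holds.
        String a = worker.submit(() -> handleRequest(aliceSession, true)).get();
        String b = worker.submit(() -> handleRequest(anonSession, true)).get();
        System.out.println("alice session: " + a + ", anonymous session: " + b);
        // Session destroyed: the next request repopulates the thread local from an empty session.
        aliceSession.clear();
        System.out.println("alice after invalidation: " + worker.submit(() -> handleRequest(aliceSession, true)).get());
        // Failure mode: skipping the clear leaves the previous principal on the reused thread,
        // and the filter exit even writes it into the other session.
        aliceSession.put(SESSION_KEY, "alice");
        worker.submit(() -> handleRequest(aliceSession, false)).get();
        System.out.println("anonymous session, no clear: " + worker.submit(() -> handleRequest(anonSession, false)).get());
        worker.shutdown();
    }
}
```

Compile and run with `javac ContextBindingDemo.java && java ContextBindingDemo`; the last line is the case the filter's clearing step exists to prevent.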