Spring Security:在多个ThreadLocals中使用相同的SecurityContext-instance,它如何工作? [英] Spring Security: same SecurityContext-instance in multiple ThreadLocals, how does that work?
问题描述
我对Spring Security 3.0.5和SecurityContext有一些疑问.首先,我会尝试总结一下我所知道的:
Ive some questions about Spring Security 3.0.5 and the SecurityContext. First of all, Ill try to conclude what I know:
- SecurityContextHolder存储SecurityContext
- 在请求之间,SecurityContext存储在HttpSession中
- 请求开始:SecurityContextHolder从HttpSession获取SecurityContext
-
请求结束:SecurityContextHolder将SecurityContext放入HttpSession
- SecurityContextHolder stores SecurityContext
- Between Request, SecurityContext is stored in HttpSession
- Begin of Request: SecurityContextHolder gets SecurityContext from HttpSession
End of Request: SecurityContextHolder puts SecurityContext in HttpSession
在请求期间,在服务器上,SecurityContextHolder使用ThreadLocal.在应用程序中的任何地方(相同的请求),都可以访问SecurityContext
During the Request, on the server, SecurityContextHolder uses a ThreadLocal. Everywhere in the application (same request), the SecurityContext can be accessed
现在我的问题....
->两个请求:SecurityContext-instance将被共享
--> Two Requests: the SecurityContext-instance will be shared
这是如何工作的?我的意思是,SecurityContextHolder为每个请求使用ThreadLocal. 2个请求= 2个ThreadLocals
How does this work? I mean, SecurityContextHolder uses a ThreadLocal for Each Request. 2 Request = 2 ThreadLocals
每个请求都执行:HttpSession中的getSessionAttribute(SecurityContext) 如果它们在SecurityContext上工作会怎样?是否在所有ThreadLocals中都更改了SecurityContext?
Each request does: getSessionAttribute (SecurityContext) from HttpSession What happens if they work on the SecurityContext? Is the SecurityContext changed in all ThreadLocals?
据我所知:是(??)
这是如何工作的?它们如何在同一实例上工作?我的意思是,我真的无法想象具有两个不同ThreadLocals的两个不同线程如何在同一个实例上工作?
How does this work? How can they work on the same instance? I mean, I really cant imagine how two different threads with two different ThreadLocals can work on the same instance?
API(ThreadLocal): 此类提供线程局部变量.这些变量与普通变量不同,因为每个访问一个线程(通过其get或set方法)的线程都有其自己的,独立初始化的变量副本.
API (ThreadLocal): This class provides thread-local variables. These variables differ from their normal counterparts in that each thread that accesses one (via its get or set method) has its own, independently initialized copy of the variable.
我的意思是,就这样:复制!也许我错了,并且两个线程不能在同一个SecurityContext上工作吗?但是Spring Security Documentation就是这样!
I mean, thats it: copy! maybe Im wrong and its not possible for two threads to work on the same SecurityContext? But Spring Security Documentation says so!
如果有人可以向我解释这一点,那就太好了:-)谢谢!
Would be great if someone could explain that to me :-) Thank you!
推荐答案
每个线程都有自己的值ThreadLocal,但是没有什么可以阻止这些值相等.因此,在这种情况下,多个线程将引用SecurityContext的相同实例.
Each thread has its own value of ThreadLocal, but nothing prevents these values from being equal. So, in this case multiple thread would have references to the same instance of SecurityContext.
通常这不是问题,但是如果您想修改安全上下文,则可以启用防御性复制,请参见
Usually it's not a problem, but if you want to modify security context, you can enable defensive copying, see SEC-356.
这篇关于Spring Security:在多个ThreadLocals中使用相同的SecurityContext-instance,它如何工作?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
