Spring Security's SecurityContextHolder: session or request bound?
Question
Is the UserPrincipal I retrieve from SecurityContextHolder bound to requests or to sessions?
UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
This is the way I access the currently logged-in user. Will this be invalidated if the current session is destroyed?
Accepted answer
It depends on how you configured it (or let's say, you can configure a different behaviour).
In a web application you will use the ThreadLocalSecurityContextHolderStrategy, which interacts with SecurityContextPersistenceFilter.
The Javadoc of SecurityContextPersistenceFilter starts with:
Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.
By the way: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (that I found in the default library).
It works like this:
- The HttpSessionSecurityContextRepository uses the HttpSession (key "SPRING_SECURITY_CONTEXT") to store a SecurityContext object.
- The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository, for example the HttpSessionSecurityContextRepository, to load and store SecurityContext objects. When an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
- The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-context methods. For example, the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.
So in summary: the user principal (an element of the SecurityContext) is stored in the HTTP session, and for each request it is put in a thread local, from where you access it.
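A minimal model of the load/store cycle described in this answer, added here as an illustration that is not Spring's code or the answerer's: HolderDemo, ContextDemo, loadContext, saveContext and doFilter are hypothetical stand-ins for SecurityContextHolder, SecurityContext, HttpSessionSecurityContextRepository and SecurityContextPersistenceFilter, and the HttpSession is a plain Map. It also shows why the holder is cleared at the end of every request: the worker thread is pooled and serves other users' requests next.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Spring's code. Names ending in "Demo" are hypothetical stand-ins.
public class SecurityContextDemo {
    static final String SESSION_KEY = "SPRING_SECURITY_CONTEXT"; // the session key named above

    /** Stand-in for SecurityContext: holds only the principal's name. Needs Java 16+ (record). */
    record ContextDemo(String principal) {}

    /** Stand-in for SecurityContextHolder using the thread-local strategy. */
    static final class HolderDemo {
        private static final ThreadLocal<ContextDemo> CTX = new ThreadLocal<>();
        static void setContext(ContextDemo c) { CTX.set(c); }
        static ContextDemo getContext() { return CTX.get(); }
        static void clearContext() { CTX.remove(); } // worker threads are pooled, so this must run
    }

    /** Stand-in for HttpSessionSecurityContextRepository; the HttpSession is a Map here. */
    static ContextDemo loadContext(Map<String, Object> session) {
        return (ContextDemo) session.get(SESSION_KEY);
    }
    static void saveContext(Map<String, Object> session, ContextDemo c) {
        if (c == null) session.remove(SESSION_KEY); else session.put(SESSION_KEY, c);
    }

    /** Stand-in for SecurityContextPersistenceFilter: load, run the request, store back, clear. */
    static void doFilter(Map<String, Object> session, Runnable request) {
        HolderDemo.setContext(loadContext(session));
        try {
            request.run();
        } finally {
            saveContext(session, HolderDemo.getContext());
            HolderDemo.clearContext(); // the thread must not carry this user's context onward
        }
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        // Request 1: a login handler sets the principal; the filter persists it into the session.
        doFilter(session, () -> HolderDemo.setContext(new ContextDemo("alice")));
        System.out.println("stored in session: " + session.get(SESSION_KEY));
        System.out.println("on the thread between requests: " + HolderDemo.getContext());
        // Request 2 on the same session: the filter restores the principal before the handler runs.
        doFilter(session, () -> System.out.println("request 2 sees: " + HolderDemo.getContext()));
        // Session destroyed (modelled as a new, empty session): the next request sees no principal.
        doFilter(new HashMap<>(), () -> System.out.println("after session loss: " + HolderDemo.getContext()));
    }
}
```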