Spring security's SecurityContextHolder: session or request bound?


Question

Is the Userprincipal I retrieve from SecurityContextHolder bound to requests or to sessions?

UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();

This is the way I access the currently logged in user. Will this invalidate if the current session is destroyed?

Accepted answer

It depends on how you configured it (or let's say, you can configure a different behaviour).

In a Web application you will use the ThreadLocalSecurityContextHolderStrategy which interacts with SecurityContextPersistenceFilter.

The Java Doc of SecurityContextPersistenceFilter starts with:

Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.

By the way: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (that I found in the default libraries).

This is how it works:

  • The HttpSessionSecurityContextRepository uses the httpSession (Key="SPRING_SECURITY_CONTEXT") to store a SecurityContext Object.
  • The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository, for example the HttpSessionSecurityContextRepository, to load and store SecurityContext Objects. If an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
  • The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-Context methods. - For example the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.

So in summary: The user principal (element of SecurityContext) is stored in the HTTP Session. And for each request it is put in a thread local from where you access it.
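The lifecycle the answer describes, as an added example that is not part of the original answer: one request stores the context in the HttpSession, a second request on the same session gets the principal back, a worker thread does not see the thread-local holder, and invalidating the session makes the next request anonymous again. It assumes Spring Security 5.x with javax.servlet and spring-test's mock servlet classes on the classpath; "alice" is a constructed test principal.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import javax.servlet.http.HttpSession;

public class ContextScopeDemo {
    public static void main(String[] args) throws InterruptedException {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();

        // Request 1: no session yet, so the repository hands back an empty context.
        MockHttpServletRequest req1 = new MockHttpServletRequest();
        HttpRequestResponseHolder h1 = new HttpRequestResponseHolder(req1, new MockHttpServletResponse());
        SecurityContext ctx = repo.loadContext(h1);
        // A login happens during the request ("alice" is a constructed test principal).
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER")));
        // When the request completes the filter saves the context: this creates the
        // HttpSession and stores the context under the "SPRING_SECURITY_CONTEXT" attribute.
        repo.saveContext(ctx, h1.getRequest(), h1.getResponse());
        HttpSession session = req1.getSession(false);
        System.out.println("stored in session: " + (session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY) != null));

        // Request 2 on the same session: the principal is restored from the session.
        MockHttpServletRequest req2 = new MockHttpServletRequest();
        req2.setSession(session);
        SecurityContext ctx2 = repo.loadContext(new HttpRequestResponseHolder(req2, new MockHttpServletResponse()));
        System.out.println("request 2 sees: " + ctx2.getAuthentication().getName());

        // The holder is per thread (MODE_THREADLOCAL): a worker thread does not see it.
        SecurityContextHolder.setContext(ctx2);
        Thread worker = new Thread(() -> System.out.println("worker thread sees: "
                + SecurityContextHolder.getContext().getAuthentication()));
        worker.start();
        worker.join();
        SecurityContextHolder.clearContext(); // what the filter does in its finally block

        // Destroying the session drops the stored context, so the next request is anonymous again.
        session.invalidate();
        MockHttpServletRequest req3 = new MockHttpServletRequest();
        req3.setSession(session);
        SecurityContext ctx3 = repo.loadContext(new HttpRequestResponseHolder(req3, new MockHttpServletResponse()));
        System.out.println("after invalidate: " + ctx3.getAuthentication());
    }
}
```

The worker thread prints a null authentication because the context was never copied into its thread local; switching the holder to MODE_INHERITABLETHREADLOCAL or propagating the context explicitly is what changes that, not the session.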
