Spring security's SecurityContextHolder: session or request bound?


Problem description

Is the Userprincipal I retrieve from SecurityContextHolder bound to requests or to sessions?

UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();

This is the way I access the currently logged in user. Will this invalidate if the current session is destroyed?

Recommended answer

It depends on how you configured it (or let's say, you can configure a different behaviour).

In a Web application you will use the ThreadLocalSecurityContextHolderStrategy which interacts with SecurityContextPersistenceFilter.

The Javadoc of SecurityContextPersistenceFilter starts with:

Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.

Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (that I found in the default libs).

It works like this:

  • The HttpSessionSecurityContextRepository uses the httpSession (Key="SPRING_SECURITY_CONTEXT") to store a SecurityContext object.
  • The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository, for example the HttpSessionSecurityContextRepository, to load and store SecurityContext objects. If an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
  • The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-Context methods. For example, the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.

So in summary: The user principal (element of SecurityContext) is stored in the HTTP Session. And for each request it is put in a thread local from where you access it.
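
The lifecycle described in the answer can be checked with Spring's mock servlet classes. This is an added example, not code from the original question or answer: it seeds a session with a SecurityContext, runs requests through SecurityContextPersistenceFilter, and prints what SecurityContextHolder returns during the request, after it, and for a request that arrives once the session is destroyed. It assumes spring-security-web and spring-test are on the classpath; the class name ContextBindingDemo, the helper method and the user "alice" are constructed for illustration.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;

public class ContextBindingDemo {

    // Same wiring the answer describes: the filter backed by the HTTP-session repository.
    static final SecurityContextPersistenceFilter FILTER =
            new SecurityContextPersistenceFilter(new HttpSessionSecurityContextRepository());

    // Sends one request through the filter; returns the principal name visible
    // to downstream code via SecurityContextHolder, or null if there is none.
    static String principalSeenDuringRequest(MockHttpSession session) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        if (session != null) {
            request.setSession(session);
        }
        String[] seen = {null};
        FILTER.doFilter(request, new MockHttpServletResponse(), (req, res) -> {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            seen[0] = (auth == null) ? null : auth.getName();
        });
        return seen[0];
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a session that already holds an authenticated context.
        MockHttpSession session = new MockHttpSession();
        SecurityContext stored = SecurityContextHolder.createEmptyContext();
        stored.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER")));
        session.setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, stored);

        // During the request the filter has copied the session's context into the holder.
        System.out.println("during request:    " + principalSeenDuringRequest(session));
        // After the request the filter has cleared the thread-local holder again.
        System.out.println("after request:     "
                + SecurityContextHolder.getContext().getAuthentication());
        // Session destroyed: the next request has nothing to load the context from.
        session.invalidate();
        System.out.println("session destroyed: " + principalSeenDuringRequest(null));
    }
}
```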
