What's the "principal" in Spring Security?


Question

I'm really new to Spring and Spring Security. I was reading about Spring Security and the concept of principal came up, which should be the currently logged-in user. But what if we have more than one currently logged-in user? So, my question is, what exactly is the principal in Spring Security then?

I've read for example this tutorial:


http://www.mkyong.com/spring-security/get-current-logged-in-username-in-spring-security/

and they seem to take into account that there's just one current logged user, which isn't often the case.

How do I retrieve a specific user? And how do I differentiate between users that are doing requests?

Recommended answer

The principal is the currently logged in user. However, you retrieve it through the security context which is bound to the current thread and as such it's also bound to the current request and its session.

SecurityContextHolder.getContext() internally obtains the current SecurityContext implementation through a ThreadLocal variable. Because a request is bound to a single thread this will get you the context of the current request.

To simplify you could say that the security context is in the session and contains user/principal and roles/authorities.


How do I retrieve a specific user?

You don't. All APIs are designed to allow access to the user & session of the current request. Let user A be one of 100 currently authenticated users. If A issues a request against your server it will allocate one thread to process that request. If you then do SecurityContextHolder.getContext().getAuthentication() you do so in the context of this thread. By default from within that thread you don't have access to the context of user B which is processed by a different thread.


And how do I differentiate between users that are doing requests?

You don't have to, that's what the Servlet container does for you.
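
The thread-bound lookup described in the answer above, shown as an added example (not code from the original answer or from Spring Security itself). It assumes Spring Security is on the classpath with the default thread-local holder strategy; the class name, user names, roles and the two-thread pool standing in for request threads are constructed for illustration.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class PrincipalPerThreadDemo {

    // Stands in for what happens around each request: populate the context
    // for this thread, run the handler, then clear the context again.
    static String handleRequest(String username, String role) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(new UsernamePasswordAuthenticationToken(
                username, "n/a", AuthorityUtils.createAuthorityList(role)));
        SecurityContextHolder.setContext(context);
        try {
            return whoAmI();
        } finally {
            // Pooled threads are reused; without this the next task on the
            // same thread would inherit the previous user's identity.
            SecurityContextHolder.clearContext();
        }
    }

    // Application code never passes a user around: it asks the holder,
    // which answers for the calling thread only.
    static String whoAmI() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String thread = Thread.currentThread().getName();
        return auth == null
                ? thread + " -> no principal"
                : thread + " -> " + auth.getName() + " " + auth.getAuthorities();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        try {
            Future<String> a = pool.submit(() -> handleRequest("userA", "ROLE_USER"));
            Future<String> b = pool.submit(() -> handleRequest("userB", "ROLE_ADMIN"));
            System.out.println(a.get());
            System.out.println(b.get());
            // Runs on a reused pool thread after clearContext(): no identity is left behind.
            System.out.println(pool.submit(() -> whoAmI()).get());
        } finally {
            pool.shutdown();
        }
    }
}
```

Each task reports only the principal that was set on its own thread, and the final probe reports no principal because the context was cleared before the thread returned to the pool.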
