晋江网站有什么职业做,学习网站开发教程,网站团队介绍,拍摄宣传片收费标准web如何取得用户信息
之前说过SecurityContextHolder默认使用的是ThreadLocal来进行存储的#xff0c;而且每次都会清除#xff0c;但是web每次请求都会验证用户权限#xff0c;这是如何做到的呢#xff1f;
这是通过SecurityContextPersistenceFilter来实现的#xff0…web如何取得用户信息
之前说过SecurityContextHolder默认使用的是ThreadLocal来进行存储的而且每次都会清除但是web每次请求都会验证用户权限这是如何做到的呢
这是通过SecurityContextPersistenceFilter来实现的每次请求过来都会session中来获取SecurityContext然后设置到SecurityContextHolder中请求结束后再清除掉
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)throws IOException, ServletException {HttpServletRequest request (HttpServletRequest) req;HttpServletResponse response (HttpServletResponse) res;if (request.getAttribute(FILTER_APPLIED) ! null) {// ensure that filter is only applied once per requestchain.doFilter(request, response);return;}request.setAttribute(FILTER_APPLIED, Boolean.TRUE);HttpRequestResponseHolder holder new HttpRequestResponseHolder(request,response);// 从session获取SecurityContextSecurityContext contextBeforeChainExecution repo.loadContext(holder);try {// 将SecurityContext存入SecurityContextHolderSecurityContextHolder.setContext(contextBeforeChainExecution);chain.doFilter(holder.getRequest(), holder.getResponse());}finally {SecurityContext contextAfterChainExecution SecurityContextHolder.getContext();// Crucial removal of SecurityContextHolder contents - do this before anything// else.SecurityContextHolder.clearContext();// 存储SecurityContextrepo.saveContext(contextAfterChainExecution, holder.getRequest(),holder.getResponse());request.removeAttribute(FILTER_APPLIED);}
}loadContext获取SecurityContext
使用HttpSessionSecurityContextRepository
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {HttpServletRequest request requestResponseHolder.getRequest();HttpServletResponse response requestResponseHolder.getResponse();HttpSession httpSession request.getSession(false);// 从session中获取SecurityContextSecurityContext context readSecurityContextFromSession(httpSession);if (context null) {context generateNewContext();}SaveToSessionResponseWrapper wrappedResponse new SaveToSessionResponseWrapper(response, request, httpSession ! null, context);requestResponseHolder.setResponse(wrappedResponse);return context;
}从session中获取SecurityContext
private SecurityContext readSecurityContextFromSession(HttpSession httpSession) {final boolean debug logger.isDebugEnabled();if (httpSession null) {return null;}// Session exists, so try to obtain a context from it.Object contextFromSession httpSession.getAttribute(springSecurityContextKey);if (contextFromSession null) {return null;}// Everything OK. The only non-null return from this method.return (SecurityContext) contextFromSession;
}存储SecurityContext
public void saveContext(SecurityContext context, HttpServletRequest request,HttpServletResponse response) {SaveContextOnUpdateOrErrorResponseWrapper responseWrapper WebUtils.getNativeResponse(response,SaveContextOnUpdateOrErrorResponseWrapper.class);if (!responseWrapper.isContextSaved()) {responseWrapper.saveContext(context);}
}protected void saveContext(SecurityContext context) {final Authentication authentication context.getAuthentication();HttpSession httpSession request.getSession(false);// See SEC-776if (authentication null || trustResolver.isAnonymous(authentication)) {if (httpSession ! null authBeforeExecution ! null) {// SEC-1587 A non-anonymous context may still be in the session// SEC-1735 remove if the contextBeforeExecution was not anonymoushttpSession.removeAttribute(springSecurityContextKey);}return;}if (httpSession null) {httpSession createNewSessionIfAllowed(context);}// If HttpSession exists, store current SecurityContext but only if it has// actually changed in this thread (see SEC-37, SEC-1307, SEC-1528)if (httpSession ! null) {// We may have a new session, so check also whether the context attribute// is set SEC-1561if (contextChanged(context)|| httpSession.getAttribute(springSecurityContextKey) null) {// 存到session中httpSession.setAttribute(springSecurityContextKey, context);}}
}https://zhhll.icu/2024/框架/springSecurity/7.web如何取得用户信息/
