
Spring authentication with HandlerInterceptor or AbstractAuthenticationProcessingFilter

What is the difference in usage between Spring's org.springframework.web.servlet.HandlerInterceptor and org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter?

I am planning to add authentication to my application. But the HandlerInterceptor doc says:

In an async processing scenario, the handler may be executed in a separate thread while the main thread exits without rendering or invoking the postHandle and afterCompletion callbacks.

So in this case, if the handler executes in a separate thread, I find the HandlerInterceptor is not suitable for authentication.

What would be the best way to implement authentication?

Short answer: Use Spring Security. It supports Servlet 3.x Asynchronous Request Processing out of the box. See the documentation.

Long answer: HandlerInterceptor and AbstractAuthenticationProcessingFilter may be used for the same purpose, but normally in a Spring-based project authentication/authorization is handled by Spring Security (AbstractAuthenticationProcessingFilter).

HandlerInterceptor belongs to Spring MVC and, from what I've seen so far in my career, is used for custom logging, time measurement, HTTP header manipulation or (user) request context enhancement. A HandlerInterceptor may be placed before all or a specific Spring MVC controller and "lives" within the DispatcherServlet.

In contrast, Spring Security's filter chain integrates with javax.servlet.Filter. A simplified request flow looks like this:

Container connector
         V
Filter (Spring Security)
         V
DispatcherServlet (Spring MVC)
         V
HandlerInterceptor (Spring MVC)
         V
Controller (Spring MVC)

Spring Security may be used independently from Spring MVC (take a look at AbstractAuthenticationProcessingFilter and you can see that it derives from GenericFilterBean, which in turn implements Filter). That said, you can incorporate authentication/authorization with Spring Security in any other web framework, e.g. JSF, GWT, Vaadin.

Primarily, Spring Security is used in

a Java EE-based enterprise software application

but you can use it in a desktop application like Swing too. Honestly, I haven't seen it so far.

In my opinion, you should rely on a mature and feature-rich framework like Spring Security or Apache Shiro for authentication/authorization. Most of the time such frameworks already have all the features your project requires. A popular framework that is used by many people reduces the probability of severe bugs or security holes due to frequent bug reports and security checks. Please don't reinvent the wheel, which usually can't keep up the pace in regard to the software quality and flexibility of a grown framework.
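
An added example, not part of the original question or answer: a sketch of authentication done at the servlet Filter level by subclassing AbstractAuthenticationProcessingFilter, so the decision is made before the request reaches the DispatcherServlet and any async handler thread. It assumes Spring Security 5.x on javax.servlet; the class name, the X-Auth-Token header, the /api/** path and an AuthenticationManager that can validate a PreAuthenticatedAuthenticationToken (injected with setAuthenticationManager) are assumptions.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Hypothetical filter: authenticates every request under /api/** from a header token.
// Call setAuthenticationManager(...) before use; the base class refuses to start without one.
public class HeaderTokenAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    private static final String TOKEN_HEADER = "X-Auth-Token"; // assumed header name

    public HeaderTokenAuthenticationFilter() {
        super(new AntPathRequestMatcher("/api/**")); // assumed protected path
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String token = request.getHeader(TOKEN_HEADER);
        if (token == null || token.isEmpty()) {
            throw new BadCredentialsException("Missing " + TOKEN_HEADER + " header");
        }
        // The two-argument token is unauthenticated; the AuthenticationManager decides.
        // Any AuthenticationException ends in the default failure handling (HTTP 401).
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken(token, "N/A"));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        // The default success handler redirects, which suits form login but not per-request
        // token authentication: store the result and let the request continue down the chain.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        chain.doFilter(request, response);
    }
}
```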
