What's the "principal" in Spring Security?

I'm really new to Spring and Spring Security. I was reading about Spring Security and came across the concept of principal, which should be the current logged-in user. But what if we have more than one current logged-in user? So, my question is: what exactly is the principal in Spring Security?

I've read, for example, this tutorial:

http://www.mkyong.com/spring-security/get-current-logged-in-username-in-spring-security/

and they seem to take into account that there's just one current logged-in user, which isn't often the case.

How do I retrieve a specific user? And how do I differentiate between users that are doing requests?

The principal is the currently logged-in user. However, you retrieve it through the security context, which is bound to the current thread and, as such, is also bound to the current request and its session.

SecurityContextHolder.getContext() internally obtains the current SecurityContext implementation through a ThreadLocal variable. Because a request is bound to a single thread, this will get you the context of the current request.

To simplify, you could say that the security context is in the session and contains the user/principal and the roles/authorities.

How do I retrieve a specific user?

You don't. All APIs are designed to allow access to the user & session of the current request. Let user A be one of 100 currently authenticated users. If A issues a request against your server, it will allocate one thread to process that request. If you then do SecurityContextHolder.getContext().getAuthentication(), you do so in the context of this thread. By default, from within that thread you don't have access to the context of user B, which is processed by a different thread.

And how do I differentiate between users that are doing requests?

You don't have to; that's what the Servlet container does for you.

Brief definition of Principal:

A Principal represents a user's identity.

On a simple level it can be a String object holding the username, or it can be a more complex UserDetails object.
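The following is an added example, not code from either answer above. It is a stand-alone Java program that assumes spring-security-core is on the classpath; the class PrincipalDemo and the helper methods currentUsername and bindToCurrentThread are hypothetical names chosen for this illustration. It shows the two points made in the answers: the SecurityContext is a per-thread (ThreadLocal) value, so code running on one thread sees only "its" user and never another request's user, and the principal inside the Authentication may be either a plain String or a UserDetails object, so code that reads it should handle both.

```java
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class PrincipalDemo {

    /** Username of the principal bound to the calling thread, if there is one. */
    static Optional<String> currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return Optional.empty();
        }
        Object principal = auth.getPrincipal();
        if (principal instanceof UserDetails) {          // the usual case with a UserDetailsService
            return Optional.of(((UserDetails) principal).getUsername());
        }
        if (principal instanceof String) {               // the "simple level" case: just a username
            return Optional.of((String) principal);
        }
        return Optional.ofNullable(auth.getName());      // anything else: fall back to the token's name
    }

    /**
     * Mimics what the Spring Security filter chain does at the start of one request:
     * build an authenticated token and bind it to the current thread's context.
     * (Hypothetical helper for this demo; in an application the filters do this for you.)
     */
    static void bindToCurrentThread(Object principal, String... authorities) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                principal, null, AuthorityUtils.createAuthorityList(authorities));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
    }

    public static void main(String[] args) throws InterruptedException, ExecutionException {
        // Constructed sample user; not read from any real user store.
        UserDetails alice = User.withUsername("alice").password("{noop}secret").roles("USER").build();

        // "Request from A" handled on the main thread; the principal is a UserDetails object.
        bindToCurrentThread(alice, "ROLE_USER");
        System.out.println("main thread sees:       " + currentUsername().orElse("<none>")); // alice

        // A different thread has its own ThreadLocal slot, so it does not see A's context at all.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Future<String> other = pool.submit(() -> currentUsername().orElse("<none>"));
        System.out.println("other thread sees:      " + other.get());                       // <none>

        // The same pool thread now handles "request from B", whose principal is a plain String.
        Future<String> bob = pool.submit(() -> {
            bindToCurrentThread("bob", "ROLE_USER");
            try {
                return currentUsername().orElse("<none>");
            } finally {
                // Clear the context when the request is done; otherwise the next task
                // scheduled on this pooled thread would silently run as "bob".
                SecurityContextHolder.clearContext();
            }
        });
        System.out.println("B's thread sees:        " + bob.get());                         // bob
        System.out.println("main thread still sees: " + currentUsername().orElse("<none>")); // alice

        SecurityContextHolder.clearContext();
        pool.shutdown();
    }
}
```

The clearContext() call in the finally block is the part worth copying: inside a servlet container the filter chain clears the context at the end of each request, but any work you hand off to your own thread pool inherits nothing by default and must not leave a stale identity behind. If you deliberately need child threads to see the caller's context, SecurityContextHolder can be switched to its MODE_INHERITABLETHREADLOCAL strategy, at the cost of the same stale-identity risk on pooled threads.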
