堆栈内存溢出
  简体   繁体   English

Acegi / Spring安全性是否支持getUserPrincipal()?

[英]Does Acegi/Spring security support getUserPrincipal()?

 原文  2009-03-11 20:16:36       java/ security/ spring/ servlets/ spring-security

问题描述

I need to interface an existing application with Acegi/Spring security. 我需要使用Acegi / Spring安全性连接现有应用程序。

In order to get started I am looking for one simple piece of information: in this context, will HttpServletRequest.getUserPrincipal() called from my application properly return the username obtained through Spring (as opposed to using Spring-specific objects)? 为了开始,我正在寻找一个简单的信息:在这个上下文中,从我的应用程序调用的HttpServletRequest.getUserPrincipal()是否正确返回通过Spring获得的用户名(而不是使用特定于Spring的对象)? I have Googled conflicting information on this. 我用Google搜索了相互矛盾的信息。

I assume that if Acegi is implemented with filters, it is able to overload the Servlet API's getUserPrincipal(), right? 我假设如果使用过滤器实现Acegi,它可以重载Servlet API的getUserPrincipal(),对吗?

Subsidiary question: if this is not the case by default, is there any way to turn it on? 附属问题:如果默认不是这种情况,有没有办法打开它?

Thanks, 谢谢,

-Erik -Erik

3 个解决方案

解决方案1
 6 已采纳  2009-04-10 11:03:36

As previous user has answer, spring security support the getUserPrincipal and isUserInRole. 正如之前的用户所回答的那样,spring security支持getUserPrincipal和isUserInRole。 Here is how spring security does it. 以下是Spring安全性的方法。

When you configure spring, it can load the following filters: 配置spring时,它可以加载以下过滤器:

http://static.springframework.org/spring-security/site/reference/html/ns-config.html#filter-stack http://static.springframework.org/spring-security/site/reference/html/ns-config.html#filter-stack

As part of the standard filter configuration the SecurityContextHolderAwareRequestFilter filter is loaded. 作为标准过滤器配置的一部分,将加载SecurityContextHolderAwareRequestFilter过滤器。

Examining the filter @ https://fisheye.springsource.org/browse/spring-security/tags/spring-security-parent-2.0.4/core/src/main/java/org/springframework/security/wrapper/SecurityContextHolderAwareRequestFilter.java?r=2514 检查过滤器@ https://fisheye.springsource.org/browse/spring-security/tags/spring-security-parent-2.0.4/core/src/main/java/org/springframework/security/wrapper/SecurityContextHolderAwareRequestFilter。 java吗?R = 2514

You can see it wraps and changes the HttpServletRequest object to the SecurityContextHolderAwareRequestWrapper class which extends HttpServletRequestWrapper which implements HttpServletRequest and feed it back to the standard Servlet Filter doFilter chain. 你可以看到它包装和改变HttpServletRequest对象的SecurityContextHolderAwareRequestWrapper延伸类HttpServletRequestWrapper它实现HttpServletRequest并反馈到标准的Servlet过滤器的doFilter链。 Since spring security filter should be configured as the first filter, all subsequent classes will see the SecurityContextHolderAwareRequestWrapper instead. 由于spring安全过滤器配置为第一个过滤器,因此所有后续类都将看到SecurityContextHolderAwareRequestWrapper This includes JSP pages or Servlets behind this filter. 这包括此过滤器后面的JSP页面或Servlet。

When you make a call to isUserInRole or getUserPrincipal from the JSP page, Servlet or any framework behind this filter, it is calling the HttpServletRequest implementation from Spring Security. 当您从JSP页面,Servlet或此过滤器后面的任何框架调用isUserInRolegetUserPrincipal ,它将从Spring Security调用HttpServletRequest实现。

解决方案2
 1  2009-03-12 12:52:47

If you use the security filter, yes it does. 如果您使用安全过滤器,是的确如此。 I believe this is the default behavior. 我相信这是默认行为。

Exactly which class you're getting back depends on your configuration, but they all implement the Principal interface by way of Spring's own org.springframework.security.Authentication interface which extends it. 究竟哪个类取决于你的配置,但它们都通过Spring自己的org.springframework.security.Authentication接口实现了Principal接口,扩展了它。

I've used request.getUserPrincipal() and request.isUserInRole() in a Spring application and it works seamlessly, even within JSPs. 我在Spring应用程序中使用了request.getUserPrincipal()和request.isUserInRole(),它可以无缝地工作,即使在JSP中也是如此。

解决方案3
 0  2009-03-19 16:23:02

I do believe that Spring Security stores this information in the SecurityContext and not in the request though. 我相信Spring Security会将此信息存储在SecurityContext中,而不是存储在请求中。 You could easily write a FilterSecurityInterceptor that can be configured to add this info to the request also. 您可以轻松编写FilterSecurityInterceptor,可以将其配置为将此信息添加到请求中。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring Security request.getUserPrincipal()始终为null - Spring Security request.getUserPrincipal() always null acegi 是否使用与 Spring 不同的 session? - Does acegi use a different session from Spring? 为什么acegi(Spring Security)在比较之前将密码转换为大写? - Why acegi (Spring Security) converts password to uppercase before comparing? LDAP是否支持BCrypt? 尝试在Java Spring Security中实现BCrypt - Does LDAP Support BCrypt? Trying to implement BCrypt in Java Spring Security 春季启动和安全性中的 CORS 支持 - CORS support in spring boot and security Spring Security CSRF支持手动安全配置 - Spring Security CSRF support for manual security configuration acegi安全性登录,无需手动输入密码 - acegi security login without manual password entering 配置acegi安全性以将成功登录存储到数据库 - Configuring acegi security to store successful logins to DB 在grails外部使用grails安全模型(acegi) - using grails security model (acegi) outside of grails 春季安全性不进行身份验证 - spring security does not authenticate
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM