
Spring Security - when to clear SecurityContextHolder

I have a controller and I'm returning user info from that controller:

@RequestMapping(method = RequestMethod.GET)
Object getUserInfo() {
    return SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}

I have created custom token-based authentication using OncePerRequestFilter:

package gbyf;

import gbyf.token.Token;
import gbyf.token.TokenRepository;
import gbyf.user.User;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class TokenAuthenticationFilter extends OncePerRequestFilter {

    private final TokenRepository tokenRepository;

    TokenAuthenticationFilter(TokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {

        // The client sends its token in a request header named "token"
        String tokenString = request.getHeader("token");

        if(tokenString == null) {
            // no token presented: user is not authenticated, continue down the filter chain
            chain.doFilter(request, response);
            return;
        }

        // Look the token up in the database
        Token token = tokenRepository.findTokenByTokenValue(tokenString);

        if(token == null) {
            System.out.println("=====doFilterInternal()==== token is null, not authenticated");
        } else {

            System.out.println("=====doFilterInternal()==== token is NOT null");
            User user = token.getUser();

            if(user != null) {
                // Build an already-authenticated token (credentials null) and put it in the holder
                Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                SecurityContextHolder.getContext().setAuthentication(auth);
                System.out.println("=====doFilterInternal()==== authenticated user");
            }
        }

        // Continue with the rest of the chain. Calling super.doFilter(...) here only works by
        // accident (OncePerRequestFilter sees its "already filtered" attribute and skips itself);
        // the chain is what should be invoked.
        chain.doFilter(request, response);
    }

}

When I send a correct token parameter that is found in the database, it correctly authenticates the user. But with another request carrying a wrong token, the server still sends the old user authentication principals. Shouldn't SecurityContextHolder flush the authentication details after the request is done?

What can be the problem?

Are you using a browser to call the API? If so, then I think a session is being created for your user and is being tracked via cookies. Try to use the stateless session creation policy:

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
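To show how the answer's setting fits together with the question's filter, here is an added, complete security configuration (example code written for this page, not from the asker or the answerer). It assumes Spring Security 5.x with the `javax.servlet` API and the `gbyf` types from the question; the class name `StatelessTokenSecurityConfig` and the 401 response on an invalid token are my own choices. It registers the filter in the security filter chain, switches the session policy to STATELESS so no `HttpSession` can carry a previous request's `SecurityContext` forward, and explicitly clears the holder when a header is present but the token does not resolve to a user.

```java
package gbyf;

import gbyf.token.Token;
import gbyf.token.TokenRepository;
import gbyf.user.User;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical config class name; the gbyf types come from the question above.
@Configuration
@EnableWebSecurity
public class StatelessTokenSecurityConfig extends WebSecurityConfigurerAdapter {

    private final TokenRepository tokenRepository;

    public StatelessTokenSecurityConfig(TokenRepository tokenRepository) {
        this.tokenRepository = tokenRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // STATELESS: Spring Security neither creates a session nor reads/writes the
            // SecurityContext to one, so every request starts with an empty context.
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Put the token filter inside the security chain so SecurityContextPersistenceFilter
            // still runs before it and clears the holder after the request completes.
            .addFilterBefore(new TokenAuthenticationFilter(tokenRepository),
                             UsernamePasswordAuthenticationFilter.class)
            // Without an authorization rule an unauthenticated request would reach the
            // controller and getAuthentication() could be null there.
            .authorizeRequests()
                .anyRequest().authenticated();
    }

    // Same shape as the filter in the question, with the invalid-token path made explicit.
    static class TokenAuthenticationFilter extends OncePerRequestFilter {

        private final TokenRepository tokenRepository;

        TokenAuthenticationFilter(TokenRepository tokenRepository) {
            this.tokenRepository = tokenRepository;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String tokenString = request.getHeader("token");

            if (tokenString == null) {
                // No token presented: stay anonymous and let the authorization rules decide.
                chain.doFilter(request, response);
                return;
            }

            Token token = tokenRepository.findTokenByTokenValue(tokenString);
            User user = (token == null) ? null : token.getUser();

            if (user == null) {
                // A header was presented but is not valid. Drop anything already in the holder
                // and reject now rather than falling through with stale or anonymous identity.
                SecurityContextHolder.clearContext();
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
                return;
            }

            UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(auth);

            chain.doFilter(request, response);
        }
    }
}
```

The holder itself is already emptied at the end of each request by Spring's own context filter; what survived between the asker's requests was the `SecurityContext` saved into the `HttpSession` and sent back by the browser's cookie. With `STATELESS` that repository is a no-op, so the only manual `clearContext()` still worth having is the one on the invalid-token branch, which prevents a context set earlier in the same request (for example by a preceding filter) from being reused.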
