[英]Spring Security - when to clear SecurityContextHolder
我有一个控制器,并且正在从该控制器返回用户信息:
@RequestMapping(method = RequestMethod.GET)
Object getUserInfo() {
return SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
我已经使用OncePerRequestFilter创建了基于自定义令牌的身份验证:
package gbyf;
import gbyf.token.Token;
import gbyf.token.TokenRepository;
import gbyf.user.User;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class TokenAuthenticationFilter extends OncePerRequestFilter {
private final TokenRepository tokenRepository;
TokenAuthenticationFilter(TokenRepository tokenRepository) {
this.tokenRepository = tokenRepository;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
String tokenString = request.getHeader("token");
if(tokenString == null) {
// user is not authenticated, continue to filter
chain.doFilter(request, response);
return;
}
Token token = tokenRepository.findTokenByTokenValue(tokenString);
if(token == null) {
System.out.println("=====doFilterInternal()==== token is null, not authenticated");
} else {
System.out.println("=====doFilterInternal()==== token is NOT null");
User user = token.getUser();
if(user != null) {
Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
System.out.println("=====doFilterInternal()==== authenticated user");
}
}
super.doFilter(request, response, chain);
}
}
当我发送数据库中找到的正确令牌参数时,它会正确验证用户身份。 但是,由于另一个wrong令牌请求,服务器仍然发送旧的用户身份验证主体。 请求完成后,SecurityContextHolder不应刷新身份验证详细信息。
可能是什么问题?
您是否正在使用浏览器来调用API? 如果是这样,那么我认为正在为您的用户创建会话并通过cookie进行跟踪。 尝试使用无状态会话创建策略:
@Override
protected void configure(final HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
调用Spring SecurityContextHolder时发生NullPointerException
[英]NullPointerException when Spring SecurityContextHolder is called
在Spring应用程序中使用SecurityContextHolder的security util
[英]security util using SecurityContextHolder in spring application
Spring Security AuthenticationCredentialsNotFoundException,SecurityContextHolder.getContext为null
[英]Spring Security AuthenticationCredentialsNotFoundException, SecurityContextHolder.getContext is null
Spring security的SecurityContextHolder:会话或请求绑定?
[英]Spring security's SecurityContextHolder: session or request bound?
Spring Security SecurityContextHolder.getContext()。getAuthentication()返回null
[英]Spring Security SecurityContextHolder.getContext().getAuthentication() returns null
Spring-Security:SecurityContextHolder未填充匿名令牌,因为它已经包含
[英]Spring-Security : SecurityContextHolder not populated with anonymous token, as it already contained
Spring Security Update 2.x至3.2.5 SecurityContextHolder问题
[英]Spring Security Update 2.x to 3.2.5 SecurityContextHolder issue
具有Spring Security的应用程序是否在其中共享SecurityContextHolder
[英]Do applications with spring security share SecurityContextHolder among them
当 Spring SecurityContextHolder 在 getPrincipal 上返回 null 时,应该抛出哪个异常?
[英]Which exception should be thrown, when Spring SecurityContextHolder returns null on getPrincipal?
春季安全性:用户注册用户并在登录页面后重定向到后,SecurityContextHolder.getContext()。getAuthentication()返回null
[英]Spring Security: SecurityContextHolder.getContext().getAuthentication() returns null after user registering user and redirecting to after login page
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.