您的位置: 首页  >  技术问答  >  Spring Security:在Servlet过滤器中访问当前经过身份验证的用户

Spring Security:在Servlet过滤器中访问当前经过身份验证的用户

分类: 技术问答 2022-03-29 16:00:53

Spring Security:在Servlet过滤器中访问当前经过身份验证的用户

问题描述:

我最近开始学习Spring Security,今天我提出了一个基本(我相信)的问题:为什么我不能在Servlet过滤器中访问当前的Principal,如以下类所示:

I recently started learning about Spring Security and today I stepped on this basic (I believe) question: Why can't I access the current Principal inside a Servlet Filter as demonstrated in the class below:

package com.acme.test;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component
public class TestFilter implements Filter {

    /*
     * (non-Javadoc)
     * 
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // TODO Auto-generated method stub

    }

    /*
     * (non-Javadoc)
     * 
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
     * javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {

        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication auth = securityContext.getAuthentication();

        // auth is null here

        chain.doFilter(request, response);
    }

    /*
     * (non-Javadoc)
     * 
     * @see javax.servlet.Filter#destroy()
     */
    @Override
    public void destroy() {
        // TODO Auto-generated method stub

    }

}

使用 Authentication auth = securityContext.getAuthentication(); 检索的Authentication对象为null.在MVC @Controller中使用上面的代码片段时,效果很好(如预期的那样).

The Authentication object retrieved with Authentication auth = securityContext.getAuthentication(); is null. While using the above snippet inside an MVC @Controller works just fine (as expected).

为什么会这样?

doFilter内:

HttpServletRequest request = (HttpServletRequest) request;
HttpSession session = request.getSession(false);

SecurityContextImpl sci = (SecurityContextImpl) session.getAttribute("SPRING_SECURITY_CONTEXT");

if (sci != null) {
        UserDetails cud = (UserDetails) sci.getAuthentication().getPrincipal();
        // do whatever you need here with the UserDetails
}

希望这会有所帮助

相关推荐