-1
我有一個控制器和我返回從控制器用戶信息:使用OncePerRequestFilter
春季安全 - 當清除SecurityContextHolder的
@RequestMapping(method = RequestMethod.GET)
Object getUserInfo() {
return SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}
我已創建自定義的基於令牌的認證:
package gbyf;
import gbyf.token.Token;
import gbyf.token.TokenRepository;
import gbyf.user.User;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class TokenAuthenticationFilter extends OncePerRequestFilter {
private final TokenRepository tokenRepository;
TokenAuthenticationFilter(TokenRepository tokenRepository) {
this.tokenRepository = tokenRepository;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
String tokenString = request.getHeader("token");
if(tokenString == null) {
// user is not authenticated, continue to filter
chain.doFilter(request, response);
return;
}
Token token = tokenRepository.findTokenByTokenValue(tokenString);
if(token == null) {
System.out.println("=====doFilterInternal()==== token is null, not authenticated");
} else {
System.out.println("=====doFilterInternal()==== token is NOT null");
User user = token.getUser();
if(user != null) {
Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
System.out.println("=====doFilterInternal()==== authenticated user");
}
}
super.doFilter(request, response, chain);
}
}
當我發送了在數據庫中找到的正確的令牌參數,它正確地驗證了用戶。但與另一個wrong
令牌請求,服務器仍然發送舊的用戶驗證主體。 SecurityContextHolder不應該在請求完成後刷新認證細節。
可能是什麼問題?