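Spring Security: accessing the current authenticated user in a servlet Filter

I recently started learning Spring Security, and today I ran into this basic (I believe) question: why am I not able to access the current Principal within a Servlet Filter, as in the class below?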
package com.acme.test;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

@Component
public class TestFilter implements Filter {

    /*
     * (non-Javadoc)
     *
     * @see javax.servlet.Filter#init(javax.servlet.FilterConfig)
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // TODO Auto-generated method stub
    }

    /*
     * (non-Javadoc)
     *
     * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest,
     * javax.servlet.ServletResponse, javax.servlet.FilterChain)
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        SecurityContext securityContext = SecurityContextHolder.getContext();
        Authentication auth = securityContext.getAuthentication();
        // auth is null here
        chain.doFilter(request, response);
    }

    /*
     * (non-Javadoc)
     *
     * @see javax.servlet.Filter#destroy()
     */
    @Override
    public void destroy() {
        // TODO Auto-generated method stub
    }
}
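The Authentication object retrieved with Authentication auth = securityContext.getAuthentication(); is null. Using the above snippet in an MVC @Controller works fine (as expected).

Why is this happening?

I would take a look at the Spring Security filter chain, override the default Spring configuration, and insert your filter at the right place. The authentication is maybe only available at a certain place: http://docs.spring.io/spring-security/site/docs/3.1.x/reference/security-filter-chain.html – jpprade 2014-09-30 20:46:00

@jpprade Thanks. I am mostly interested in generic filters, so I don't want to override the security filters. It looks like (from the answer below) configuring the order of the filters works. – dimi 2014-10-01 08:30:18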
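
The filter-ordering point raised in the comments, as an added example that is not part of the original post or its answers: a filter placed inside the Spring Security chain, after the security context has been populated, sees a non-null Authentication. It assumes Spring Security 3.2+ Java configuration with WebSecurityConfigurerAdapter; SecurityConfig, PrincipalAwareFilter and the currentUser request attribute are hypothetical names.

```java
package com.acme.test;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical configuration class (assumption: Spring Security 3.2+ Java config).
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .and()
            // Position the filter after the context has been loaded and the
            // authentication filters have run, so getAuthentication() is set.
            .addFilterAfter(new PrincipalAwareFilter(), AnonymousAuthenticationFilter.class);
    }

    // Deliberately not a @Component: the instance is registered only inside the
    // security chain, so it cannot also run ahead of it with an empty context.
    static class PrincipalAwareFilter extends GenericFilterBean {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // At this position an unauthenticated caller carries an anonymous
            // token rather than null, so test for it explicitly.
            boolean loggedIn = auth != null && auth.isAuthenticated()
                    && !(auth instanceof AnonymousAuthenticationToken);
            // "currentUser" is a hypothetical attribute name for downstream code.
            request.setAttribute("currentUser", loggedIn ? auth.getName() : null);
            chain.doFilter(request, response);
        }
    }
}
```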