WebAsyncManagerIntegrationFilter是Spring MVC中处理异步请求的关键组件,它与SecurityContextHolder结合,确保在异步任务中能获取到安全上下文信息。通过SecurityContextCallableProcessingInterceptor在异步调用前后保存和清除SecurityContext,使得WebAsyncTask能在不同线程中正确获取到用户认证信息,而Runnable则无法做到这一点。
WebAsyncManagerIntegrationFilter
介绍
字面意思这是一个Web异步管理集成过滤器,翻译成中文依然很抽象。我们从ThreadLocal讲起,ThreadLocal可以理解为一个与当前线程绑定的Map, key是当前线程,value是要存储的object。当我们在同一个线程中,可以通过get()方法获取到value。如果在A线程set(object),然后在B线程中调用get(),由于线程已切换,key是A,拿B自然取不出key为A的value。对于一个SSO系统,我们常常把当前登录的用户相关信息放到ThreadLocal中,避免每次使用的时候都去调RPC接口或者DB接口去查询。Spring Security的SecurityContextHolder就是通过ThreadLocal实现的。
WebAsyncManager,Spring文档有这么一句话:The central class for managing asynchronous request processing, mainly intended as an SPI and not typically used directly by application classes. 它主要用于异步请求,笔者发现这个东西在spring mvc请求分发处理中用到很多,时间有限,笔者也没有深入的了解,我们的主要关注点是WebAsyncManagerIntegrationFilter。
代码分析
步骤1
WebAsyncManagerIntegrationFilter#doFilterInternal()关键代码如下:
@Override
protected void doFilterInternal(HttpServletRequest request,
HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
WebAsyncManager asyncManager = WebAsyncUtils.getAsyncManager(request);
SecurityContextCallableProcessingInterceptor securityProcessingInterceptor = (SecurityContextCallableProcessingInterceptor) asyncManager
.getCallableInterceptor(CALLABLE_INTERCEPTOR_KEY);
if (securityProcessingInterceptor == null) {
asyncManager.registerCallableInterceptor(CALLABLE_INTERCEPTOR_KEY,
new SecurityContextCallableProcessingInterceptor());
}
filterChain.doFilter(request, response);
}
步骤2
SecurityContextCallableProcessingInterceptor,这个拦截器的关键作用,就是执行前后存储和清空SecurityContext,以便在WebAsyncTask异步调用中获取到SecurityContext,核心代码如下:
@Override
public <T> void beforeConcurrentHandling(NativeWebRequest request, Callable<T> task) {
if (securityContext == null) {
setSecurityContext(SecurityContextHolder.getContext());
}
}
@Override
public <T> void preProcess(NativeWebRequest request, Callable<T> task) {
SecurityContextHolder.setContext(securityContext);
}
@Override
public <T> void postProcess(NativeWebRequest request, Callable<T> task,
Object concurrentResult) {
SecurityContextHolder.clearContext();
}
private void setSecurityContext(SecurityContext securityContext) {
this.securityContext = securityContext;
}
步骤3
笔者做了一个实践,分别一个Runnable和WebAsyncTask中尝试从SecurityContextHolder获取当前登录用户,AuthHolder只是对SecurityContextHolder进行封装,本质上还是调用的SecurityContextHolder.get()获取线程上下文信息,代码如下:
@ApiOperation("[WebAsyncTask]异步获取上下文用户信息")
@GetMapping("/web_async_task")
public WebAsyncTask getContextByWebAsyncTask() {
log.info("1:main线程开始[{}]", Thread.currentThread());
WebAsyncTask<Oauth2User> task = new WebAsyncTask<>(300L, () -> {
log.info("1:WebAsyncTask异步线程[{}], 开始执行异步任务", Thread.currentThread().getName());
Oauth2User user = AuthHolder.user();
log.info("2:WebAsyncTask异步线程[{}], 任务执行完成, 结果:{}",
Thread.currentThread().getName(), JSON.toJSONString(user));
return user;
});
log.info("2:main线程结束[{}]", Thread.currentThread());
return task;
}
@ApiOperation("[Runnable]异步获取上下文用户信息")
@GetMapping("/runnable")
public R<Oauth2User> getContextByRunnable() throws Exception {
log.info("1:main线程开始[{}]", Thread.currentThread());
final List<Oauth2User> list = new ArrayList<>();
CountDownLatch latch = new CountDownLatch(1);
Thread async = new Thread(() -> {
try {
log.info("1:Runnable异步线程[{}], 开始执行异步任务", Thread.currentThread().getName());
Oauth2User user = AuthHolder.user();
list.add(user);
log.info("2:Runnable异步线程[{}], 任务执行完成, 结果:{}",
Thread.currentThread().getName(), JSON.toJSONString(user));
} finally {
latch.countDown();
}
});
async.start();
latch.await();
log.info("2:main线程结束[{}]", Thread.currentThread());
return R.success(list.isEmpty() ? null : list.get(0));
}
执行结果如下:
可以看出,WebAsyncTask从SecurityContextHolder获取到了身份认证信息,但Runnable却不可以。WebAsyncTask之所以能够在异步线程中从SecurityContextHolder中获取上下文信息,与WebAsyncManagerIntegrationFilter的作用密不可分。
扫一扫
1985
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
