[9] SecurityContextHolderAwareRequestFilter

Spring Security Principal详解

最新推荐文章于 2024-11-02 08:55:59 发布

原创最新推荐文章于 2024-11-02 08:55:59 发布 · 2.7w 阅读

2 ·

CC 4.0 BY-SA版权

spring security 专栏收录该内容

17 篇文章

订阅专栏

本文深入探讨Spring Security中SecurityContextHolderAwareRequestFilter的作用，解释其如何处理HttpServletRequest，使其支持Principal参数，以便Controller可以接收并使用。

SecurityContextHolderAwareRequestFilter

介绍

Spring Security TokenEndpoint中获取token的请求，有这样一个参数：Principal。对于一个普通HttpServletRequest，是没有Principal参数类型的。SecurityContextHolderAwareRequestFilter通过HttpServletRequestFactory将HttpServletRequest请求包装成SecurityContextHolderAwareRequestWrapper，它实现了HttpServletRequest，并进行了扩展，添加一些额外的方法，比如：getPrincipal()方法等。这样就可以那些需要Principal等参数的Controller就可以接收到对应参数了。除了这个地方的应用，在其他地方，也可以直接调用request#getUserPrincipal()获取对应信息。

代码分析

步骤1

SecurityContextHolderAwareRequestFilter#doFilter()方法很简单，主要操作都在requestFactory.create()方法之中。SecurityContextHolderAwareRequestFilter初始化后，通过Bean后置处理器调用updateFactory()方法，该方法以"ROLE_"为参数创建了一个HttpServlet3RequestFactory并设置为过滤器的HttpServletRequestFactory。

private String rolePrefix = "ROLE_";
private HttpServletRequestFactory requestFactory;

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    chain.doFilter(this.requestFactory.create((HttpServletRequest) req,
            (HttpServletResponse) res), res);
}

@Override
public void afterPropertiesSet() throws ServletException {
    super.afterPropertiesSet();
    updateFactory();
}

private void updateFactory() {
    String rolePrefix = this.rolePrefix;
    this.requestFactory = createServlet3Factory(rolePrefix);
}

private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
    HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
    factory.setTrustResolver(this.trustResolver);
    factory.setAuthenticationEntryPoint(this.authenticationEntryPoint);
    factory.setAuthenticationManager(this.authenticationManager);
    factory.setLogoutHandlers(this.logoutHandlers);
    return factory;
}

步骤2

当请求经过过滤器时，requestFactory#create()会把请求进行包装成Servlet3SecurityContextHolderAwareRequestWrapper，它继承自SecurityContextHolderAwareRequestWrapper，用户getUserPrincipal()、getRemoteUser()方法，这2个方法都是从上下文中获取对应的信息，SpringMvc的ServletRequestMethodArgumentResolver方法参数解析中也有用到getUserPrincipal()。当参数类型是Principal时，就会调用request#getUserPrincipal()，这样就可以填充到TokenEndpoint的对应方法里了，代码如下：

@Override
public HttpServletRequest create(HttpServletRequest request,
        HttpServletResponse response) {
    return new Servlet3SecurityContextHolderAwareRequestWrapper(request,
            this.rolePrefix, response);
}

private Authentication getAuthentication() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();

    if (!trustResolver.isAnonymous(auth)) {
        return auth;
    }

    return null;
}

@Override
public String getRemoteUser() {
    Authentication auth = getAuthentication();

    if ((auth == null) || (auth.getPrincipal() == null)) {
        return null;
    }

    if (auth.getPrincipal() instanceof UserDetails) {
        return ((UserDetails) auth.getPrincipal()).getUsername();
    }

    return auth.getPrincipal().toString();
}

@Override
public Principal getUserPrincipal() {
    Authentication auth = getAuthentication();

    if ((auth == null) || (auth.getPrincipal() == null)) {
        return null;
    }

    return auth;
}

else if (Principal.class.isAssignableFrom(paramType)) {
    Principal userPrincipal = request.getUserPrincipal();
    if (userPrincipal != null && !paramType.isInstance(userPrincipal)) {
        throw new IllegalStateException(
                "Current user principal is not of type [" + paramType.getName() + "]: " + userPrincipal);
    }
    return userPrincipal;
}