Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-13 15:42:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor SecurityContextHolder to return a SecurityContext instead of Authentication.

Browse Source
This commit is contained in:
Ben Alex 2005-05-09 01:35:52 +00:00
parent fa6924a373
commit de6a258460
1 changed files with 30 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
doc/docbook/acegi.xml
View File

@ -342,51 +342,61 @@
<literal>ContextHolder</literal> was used will likely mean that <literal>ContextHolder</literal> was used will likely mean that
certain documentation you encounter concerning Acegi Security might certain documentation you encounter concerning Acegi Security might
still refer to <literal>ContextHolder</literal>. Generally you can still refer to <literal>ContextHolder</literal>. Generally you can
just substitute "<literal>SecurityContext</literal>" for just substitute "<literal>SecurityContextHolder</literal>" for
"<literal>ContextHolder</literal>" and you'll have the primary meaning "<literal>ContextHolder</literal>", and
of such documentation.</para> "<literal>SecurityContext</literal>" for
"<literal>SecureContext</literal>", and you'll have the primary
meaning of such documentation.</para>
</sect2> </sect2>
<sect2 id="security-contexts-security-context"> <sect2 id="security-contexts-security-context">
<title>SecurityContext</title> <title>SecurityContext</title>
<para>The Acegi Security System for Spring uses a <para>The Acegi Security System for Spring uses a
<literal>SecurityContext</literal> to store the <literal>SecurityContextHolder</literal> to store the
<literal>SecurityContext</literal>. The
<literal>SecurityContext</literal> contains a single getter/setter for
<literal>Authentication</literal>. All Acegi Security classes query <literal>Authentication</literal>. All Acegi Security classes query
the <literal>SecurityContext</literal> for obtaining the currently the <literal>SecurityContextHolder</literal> for obtaining the current
principal. <literal>SecurityContext</literal> is an <literal>SecurityContext</literal> (and in turn the principal).
<literal>SecurityContextHolder</literal> is an
<literal>InheritableThreadLocal</literal>, meaning it is associated <literal>InheritableThreadLocal</literal>, meaning it is associated
with the current thread of execution. with the current thread of execution. </para>
<literal>SecurityContext</literal> simply provides a single getter and
setter pair for the <literal>Authentication</literal> object.</para>
</sect2> </sect2>
<sect2 id="security-contexts-storage"> <sect2 id="security-contexts-storage">
<title>Context Storage</title> <title>Context Storage</title>
<para>Central to Acegi Security's design is that the contents of the <para>Central to Acegi Security's design is that the contents of the
<literal>SecurityContext</literal> (which is simply an <literal>SecurityContextHolder</literal> (which is simply a
<literal>Authentication</literal> object) can be stored between web <literal>SecurityContext</literal> implementation) can be stored
requests. This is so that a successfully authenticated principal can between web requests. This is so that a successfully authenticated
be identified on subsequent requests through the principal can be identified on subsequent requests through the
<literal>Authentication</literal> stored inside a <literal>Authentication</literal> stored inside the
<literal>SecurityContext</literal>. The <literal>SecurityContext</literal> obtained from the
<literal>SecurityContextHolder</literal>. The
<literal>HttpSessionContextIntegrationFilter</literal> exists to <literal>HttpSessionContextIntegrationFilter</literal> exists to
automatically copy the contents of a well-defined automatically copy the contents of a well-defined
<literal>HttpSession</literal> attribute into the <literal>HttpSession</literal> attribute into the
<literal>SecurityContext</literal>, then at the end of each request, <literal>SecurityContextHolder</literal>, then at the end of each
copy the <literal>SecurityContext</literal> contents back into the request, copy the <literal>SecurityContextHolder</literal> contents
<literal>HttpSession</literal> ready for next request.</para> back into the <literal>HttpSession</literal> ready for next
request.</para>
<para>It is essential - and an extremely common error of end users - <para>It is essential - and an extremely common error of end users -
that <literal>HttpSessionContextIntegrationFilter</literal> appears that <literal>HttpSessionContextIntegrationFilter</literal> appears
before any other Acegi Security filter. Acegi Security filters expect before any other Acegi Security filter. Acegi Security filters expect
to be able to modify the <literal>SecurityContext</literal> contents to be able to modify the <literal>SecurityContextHolder</literal>
as they see fit, and something else (namely contents as they see fit, and something else (namely
<literal>HttpSessionContextIntegrationFilter</literal>) will store <literal>HttpSessionContextIntegrationFilter</literal>) will store
those between requests if necessary. This is why those between requests if necessary. This is why
<literal>HttpSessionContextIntegrationFilter</literal> must be the <literal>HttpSessionContextIntegrationFilter</literal> must be the
first filter used.</para> first filter used.</para>
<para>You can define a custom <literal>SecurityContext</literal>
implementation be used in your application by setting the
<literal>context</literal> property on the
<literal>HttpSessionContextIntegrationFilter</literal> bean.</para>
</sect2> </sect2>
</sect1> </sect1>